From 290e2430c4e170e317eb013191f8ad36f3939a87 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Fri, 17 Apr 2015 10:49:39 -0500
Subject: [PATCH] Don't use mech default cred when input cred isn't gss_init_sec_context() with input_cred_handle != GSS_C_NO_CREDENTIAL should NOT proceed if there is no element in the given credential for the requested mechanism.
---
 lib/gssapi/mech/gss_init_sec_context.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/gssapi/mech/gss_init_sec_context.c b/lib/gssapi/mech/gss_init_sec_context.c
index 32ad870f1..21e02aea6 100644
--- a/lib/gssapi/mech/gss_init_sec_context.c
+++ b/lib/gssapi/mech/gss_init_sec_context.c
@@ -172,7 +172,7 @@ gss_init_sec_context(OM_uint32 * minor_status,
 major_status = _gss_find_mn(minor_status, name, mech_type, &mn);
 if (major_status != GSS_S_COMPLETE) {
 if (allocated_ctx)
- free(ctx);
+ free(ctx);
 return major_status;
 }
 
@@ -184,6 +184,13 @@ gss_init_sec_context(OM_uint32 * minor_status,
 else
 cred_handle = _gss_mech_cred_find(initiator_cred_handle, mech_type);
 
+ if (initiator_cred_handle != GSS_C_NO_CREDENTIAL &&
+ cred_handle == NULL) {
+ if (allocated_ctx)
+ free(ctx);
+ return GSS_S_NO_CRED;
+ }
+
 major_status = m->gm_init_sec_context(minor_status,
 cred_handle,
 &ctx->gc_ctx,
--
2.11.4.GIT
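Review bot: The new early return in the second hunk hands back `GSS_S_NO_CRED` without assigning `*minor_status`, so the caller sees whatever `_gss_find_mn` (or earlier code outside the hunk) last stored there; adding `*minor_status = 0;` before `return GSS_S_NO_CRED;` would make the failure unambiguous. The check is security-relevant and deserves a comment such as `/* Caller named a credential: never fall back to the mechanism's default identity. */`, because without it a context could be initiated under an identity the caller did not select. Whether the output parameters (output token, actual mechanism type) are already cleared on this path cannot be seen here, since `gss_init_sec_context` starts and ends outside the hunk. The `if (allocated_ctx) free(ctx);` cleanup now appears twice in the visible lines and could share one exit label if more error paths are added.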