From a7d42cdf6b057d21e40b87c6d526574c4d297807 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Thu, 3 Jan 2019 23:16:03 +1100
Subject: [PATCH] gssapi: honor initiator credential in SPNEGO (#506)

SPNEGO uses the callback function initiator_approved() in order to determine mechanism availability. Prior to this commit, is not passed in the initiator credential, so it always uses a default credential. This breaks SPNEGO if a non-default credential (such as one acquired with gss_acquire_cred_with_password()) is used. This commit addresses this.
---
 lib/gssapi/spnego/accept_sec_context.c | 6 ++++--
 lib/gssapi/spnego/compat.c | 6 +++---
 lib/gssapi/spnego/init_sec_context.c | 6 ++++--
 3 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/lib/gssapi/spnego/accept_sec_context.c b/lib/gssapi/spnego/accept_sec_context.c
index 693d90cbc..545492480 100644
--- a/lib/gssapi/spnego/accept_sec_context.c
+++ b/lib/gssapi/spnego/accept_sec_context.c
@@ -63,7 +63,9 @@ send_reject (OM_uint32 *minor_status,
 }
 
 static OM_uint32
-acceptor_approved(gss_name_t target_name, gss_OID mech)
+acceptor_approved(gss_const_cred_id_t cred_unused,
+                  gss_name_t target_name,
+                  gss_OID mech)
 {
     gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
     gss_OID_set oidset;
@@ -393,7 +395,7 @@ select_mech(OM_uint32 *minor_status, MechType *mechType, int verify_p,
         if (ret != GSS_S_COMPLETE)
             return ret;
 
-        ret = acceptor_approved(name, *mech_p);
+        ret = acceptor_approved(GSS_C_NO_CREDENTIAL, name, *mech_p);
         gss_release_name(&junk, &name);
     }
 
diff --git a/lib/gssapi/spnego/compat.c b/lib/gssapi/spnego/compat.c
index 6e90fe6fa..b902e0469 100644
--- a/lib/gssapi/spnego/compat.c
+++ b/lib/gssapi/spnego/compat.c
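Review bot: acceptor_approved() gains the `cred_unused` parameter in the first hunk but nothing says why the acceptor side ignores it while the sibling initiator_approved() in init_sec_context.c probes with its credential; the only call site in the second hunk (select_mech) passes GSS_C_NO_CREDENTIAL. A one-line comment above the new signature would keep a later reader from "fixing" it: `/* cred_unused: acceptor-side mechanism selection is keyed on the default acceptor credential, not the caller's; select_mech() passes GSS_C_NO_CREDENTIAL */`. The body, which begins with a separate local `cred` initialised to GSS_C_NO_CREDENTIAL, continues past the hunk, so whether that local should instead be seeded from the parameter cannot be judged here; the two similarly named identifiers are easy to confuse, so the comment should name both.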
@@ -232,7 +232,7 @@ add_mech_type(gss_OID mech_type,
 OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_indicate_mechtypelist (OM_uint32 *minor_status,
                                    gss_name_t target_name,
-                                   OM_uint32 (*func)(gss_name_t, gss_OID),
+                                   OM_uint32 (*func)(gss_const_cred_id_t, gss_name_t, gss_OID),
                                    int includeMSCompatOID,
                                    gss_const_cred_id_t cred_handle,
                                    MechTypeList *mechtypelist,
@@ -267,7 +267,7 @@ _gss_spnego_indicate_mechtypelist (OM_uint32 *minor_status,
         return GSS_S_FAILURE;
     }
 
-    ret = (*func)(target_name, GSS_KRB5_MECHANISM);
+    ret = (*func)(cred_handle, target_name, GSS_KRB5_MECHANISM);
     if (ret == GSS_S_COMPLETE) {
         ret = add_mech_type(GSS_KRB5_MECHANISM,
                             includeMSCompatOID,
@@ -284,7 +284,7 @@ _gss_spnego_indicate_mechtypelist (OM_uint32 *minor_status,
         if (gss_oid_equal(&supported_mechs->elements[i], GSS_KRB5_MECHANISM))
             continue;
 
-        subret = (*func)(target_name, &supported_mechs->elements[i]);
+        subret = (*func)(cred_handle, target_name, &supported_mechs->elements[i]);
         if (subret != GSS_S_COMPLETE)
             continue;
 
diff --git a/lib/gssapi/spnego/init_sec_context.c b/lib/gssapi/spnego/init_sec_context.c
index 006f3ef59..4f7ff7fd8 100644
--- a/lib/gssapi/spnego/init_sec_context.c
+++ b/lib/gssapi/spnego/init_sec_context.c
@@ -38,14 +38,16 @@
  */
 
 static OM_uint32
-initiator_approved(gss_name_t target_name, gss_OID mech)
+initiator_approved(gss_const_cred_id_t cred,
+                   gss_name_t target_name,
+                   gss_OID mech)
 {
     OM_uint32 min_stat, maj_stat;
     gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
     gss_buffer_desc out;
 
     maj_stat = gss_init_sec_context(&min_stat,
-                                    GSS_C_NO_CREDENTIAL,
+                                    cred,
                                     &ctx,
                                     target_name,
                                     mech,
-- 
2.11.4.GIT
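Review bot: The three-argument callback type is spelled out inline in the `func` parameter of _gss_spnego_indicate_mechtypelist(); a named type such as `typedef OM_uint32 (*spnego_mech_approved_fn)(gss_const_cred_id_t, gss_name_t, gss_OID);` would keep the signature readable and let acceptor_approved() and initiator_approved() be checked against a single definition rather than two hand-copied parameter lists. The hunks at -267 and -284 forward `cred_handle` consistently, so both the GSS_KRB5_MECHANISM probe and the loop over supported_mechs see the same credential. This patch touches no header, so if the prototype of _gss_spnego_indicate_mechtypelist() is maintained separately rather than generated from this definition, it needs the same change or the old two-argument callback type will conflict with this one.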
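Review bot: initiator_approved() now runs its trial gss_init_sec_context() with the caller's `cred` instead of GSS_C_NO_CREDENTIAL, which is the fix the commit describes, but the new parameter is undocumented; a comment above the signature such as `/* cred: initiator credential to probe the mechanism with; GSS_C_NO_CREDENTIAL selects the default and gives the pre-change behaviour */` would make the contract explicit for the callback's other implementer. Since the probe is keyed on the supplied credential, a mechanism can now be accepted or rejected differently than under the default credential, which is intended and worth stating in that comment. The function body continues past the hunk, so how the probe context `ctx` and output buffer `out` are released after the call cannot be checked here.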