Fix SPNEGO fallback context handling
authorGreg Hudson <ghudson@mit.edu>
Mon, 11 Nov 2019 17:25:41 +0000 (12:25 -0500)
committerGreg Hudson <ghudson@mit.edu>
Mon, 9 Dec 2019 22:02:52 +0000 (17:02 -0500)
In init_ctx_call_init(), if gss_init_sec_context() fails while
producing the first SPNEGO initiator token, we remove the first
candidate mechanism from sc->mech_set and try again.  If
sc->ctx_handle is present after the error (more likely after commit
56f7b1bc95a2a3eeb420e069e7655fb181ade5cf), we must clear it before
falling back or it will cause subsequent attempts to fail.

(cherry picked from commit 40ecfad10dd36700028ff0f3d0d79ce7925fe545)

ticket: 8846
version_fixed: 1.17.1

src/lib/gssapi/spnego/spnego_mech.c

index 9d6027ce8058de79d0af45911797a4643fd6d5d3..efcec2dda2ddc12ed0ac8df919efa61d053ed95e 100644 (file)
@@ -982,6 +982,7 @@ init_ctx_call_init(OM_uint32 *minor_status,
        gss_release_buffer(&tmpmin, &sc->DER_mechTypes);
        if (put_mech_set(sc->mech_set, &sc->DER_mechTypes) < 0)
                goto fail;
+       gss_delete_sec_context(&tmpmin, &sc->ctx_handle, GSS_C_NO_BUFFER);
        tmpret = init_ctx_call_init(&tmpmin, sc, spcred, target_name,
                                    req_flags, time_req, mechtok_in,
                                    actual_mech, mechtok_out, ret_flags,
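Review bot: The added gss_delete_sec_context() call ahead of the recursive init_ctx_call_init() carries no comment and discards its status, so a reader cannot tell that both are deliberate. I would put `/* Discard any partial context left by the failed mechanism so the retry with the next candidate starts from an empty handle. */` above it. Ignoring the status looks intentional, since sc->ctx_handle may be empty at this point, but that is inferred from the commit message rather than visible in these lines. The call also sits after the `goto fail` taken when put_mech_set() fails, so on that path the handle is left to whatever the fail label and the caller do with it; that code, like the start and end of init_ctx_call_init(), is outside the hunk and worth checking.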