Sanity check: GSSAPI SPI simplifications
ghudson at MIT.EDU
Tue Apr 27 06:17:27 EDT 2010
I've noticed the following while working in lib/gssapi:
1. The mechglue implements gss_acquire_cred in terms of gss_add_cred,
and gss_add_cred in terms of mech->gss_acquire_cred. It never invokes
As a consequence, there is about 300 lines of orphaned code in the
krb5 mech. I propose to get rid of it, and to eliminate gss_add_cred
from struct gss_config. (Similarly for gss_add_cred_impersonate_name,
which is already nulled out in the krb5 mech.)
2. The mechglue always invokes mech->gss_acquire_cred with nulled
desired_mechs (input) and actual_mechs (output).
The krb5 mech contains a substantial amount of orphaned logic for
tracking what was passed as desired_mechs to gss_acquired_cred and
supplying the appropriate mechs in actual_mechs. All of this is
unnecessary and I propose to get rid of it. (Similarly for
3. The mechglue only ever invokes mech->gss_inquire_cred if you pass
null credentials to gss_inquire_cred. If you pass a valid credential,
the mechglue satisfies the request using information in the union
I propose to alter the null case in the mechglue to (1) acquire a
default credential, and (2) query it in a manner consistent with the
non-NULL case. This is not really extra work, since the krb5 mech's
gss_inquire_cred already goes to the effort of constructing a default
credential. After this change is made, I propose to eliminate
gss_inquire_cred from struct gss_config and remove the krb5
implementation of it.
I have prototyped some of these changes and, as expected, they don't
break the build or any test cases.
I may delay these changes until after the IAKERB merge, which will
hopefully be soon.
More information about the krbdev