Sanity check: GSSAPI SPI simplifications

ghudson@MIT.EDU ghudson at MIT.EDU
Tue Apr 27 06:17:27 EDT 2010

I've noticed the following while working in lib/gssapi:

1. The mechglue implements gss_acquire_cred in terms of gss_add_cred,
and gss_add_cred in terms of mech->gss_acquire_cred.  It never invokes

As a consequence, there is about 300 lines of orphaned code in the
krb5 mech.  I propose to get rid of it, and to eliminate gss_add_cred
from struct gss_config.  (Similarly for gss_add_cred_impersonate_name,
which is already nulled out in the krb5 mech.)

2. The mechglue always invokes mech->gss_acquire_cred with nulled
desired_mechs (input) and actual_mechs (output).

The krb5 mech contains a substantial amount of orphaned logic for
tracking what was passed as desired_mechs to gss_acquired_cred and
supplying the appropriate mechs in actual_mechs.  All of this is
unnecessary and I propose to get rid of it.  (Similarly for

3. The mechglue only ever invokes mech->gss_inquire_cred if you pass
null credentials to gss_inquire_cred.  If you pass a valid credential,
the mechglue satisfies the request using information in the union

I propose to alter the null case in the mechglue to (1) acquire a
default credential, and (2) query it in a manner consistent with the
non-NULL case.  This is not really extra work, since the krb5 mech's
gss_inquire_cred already goes to the effort of constructing a default
credential.  After this change is made, I propose to eliminate
gss_inquire_cred from struct gss_config and remove the krb5
implementation of it.

I have prototyped some of these changes and, as expected, they don't
break the build or any test cases.

I may delay these changes until after the IAKERB merge, which will
hopefully be soon.

More information about the krbdev mailing list