Sanity check: GSSAPI SPI simplifications
Nicolas.Williams at oracle.com
Fri Apr 30 16:52:44 EDT 2010
On Tue, Apr 27, 2010 at 06:17:27AM -0400, ghudson at MIT.EDU wrote:
> I've noticed the following while working in lib/gssapi:
> 1. The mechglue implements gss_acquire_cred in terms of gss_add_cred,
> and gss_add_cred in terms of mech->gss_acquire_cred. It never invokes
> As a consequence, there is about 300 lines of orphaned code in the
> krb5 mech. I propose to get rid of it, and to eliminate gss_add_cred
> from struct gss_config. (Similarly for gss_add_cred_impersonate_name,
> which is already nulled out in the krb5 mech.)
I've noticed this before. Please do eliminate this dead code.
> 2. The mechglue always invokes mech->gss_acquire_cred with nulled
> desired_mechs (input) and actual_mechs (output).
> The krb5 mech contains a substantial amount of orphaned logic for
> tracking what was passed as desired_mechs to gss_acquired_cred and
> supplying the appropriate mechs in actual_mechs. All of this is
> unnecessary and I propose to get rid of it. (Similarly for
I'm not sure this is a good idea. A better mechglue would ask providers
what mechanisms they provide and then would pass to these functions the
subsets of mech OIDs resulting from the intersection of the app-provided
sets with the provider's supported mechs.
In that case the provider would need the code you'd be removing.
But I don't think this is a terribly important consideration.
Portability to other glue SPIs might be, as Sam points out.
> 3. The mechglue only ever invokes mech->gss_inquire_cred if you pass
> null credentials to gss_inquire_cred. If you pass a valid credential,
> the mechglue satisfies the request using information in the union
> I propose to alter the null case in the mechglue to (1) acquire a
> default credential, and (2) query it in a manner consistent with the
> non-NULL case. This is not really extra work, since the krb5 mech's
> gss_inquire_cred already goes to the effort of constructing a default
> credential. After this change is made, I propose to eliminate
> gss_inquire_cred from struct gss_config and remove the krb5
> implementation of it.
More information about the krbdev