Sanity check: GSSAPI SPI simplifications

Nicolas Williams Nicolas.Williams at
Fri Apr 30 16:52:44 EDT 2010

On Tue, Apr 27, 2010 at 06:17:27AM -0400, ghudson at MIT.EDU wrote:
> I've noticed the following while working in lib/gssapi:
> 1. The mechglue implements gss_acquire_cred in terms of gss_add_cred,
> and gss_add_cred in terms of mech->gss_acquire_cred.  It never invokes
> mech->gss_add_cred.
> As a consequence, there is about 300 lines of orphaned code in the
> krb5 mech.  I propose to get rid of it, and to eliminate gss_add_cred
> from struct gss_config.  (Similarly for gss_add_cred_impersonate_name,
> which is already nulled out in the krb5 mech.)

I've noticed this before.  Please do eliminate this dead code.

> 2. The mechglue always invokes mech->gss_acquire_cred with nulled
> desired_mechs (input) and actual_mechs (output).
> The krb5 mech contains a substantial amount of orphaned logic for
> tracking what was passed as desired_mechs to gss_acquired_cred and
> supplying the appropriate mechs in actual_mechs.  All of this is
> unnecessary and I propose to get rid of it.  (Similarly for
> acquire_cred_impersonate_name.)

I'm not sure this is a good idea.  A better mechglue would ask providers
what mechanisms they provide and then would pass to these functions the
subsets of mech OIDs resulting from the intersection of the app-provided
sets with the provider's supported mechs.

In that case the provider would need the code you'd be removing.

But I don't think this is a terribly important consideration.
Portability to other glue SPIs might be, as Sam points out.

> 3. The mechglue only ever invokes mech->gss_inquire_cred if you pass
> null credentials to gss_inquire_cred.  If you pass a valid credential,
> the mechglue satisfies the request using information in the union
> cred.
> I propose to alter the null case in the mechglue to (1) acquire a
> default credential, and (2) query it in a manner consistent with the
> non-NULL case.  This is not really extra work, since the krb5 mech's
> gss_inquire_cred already goes to the effort of constructing a default
> credential.  After this change is made, I propose to eliminate
> gss_inquire_cred from struct gss_config and remove the krb5
> implementation of it.



More information about the krbdev mailing list