[15742] in Kerberos_V5_Development
Re: Sanity check: GSSAPI SPI simplifications
daemon@ATHENA.MIT.EDU (Nicolas Williams)
Fri Apr 30 16:55:11 2010
Date: Fri, 30 Apr 2010 15:52:44 -0500
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: ghudson@mit.edu
Message-ID: <20100430205244.GT28229@Sun.COM>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <201004271017.o3RAHRh6011477@outgoing.mit.edu>
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Tue, Apr 27, 2010 at 06:17:27AM -0400, ghudson@MIT.EDU wrote:
> I've noticed the following while working in lib/gssapi:
>
> 1. The mechglue implements gss_acquire_cred in terms of gss_add_cred,
> and gss_add_cred in terms of mech->gss_acquire_cred. It never invokes
> mech->gss_add_cred.
>
> As a consequence, there is about 300 lines of orphaned code in the
> krb5 mech. I propose to get rid of it, and to eliminate gss_add_cred
> from struct gss_config. (Similarly for gss_add_cred_impersonate_name,
> which is already nulled out in the krb5 mech.)
I've noticed this before. Please do eliminate this dead code.
> 2. The mechglue always invokes mech->gss_acquire_cred with nulled
> desired_mechs (input) and actual_mechs (output).
>
> The krb5 mech contains a substantial amount of orphaned logic for
> tracking what was passed as desired_mechs to gss_acquired_cred and
> supplying the appropriate mechs in actual_mechs. All of this is
> unnecessary and I propose to get rid of it. (Similarly for
> acquire_cred_impersonate_name.)
I'm not sure this is a good idea. A better mechglue would ask providers
what mechanisms they provide and then would pass to these functions the
subsets of mech OIDs resulting from the intersection of the app-provided
sets with the provider's supported mechs.
In that case the provider would need the code you'd be removing.
But I don't think this is a terribly important consideration.
Portability to other glue SPIs might be, as Sam points out.
> 3. The mechglue only ever invokes mech->gss_inquire_cred if you pass
> null credentials to gss_inquire_cred. If you pass a valid credential,
> the mechglue satisfies the request using information in the union
> cred.
>
> I propose to alter the null case in the mechglue to (1) acquire a
> default credential, and (2) query it in a manner consistent with the
> non-NULL case. This is not really extra work, since the krb5 mech's
> gss_inquire_cred already goes to the effort of constructing a default
> credential. After this change is made, I propose to eliminate
> gss_inquire_cred from struct gss_config and remove the krb5
> implementation of it.
OK.
Nico
--
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev