From d19a69fe6afacf7b9fc756e077c70cb3092d1df3 Mon Sep 17 00:00:00 2001
From: Stefan Becker <chemobejk@gmail.com>
Date: Tue, 4 Jun 2013 11:02:07 +0300
Subject: [PATCH] security: drop useless gss_acquire_cred()

As it turned out there is no regression in krb5 1.11.x, but our call to
gss_acquire_cred() is pointless. You can call gss_init_sec_context()
with GSS_C_NO_CREDENTIALS and it will automatically pick up the default
credentials. Therefore all code for credential handling can be removed
from sip-sec-krb5.c.

Verified kinit & kinit-less use cases on Fedora 19 Beta (krb5 1.11.x),
Fedora 18 (krb5 1.10.x) and Ubuntu 10.04 (krb5 1.8.x).
---
 ChangeLog               |  3 ++-
 src/core/sip-sec-krb5.c | 57 ++-----------------------------------------------
 2 files changed, 4 insertions(+), 56 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 5ca9c6fc..c7e95c26 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,8 @@
-version 1.16.0 "HTTP Rewrite" (2013-XX-XX)
+version 1.16.0 "HTTP Rewrite & Subscription Fixes" (2013-XX-XX)
 	- Feature #58: Implement Digest authentication scheme for SIP Proxy Authentication (Stefan Becker)
 	- Fixed #193: Pidgin Status changes stop working (Stefan Becker)
 	- Fixed #186: Users appear offline when they are not (Stefan Becker)
+	- fix kinit-less use case with krb5 >= 1.11 (Stefan Becker)
 	- rewritten HTTP stack from scratch (Stefan Becker)
 	  * cleaner, layered and hopefully less error-prone implementation
 	  * HTTP stack internals no longer exposed to user code
diff --git a/src/core/sip-sec-krb5.c b/src/core/sip-sec-krb5.c
index 1302e45c..00c35ff9 100644
--- a/src/core/sip-sec-krb5.c
+++ b/src/core/sip-sec-krb5.c
@@ -37,7 +37,6 @@
 /* Security context for Kerberos */
 typedef struct _context_krb5 {
 	struct sip_sec_context common;
-	gss_cred_id_t cred_krb5;
 	gss_ctx_id_t ctx_krb5;
 	const gchar *domain;
 	const gchar *username;
@@ -63,41 +62,6 @@ static void sip_sec_krb5_destroy_context(context_krb5 context)
 		}
 		context->ctx_krb5 = GSS_C_NO_CONTEXT;
 	}
-
-	if (context->cred_krb5) {
-		ret = gss_release_cred(&minor, &(context->cred_krb5));
-		if (GSS_ERROR(ret)) {
-			sip_sec_krb5_print_gss_error("gss_release_cred", ret, minor);
-			SIPE_DEBUG_ERROR("sip_sec_krb5_destroy_context: failed to release credentials (ret=%d)", (int)ret);
-		}
-		context->cred_krb5 = NULL;
-	}
-}
-
-static gboolean sip_sec_krb5_acquire_credentials(context_krb5 context)
-{
-	OM_uint32 ret;
-	OM_uint32 minor;
-	gss_cred_id_t credentials;
-
-	/* Acquire default user credentials */
-	ret = gss_acquire_cred(&minor,
-			       GSS_C_NO_NAME,
-			       GSS_C_INDEFINITE,
-			       GSS_C_NO_OID_SET,
-			       GSS_C_INITIATE,
-			       &credentials,
-			       NULL,
-			       NULL);
-
-	if (GSS_ERROR(ret)) {
-		sip_sec_krb5_print_gss_error("gss_acquire_cred", ret, minor);
-		SIPE_DEBUG_ERROR("sip_sec_krb5_acquire_credentials: failed to acquire credentials (ret=%d)", (int)ret);
-		return(FALSE);
-	} else {
-		context->cred_krb5 = credentials;
-		return(TRUE);
-	}
 }
 
 static gboolean sip_sec_krb5_initialize_context(context_krb5 context,
@@ -133,7 +97,7 @@ static gboolean sip_sec_krb5_initialize_context(context_krb5 context,
 	output_token.value = NULL;
 
 	ret = gss_init_sec_context(&minor,
-				   context->cred_krb5,
+				   GSS_C_NO_CREDENTIAL,
 				   &(context->ctx_krb5),
 				   target_name,
 				   GSS_C_NO_OID,
@@ -175,7 +139,6 @@ sip_sec_acquire_cred__krb5(SipSecContext context,
 			   const gchar *password)
 {
 	context_krb5 ctx = (context_krb5) context;
-	gboolean result;
 
 	SIPE_DEBUG_INFO_NOFORMAT("sip_sec_acquire_cred__krb5: started");
 
@@ -195,22 +158,7 @@ sip_sec_acquire_cred__krb5(SipSecContext context,
 	if ((context->flags & SIP_SEC_FLAG_COMMON_HTTP) == 0)
 		context->flags |= SIP_SEC_FLAG_KRB5_RETRY_AUTH;
 
-	result = sip_sec_krb5_acquire_credentials(ctx);
-
-	/*
-	 * If acquire credentials fails then retry after trying to obtaining
-	 * a TGT. This will will only succeed if we have been provided with
-	 * valid authentication information by the user.
-	 */
-	if (!result && (context->flags & SIP_SEC_FLAG_KRB5_RETRY_AUTH)) {
-		result = sip_sec_krb5_obtain_tgt(ctx)          &&
-			 sip_sec_krb5_acquire_credentials(ctx);
-
-		/* Only retry once */
-		context->flags &= ~SIP_SEC_FLAG_KRB5_RETRY_AUTH;
-	}
-
-	return(result);
+	return(TRUE);
 }
 
 static gboolean
@@ -251,7 +199,6 @@ sip_sec_init_sec_context__krb5(SipSecContext context,
 	if (!result && (context->flags & SIP_SEC_FLAG_KRB5_RETRY_AUTH)) {
 		sip_sec_krb5_destroy_context(ctx);
 		result = sip_sec_krb5_obtain_tgt(ctx)          &&
-			 sip_sec_krb5_acquire_credentials(ctx) &&
 			 sip_sec_krb5_initialize_context(ctx,
 							 in_buff,
 							 out_buff,
-- 
2.11.4.GIT