From 9eb01c66e961e8561d1ded69082bc89ecd3b4860 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Mon, 13 Apr 2020 20:51:44 +1000
Subject: [PATCH] gss: remove superfluous SPNEGO cred wrappers

SPNEGO credentials are mechglue credentials. SPNEGO credential wrapper functions can be replaced with direct calls into the mechglue, unless a specific check is required to avoid infinite recursion (as is the case where the mechglue enumerates all mechanism when passed a null credential handle).
---
 lib/gssapi/spnego/cred_stubs.c | 68 +++++++-----------------------------------
 lib/gssapi/spnego/external.c | 8 ++---
 2 files changed, 15 insertions(+), 61 deletions(-)

diff --git a/lib/gssapi/spnego/cred_stubs.c b/lib/gssapi/spnego/cred_stubs.c
index 7d3399ab9..0124c8f44 100644
--- a/lib/gssapi/spnego/cred_stubs.c
+++ b/lib/gssapi/spnego/cred_stubs.c
@@ -33,23 +33,6 @@
 #include "spnego_locl.h"
 #include
-OM_uint32 GSSAPI_CALLCONV
-_gss_spnego_release_cred(OM_uint32 *minor_status, gss_cred_id_t *cred_handle)
-{
- OM_uint32 ret;
-
- *minor_status = 0;
-
- if (cred_handle == NULL || *cred_handle == GSS_C_NO_CREDENTIAL)
- return GSS_S_COMPLETE;
-
- ret = gss_release_cred(minor_status, cred_handle);
-
- *cred_handle = GSS_C_NO_CREDENTIAL;
-
- return ret;
-}
-
 /*
 * For now, just a simple wrapper that avoids recursion. When
 * we support gss_{get,set}_neg_mechs() we will need to expose
@@ -95,6 +78,11 @@ OM_uint32 GSSAPI_CALLCONV _gss_spnego_inquire_cred
 gss_OID_set * mechanisms
 )
 {
+ /*
+ * A wrapper around the mechglue is required to error out
+ * where cred_handle == GSS_C_NO_CREDENTIAL, otherwise we
+ * would infinitely recurse.
+ */
 if (cred_handle == GSS_C_NO_CREDENTIAL) {
 *minor_status = 0;
 return GSS_S_NO_CRED;
@@ -114,30 +102,12 @@ OM_uint32 GSSAPI_CALLCONV _gss_spnego_inquire_cred_by_mech (
 gss_cred_usage_t * cred_usage
 )
 {
- if (cred_handle == GSS_C_NO_CREDENTIAL) {
- *minor_status = 0;
- return GSS_S_NO_CRED;
- }
-
- return gss_inquire_cred_by_mech(minor_status, cred_handle, mech_type,
- name, initiator_lifetime,
- acceptor_lifetime, cred_usage);
-}
-
-OM_uint32 GSSAPI_CALLCONV _gss_spnego_inquire_cred_by_oid
- (OM_uint32 * minor_status,
- gss_const_cred_id_t cred_handle,
- const gss_OID desired_object,
- gss_buffer_set_t *data_set)
-{
- if (cred_handle == GSS_C_NO_CREDENTIAL) {
- *minor_status = 0;
- return GSS_S_NO_CRED;
- }
-
- return gss_inquire_cred_by_oid(minor_status, cred_handle,
- desired_object, data_set);
+ /* Similar to _gss_spnego_inquire_cred(), wrapper is required */
+ heim_assert(gss_oid_equal(mech_type, GSS_SPNEGO_MECHANISM),
+ "Mechglue called inquire_cred_by_mech with wrong OID");
+ *minor_status = 0;
+ return GSS_S_BAD_MECH;
 }
 OM_uint32 GSSAPI_CALLCONV
@@ -146,6 +116,7 @@ _gss_spnego_set_cred_option (OM_uint32 *minor_status,
 const gss_OID object,
 const gss_buffer_t value)
 {
+ /* Similar to _gss_spnego_inquire_cred(), wrapper is required */
 if (cred_handle == NULL || *cred_handle == GSS_C_NO_CREDENTIAL) {
 *minor_status = 0;
 return GSS_S_NO_CRED;
@@ -159,23 +130,6 @@ _gss_spnego_set_cred_option (OM_uint32 *minor_status,
 OM_uint32 GSSAPI_CALLCONV
-_gss_spnego_export_cred (OM_uint32 *minor_status,
- gss_cred_id_t cred_handle,
- gss_buffer_t value)
-{
- return gss_export_cred(minor_status, cred_handle, value);
-}
-
-OM_uint32 GSSAPI_CALLCONV
-_gss_spnego_import_cred (OM_uint32 *minor_status,
- gss_buffer_t value,
- gss_cred_id_t *cred_handle)
-{
- return gss_import_cred(minor_status, value, cred_handle);
-}
-
-
-OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_set_neg_mechs (OM_uint32 *minor_status,
 gss_cred_id_t cred_handle,
 const gss_OID_set mech_list)
diff --git a/lib/gssapi/spnego/external.c b/lib/gssapi/spnego/external.c
index b1393f9d5..eeefa6a71 100644
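Review bot: The new body of _gss_spnego_inquire_cred_by_mech returns GSS_S_BAD_MECH unconditionally once the heim_assert passes, so cred_handle, name, initiator_lifetime, acceptor_lifetime and cred_usage go unused and the comment `/* Similar to _gss_spnego_inquire_cred(), wrapper is required */` does not say why the call is now refused rather than forwarded as before. Suggest spelling out the rationale the commit message gives, e.g. `/* SPNEGO creds are mechglue creds, so a by-mech inquiry on the SPNEGO OID has nothing to forward to without recursing into the mechglue; being asked about any other OID is a mechglue bug (hence the assert). */`. The heim_assert only documents that the mechglue passes GSS_SPNEGO_MECHANISM; if it is ever compiled out the function still fails closed with GSS_S_BAD_MECH, which looks like the intent and is worth stating. The now-unused parameters may draw -Wunused-parameter warnings, so a `(void)cred_handle;`-style cast or the project's usual unused-attribute would keep the build clean. The function's signature and leading parameters lie above the hunk.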
--- a/lib/gssapi/spnego/external.c
+++ b/lib/gssapi/spnego/external.c
@@ -90,7 +90,7 @@ static gssapi_mech_interface_desc spnego_mech = {
 {6, rk_UNCONST("\x2b\x06\x01\x05\x05\x02") },
 0,
 NULL, /* gm_acquire_cred */
- _gss_spnego_release_cred,
+ gss_release_cred,
 _gss_spnego_init_sec_context,
 _gss_spnego_accept_sec_context,
 _gss_spnego_process_context_token,
@@ -119,7 +119,7 @@ static gssapi_mech_interface_desc spnego_mech = {
 _gss_spnego_canonicalize_name,
 _gss_spnego_duplicate_name,
 _gss_spnego_inquire_sec_context_by_oid,
- _gss_spnego_inquire_cred_by_oid,
+ gss_inquire_cred_by_oid,
 _gss_spnego_set_sec_context_option,
 _gss_spnego_set_cred_option,
 _gss_spnego_pseudo_random,
@@ -127,8 +127,8 @@ static gssapi_mech_interface_desc spnego_mech = {
 _gss_spnego_unwrap_iov,
 _gss_spnego_wrap_iov_length,
 NULL,
- _gss_spnego_export_cred,
- _gss_spnego_import_cred,
+ gss_export_cred,
+ gss_import_cred,
 _gss_spnego_acquire_cred_from,
 NULL,
 NULL,
-- 
2.11.4.GIT
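Review bot: The release_cred entry (the one following `NULL, /* gm_acquire_cred */`) now points straight at the mechglue's gss_release_cred, so resetting the caller's handle after the free is delegated to the mechglue; the removed _gss_spnego_release_cred in cred_stubs.c did `*cred_handle = GSS_C_NO_CREDENTIAL;` explicitly and also tolerated a NULL cred_handle pointer. If the mechglue's gss_release_cred does both, this is a pure simplification; if it does not, a caller is left holding a freed credential pointer and a second release becomes a double free, so this is worth confirming against the mechglue implementation before merging. Once confirmed, a one-line comment beside the entry such as `gss_release_cred, /* mechglue clears *cred_handle; SPNEGO holds no cred state of its own */` would record that the check was made. The same reliance applies to the export/import entries in the hunk at -127,8, which replaced wrappers that only forwarded.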
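Review bot: Swapping `_gss_spnego_inquire_cred_by_oid` for `gss_inquire_cred_by_oid` drops the explicit GSS_C_NO_CREDENTIAL → GSS_S_NO_CRED short-circuit the removed wrapper carried (see the cred_stubs.c hunk at -114,30), and the commit message's own rule is that a wrapper stays wherever the mechglue would otherwise enumerate every mechanism on a null handle and call back into SPNEGO. Worth confirming that the mechglue's gss_inquire_cred_by_oid rejects a null credential itself rather than iterating over mechanisms; if it does, a brief note on this entry (`gss_inquire_cred_by_oid, /* mechglue rejects GSS_C_NO_CREDENTIAL itself */`) would explain why this slot needs no wrapper while inquire_cred and set_cred_option keep theirs. The same question applies to gss_export_cred in the hunk at -127,8.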