From: Greg Hudson Date: Thu, 13 Nov 2025 05:08:01 +0000 (-0500) Subject: Consolidate krb5 GSS cred cleanup X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=HEAD;p=thirdparty%2Fkrb5.git Consolidate krb5 GSS cred cleanup Factor out duplicate cleanup code from acquire_cred_context() and krb5_gss_release_cred() into a new helper kg_release_cred(). --- diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c index 12e6b7ea80..0e12c2233b 100644 --- a/src/lib/gssapi/krb5/acquire_cred.c +++ b/src/lib/gssapi/krb5/acquire_cred.c @@ -894,29 +894,7 @@ krb_error_out: ret = GSS_S_FAILURE; error_out: - if (cred != NULL) { - if (cred->ccache) { - if (cred->destroy_ccache) - krb5_cc_destroy(context, cred->ccache); - else - krb5_cc_close(context, cred->ccache); - } - if (cred->client_keytab) - krb5_kt_close(context, cred->client_keytab); -#ifndef LEAN_CLIENT - if (cred->keytab) - krb5_kt_close(context, cred->keytab); -#endif /* LEAN_CLIENT */ - if (cred->rcache) - k5_rc_close(context, cred->rcache); - if (cred->name) - kg_release_name(context, &cred->name); - krb5_free_principal(context, cred->impersonator); - krb5_free_principal(context, cred->acceptor_mprinc); - zapfreestr(cred->password); - k5_mutex_destroy(&cred->lock); - xfree(cred); - } + kg_release_cred(context, cred); save_error_info(*minor_status, context); return ret; } diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h index 1ed71fc81f..b8fc03d04d 100644 --- a/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h @@ -940,6 +940,9 @@ krb5_error_code gss_krb5int_make_seal_token_v3(krb5_context, int gss_krb5int_rotate_left (void *ptr, size_t bufsiz, size_t rc); +krb5_error_code +kg_release_cred(krb5_context context, krb5_gss_cred_id_t cred); + /* naming_exts.c */ #define KG_INIT_NAME_NO_COPY 0x1 diff --git a/src/lib/gssapi/krb5/rel_cred.c b/src/lib/gssapi/krb5/rel_cred.c index 9e04e2fa81..937b67e593 100644 
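Review bot: The `error_out:` path in acquire_cred.c now hands a possibly half-built cred to kg_release_cred(), and that helper does not do exactly what the removed block did. As defined in rel_cred.c, it destroys `cred->lock` first instead of last, calls kg_release_name() without the old `if (cred->name)` guard, and also frees `cred->req_enctypes`. This is presumably safe if the cred is zero-filled at allocation, but that code is outside this hunk and should be confirmed. I would record the contract at the call site with `/* kg_release_cred() accepts NULL and partially initialized creds. */`. The body of acquire_cred_context() starts outside the hunk.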
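Review bot: The new kg_release_cred() prototype in gssapiP_krb5.h carries no comment stating its ownership contract, which matters because the helper frees the structure itself. I would add `/* Release all resources held by cred and free cred itself; cred may be NULL. Returns only the error from closing or destroying the ccache. */` above the declaration. It should also say that the caller's pointer is invalid after the call, so internal callers know to clear any handle they keep.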
--- a/src/lib/gssapi/krb5/rel_cred.c +++ b/src/lib/gssapi/krb5/rel_cred.c 
@@ -23,74 +23,51 @@ #include "gssapiP_krb5.h" -OM_uint32 KRB5_CALLCONV -krb5_gss_release_cred(OM_uint32 *minor_status, gss_cred_id_t *cred_handle) +krb5_error_code +kg_release_cred(krb5_context context, krb5_gss_cred_id_t cred) { - krb5_context context; - krb5_gss_cred_id_t cred; - krb5_error_code code1, code2; - - code1 = krb5_gss_init_context(&context); - if (code1) { - *minor_status = code1; - return GSS_S_FAILURE; - } - - if (*cred_handle == GSS_C_NO_CREDENTIAL) { - *minor_status = 0; - krb5_free_context(context); - return(GSS_S_COMPLETE); - } - - cred = (krb5_gss_cred_id_t)*cred_handle; + krb5_error_code ret = 0; + if (cred == NULL) + return 0; k5_mutex_destroy(&cred->lock); - /* ignore error destroying mutex */ - - if (cred->ccache) { + if (cred->ccache != NULL) { if (cred->destroy_ccache) - code1 = krb5_cc_destroy(context, cred->ccache); + ret = krb5_cc_destroy(context, cred->ccache); else - code1 = krb5_cc_close(context, cred->ccache); - } else - code1 = 0; - - if (cred->client_keytab) + ret = krb5_cc_close(context, cred->ccache); + } + if (cred->client_keytab != NULL) krb5_kt_close(context, cred->client_keytab); - #ifndef LEAN_CLIENT - if (cred->keytab) - code2 = krb5_kt_close(context, cred->keytab); - else + if (cred->keytab != NULL) + krb5_kt_close(context, cred->keytab); #endif /* LEAN_CLIENT */ - code2 = 0; - - if (cred->rcache) + if (cred->rcache != NULL) k5_rc_close(context, cred->rcache); - if (cred->name) - kg_release_name(context, &cred->name); - + kg_release_name(context, &cred->name); krb5_free_principal(context, cred->acceptor_mprinc); krb5_free_principal(context, cred->impersonator); + free(cred->req_enctypes); + zapfreestr(cred->password); + free(cred); + return ret; +} - if (cred->req_enctypes) - free(cred->req_enctypes); - - if (cred->password != NULL) - zapfree(cred->password, strlen(cred->password)); - - xfree(cred); - - *cred_handle = NULL; +OM_uint32 KRB5_CALLCONV +krb5_gss_release_cred(OM_uint32 *minor_status, gss_cred_id_t 
*cred_handle) +{ + krb5_context context; *minor_status = 0; - if (code1) - *minor_status = code1; - if (code2) - *minor_status = code2; - + if (*cred_handle == GSS_C_NO_CREDENTIAL) + return GSS_S_COMPLETE; + *minor_status = krb5_gss_init_context(&context); + if (*minor_status) + return GSS_S_FAILURE; + *minor_status = kg_release_cred(context, (krb5_gss_cred_id_t)*cred_handle); if (*minor_status) save_error_info(*minor_status, context); krb5_free_context(context); - return(*minor_status?GSS_S_FAILURE:GSS_S_COMPLETE); + return *minor_status ? GSS_S_FAILURE : GSS_S_COMPLETE; }
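Review bot: krb5_gss_release_cred() no longer clears the caller's handle, because the removed `*cred_handle = NULL;` has no counterpart on the new side of this hunk. After kg_release_cred() frees the structure, `*cred_handle` still points at freed memory. A caller that releases the same handle again, or tests it against GSS_C_NO_CREDENTIAL, would then act on freed memory. The GSS-API C bindings also expect the handle to be reset on success. I would restore it right after the helper call with `*cred_handle = GSS_C_NO_CREDENTIAL;`. Separately, the error from `krb5_kt_close(context, cred->keytab)` used to reach `*minor_status` through `code2` and is now dropped; if that is intended, say so in a comment in kg_release_cred().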