From 1c0746c482421c4c33d008d9aa6765538bf5ebf1 Mon Sep 17 00:00:00 2001
From: Filip Navara
Date: Wed, 15 Jun 2022 11:45:13 +0000
Subject: [PATCH] Remove GSS_KRB5_CRED_NO_CI_FLAGS_X code

The support for building with GSS_KRB5_CRED_NO_CI_FLAGS_X was broken for quite some time. Attempts to reenable it failed due to bug in the krb5 GSSAPI implementation resulting in invalid memory accesses.
---
 .../Net/Security/NegotiateStreamPal.Unix.cs | 10 -------
 src/native/libs/Common/pal_config.h.in | 1 -
 .../System.Net.Security.Native/pal_gssapi.c | 30 -------------------
 src/native/libs/configure.cmake | 12 --------
 4 files changed, 53 deletions(-)

diff --git a/src/libraries/Common/src/System/Net/Security/NegotiateStreamPal.Unix.cs b/src/libraries/Common/src/System/Net/Security/NegotiateStreamPal.Unix.cs
index 448444543018e4..291795b418b384 100644
--- a/src/libraries/Common/src/System/Net/Security/NegotiateStreamPal.Unix.cs
+++ b/src/libraries/Common/src/System/Net/Security/NegotiateStreamPal.Unix.cs
@@ -376,16 +376,6 @@ internal static SecurityStatusPal InitializeSecurityContext(
 ref resultBlob,
 ref contextFlags);
- // Confidentiality flag should not be set if not requested
- if (status.ErrorCode == SecurityStatusPalErrorCode.CompleteNeeded)
- {
- ContextFlagsPal mask = ContextFlagsPal.Confidentiality;
- if ((requestedContextFlags & mask) != (contextFlags & mask))
- {
- throw new PlatformNotSupportedException(SR.net_nego_protection_level_not_supported);
- }
- }
-
 return status;
 }
diff --git a/src/native/libs/Common/pal_config.h.in b/src/native/libs/Common/pal_config.h.in
index 2c1c8ff1922c79..3f5b8c3627edcd 100644
--- a/src/native/libs/Common/pal_config.h.in
+++ b/src/native/libs/Common/pal_config.h.in
@@ -104,7 +104,6 @@
 #cmakedefine01 HAVE_TCP_FSM_H
 #cmakedefine01 HAVE_GSSFW_HEADERS
 #cmakedefine01 HAVE_GSS_SPNEGO_MECHANISM
-#cmakedefine01 HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
 #cmakedefine01 HAVE_HEIMDAL_HEADERS
 #cmakedefine01 HAVE_NSGETENVIRON
 #cmakedefine01 HAVE_GETAUXVAL
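Review bot: With the `requestedContextFlags`/`contextFlags` Confidentiality comparison deleted, InitializeSecurityContext on Unix now completes silently when the negotiated context's Confidentiality bit differs from what the caller asked for, and in the direction where confidentiality was requested but not negotiated that is a protection-level downgrade rather than the unsupported-platform case the old check was written for. Unless a check outside this hunk still compares the negotiated flags against the requested ProtectionLevel, keep at least the downgrade half here: `if (status.ErrorCode == SecurityStatusPalErrorCode.CompleteNeeded && (requestedContextFlags & ContextFlagsPal.Confidentiality) != 0 && (contextFlags & ContextFlagsPal.Confidentiality) == 0) throw new PlatformNotSupportedException(SR.net_nego_protection_level_not_supported);`. If the managed NegotiateStream layer is meant to own that comparison now, a one-line comment at the removed site saying so, e.g. `// Protection-level mismatches are not detected here; the managed layer compares the negotiated flags with the requested ProtectionLevel.`, would stop the next reader from re-adding the full check. InitializeSecurityContext's signature and the call that produces `status` lie above the hunk and are not visible here.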
diff --git a/src/native/libs/System.Net.Security.Native/pal_gssapi.c b/src/native/libs/System.Net.Security.Native/pal_gssapi.c
index 6206fa0fa0ce42..6959ce9a56f520 100644
--- a/src/native/libs/System.Net.Security.Native/pal_gssapi.c
+++ b/src/native/libs/System.Net.Security.Native/pal_gssapi.c
@@ -80,13 +80,6 @@ static gss_OID_desc gss_mech_ntlm_OID_desc = {.length = STRING_LENGTH(gss_ntlm_o
 PER_FUNCTION_BLOCK(GSS_C_NT_USER_NAME) \
 PER_FUNCTION_BLOCK(GSS_C_NT_HOSTBASED_SERVICE)
-#if HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
-
-#define FOR_ALL_GSS_FUNCTIONS FOR_ALL_GSS_FUNCTIONS \
- PER_FUNCTION_BLOCK(gss_set_cred_option)
-
-#endif //HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
-
 // define indirection pointers for all functions, like
 // static TYPEOF(gss_accept_sec_context)* gss_accept_sec_context_ptr;
 #define PER_FUNCTION_BLOCK(fn) \
@@ -116,11 +109,6 @@ static void* volatile s_gssLib = NULL;
 #define gss_unwrap(...) gss_unwrap_ptr(__VA_ARGS__)
 #define gss_wrap(...) gss_wrap_ptr(__VA_ARGS__)
-#if HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
-#define gss_set_cred_option(...) gss_set_cred_option_ptr(__VA_ARGS__)
-#endif //HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
-
-
 #define GSS_C_NT_USER_NAME (*GSS_C_NT_USER_NAME_ptr)
 #define GSS_C_NT_HOSTBASED_SERVICE (*GSS_C_NT_HOSTBASED_SERVICE_ptr)
 #define gss_mech_krb5 (*gss_mech_krb5_ptr)
@@ -181,15 +169,6 @@ static uint32_t AcquireCredSpNego(uint32_t* minorStatus,
 uint32_t majorStatus = gss_acquire_cred(
 minorStatus, desiredName, 0, &gss_mech_spnego_OID_set_desc, credUsage, outputCredHandle, NULL, NULL);
- // call gss_set_cred_option with GSS_KRB5_CRED_NO_CI_FLAGS_X to support Kerberos Sign Only option from *nix client against a windows server
-#if HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
- if (majorStatus == GSS_S_COMPLETE)
- {
- GssBuffer emptyBuffer = GSS_C_EMPTY_BUFFER;
- majorStatus = gss_set_cred_option(minorStatus, outputCredHandle, GSS_KRB5_CRED_NO_CI_FLAGS_X, &emptyBuffer);
- }
-#endif
-
 return majorStatus;
 }
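Review bot: AcquireCredSpNego now hands back the `gss_acquire_cred` result with nothing recording that the `gss_set_cred_option(..., GSS_KRB5_CRED_NO_CI_FLAGS_X, ...)` call was dropped on purpose, so a reader chasing a sign-only Kerberos failure against a Windows server (the case the removed comment described) is likely to reintroduce the very call that the commit message says causes invalid memory accesses inside krb5. A why-comment above `return majorStatus;` would prevent that: `// Deliberately no gss_set_cred_option(GSS_KRB5_CRED_NO_CI_FLAGS_X) here: it triggered invalid memory accesses in krb5, so sign-only (no-confidentiality) Kerberos contexts are not supported through this credential.` The same note applies to AcquireCredWithPassword in the following hunk. Both functions begin above their hunks, so their argument handling is not visible here.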
@@ -604,15 +583,6 @@ static uint32_t AcquireCredWithPassword(uint32_t* minorStatus,
 uint32_t majorStatus = gss_acquire_cred_with_password(
 minorStatus, desiredName, &passwordBuffer, 0, desiredMech, credUsage, outputCredHandle, NULL, NULL);
- // call gss_set_cred_option with GSS_KRB5_CRED_NO_CI_FLAGS_X to support Kerberos Sign Only option from *nix client against a windows server
-#if HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
- if (majorStatus == GSS_S_COMPLETE)
- {
- GssBuffer emptyBuffer = GSS_C_EMPTY_BUFFER;
- majorStatus = gss_set_cred_option(minorStatus, outputCredHandle, GSS_KRB5_CRED_NO_CI_FLAGS_X, &emptyBuffer);
- }
-#endif
-
 return majorStatus;
 }
diff --git a/src/native/libs/configure.cmake b/src/native/libs/configure.cmake
index 8567842366bc5a..4a8b7940ce5efd 100644
--- a/src/native/libs/configure.cmake
+++ b/src/native/libs/configure.cmake
@@ -1042,18 +1042,6 @@ else ()
 HAVE_GSS_SPNEGO_MECHANISM)
 endif ()
-if (HAVE_GSSFW_HEADERS)
- check_symbol_exists(
- GSS_KRB5_CRED_NO_CI_FLAGS_X
- "GSS/GSS.h"
- HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X)
-else ()
- check_symbol_exists(
- GSS_KRB5_CRED_NO_CI_FLAGS_X
- "gssapi/gssapi_krb5.h"
- HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X)
-endif ()
-
 check_symbol_exists(getauxval sys/auxv.h HAVE_GETAUXVAL)
 check_include_files(crt_externs.h HAVE_CRT_EXTERNS_H)