NegoEx broke GSSAPI in BIND 9


NegoEx broke GSSAPI in BIND 9

Ondřej Surý
Hi,

There's a regression in krb5 1.18.x that broke SPNEGO usage in BIND 9.

There's a little bit of history there: historically, BIND 9 used an internal implementation
of SPNEGO, and that still works.  But in the development version, I dropped the
internal implementation in favor of using the KRB5 SPNEGO mechanism implementation.

We don’t do anything fancy, the code is basically:

#ifndef GSS_KRB5_MECHANISM
static unsigned char krb5_mech_oid_bytes[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7,
                                              0x12, 0x01, 0x02, 0x02 };
static gss_OID_desc __gss_krb5_mechanism_oid_desc = {
       sizeof(krb5_mech_oid_bytes), krb5_mech_oid_bytes
};
#define GSS_KRB5_MECHANISM (&__gss_krb5_mechanism_oid_desc)
#endif /* ifndef GSS_KRB5_MECHANISM */

#ifndef GSS_SPNEGO_MECHANISM
static unsigned char spnego_mech_oid_bytes[] = { 0x2b, 0x06, 0x01,
                                                0x05, 0x05, 0x02 };
static gss_OID_desc __gss_spnego_mechanism_oid_desc = {
       sizeof(spnego_mech_oid_bytes), spnego_mech_oid_bytes
};
#define GSS_SPNEGO_MECHANISM (&__gss_spnego_mechanism_oid_desc)
#endif /* ifndef GSS_SPNEGO_MECHANISM */

[…]

static OM_uint32
mech_oid_set_create(OM_uint32 *minor, gss_OID_set *mech_oid_set) {
       OM_uint32 gret;

       gret = gss_create_empty_oid_set(minor, mech_oid_set);
       if (gret != GSS_S_COMPLETE) {
               return (gret);
       }

       gret = gss_add_oid_set_member(minor, GSS_KRB5_MECHANISM, mech_oid_set);
       if (gret != GSS_S_COMPLETE) {
               goto release;
       }

       gret = gss_add_oid_set_member(minor, GSS_SPNEGO_MECHANISM,
                                     mech_oid_set);
       if (gret != GSS_S_COMPLETE) {
               goto release;
       }

       /* Success: hand the populated set to the caller; it is released
        * later by mech_oid_set_release(). */
       return (GSS_S_COMPLETE);

release:
       REQUIRE(gss_release_oid_set(minor, mech_oid_set) == GSS_S_COMPLETE);

       return (gret);
}

static void
mech_oid_set_release(gss_OID_set *mech_oid_set) {
       OM_uint32 minor;

       REQUIRE(gss_release_oid_set(&minor, mech_oid_set) == GSS_S_COMPLETE);
}

and then it’s used like this:

       gss_OID_set mech_oid_set;

[…]

       gret = mech_oid_set_create(&minor, &mech_oid_set);
       if (gret != GSS_S_COMPLETE) {
               gss_log(3, "failed to create OID_set: %s",
                       gss_error_tostring(gret, minor, buf, sizeof(buf)));
               return (ISC_R_FAILURE);
       }

       gret = gss_acquire_cred(&minor, gname, GSS_C_INDEFINITE, mech_oid_set,
                               usage, cred, NULL, &lifetime);


Unfortunately, this stopped working as of 1.18.1, but perhaps we were doing something
wrong from the beginning. Honestly, looking at the GSSAPI is like reading tea leaves :-),
so I would appreciate it if I could get some pointers on where to start with the debugging.

The code works in 1.17.1, and it works in neither 1.18.1 nor the master branch (I saw
some fixes in there, so I tried).

Thanks,
Ondrej
--
Ondřej Surý
[hidden email]


_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
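The two byte tables in the post are the DER content octets of the krb5 and SPNEGO mechanism OIDs, and the quickest way to be sure a hand-rolled gss_OID_desc is right is to decode it. The following is an added example, not BIND 9 or MIT krb5 code: it decodes the post's byte tables to dotted form, encodes dotted OIDs back to octets, and rejects malformed input such as a table whose last octet still has the continuation bit set. The function names oid_to_dotted, dotted_to_oid and oid_table_matches are this example's own; the expected values 1.2.840.113554.1.2.2 (krb5) and 1.3.6.1.5.5.2 (SPNEGO) are the registered mechanism OIDs.

```c
/* Added example (not BIND 9 or MIT krb5 code): DER-encode and decode GSS
 * mechanism OIDs so hand-rolled gss_OID_desc byte tables, like the
 * GSS_KRB5_MECHANISM / GSS_SPNEGO_MECHANISM fallbacks in the post, can be
 * checked against the dotted OIDs they are meant to represent. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Byte tables copied from the post. */
static const unsigned char krb5_mech_oid_bytes[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7,
                                                     0x12, 0x01, 0x02, 0x02 };
static const unsigned char spnego_mech_oid_bytes[] = { 0x2b, 0x06, 0x01,
                                                       0x05, 0x05, 0x02 };

/* Decode DER OID content octets (no tag/length, exactly what gss_OID_desc
 * stores) into dotted form.  Returns the string length, or -1 if malformed. */
int oid_to_dotted(const unsigned char *der, size_t len, char *out, size_t outlen)
{
    size_t i, pos = 0;
    unsigned long arc = 0;
    int first = 1, n;

    /* The final octet must have the continuation bit clear. */
    if (len == 0 || (der[len - 1] & 0x80) != 0)
        return -1;

    for (i = 0; i < len; i++) {
        if (arc >> (sizeof(arc) * 8 - 7))        /* next shift would overflow */
            return -1;
        arc = (arc << 7) | (der[i] & 0x7f);
        if (der[i] & 0x80)                        /* more octets for this sub-id */
            continue;
        if (first) {
            /* The first sub-identifier packs the top two arcs as 40*X + Y. */
            unsigned long x = arc < 80 ? arc / 40 : 2;
            n = snprintf(out + pos, outlen - pos, "%lu.%lu", x, arc - 40 * x);
            first = 0;
        } else {
            n = snprintf(out + pos, outlen - pos, ".%lu", arc);
        }
        if (n < 0 || (size_t)n >= outlen - pos)
            return -1;
        pos += (size_t)n;
        arc = 0;
    }
    return (int)pos;
}

/* Encode a dotted OID into DER content octets.  Returns the byte count, or
 * -1 on malformed input or insufficient space. */
int dotted_to_oid(const char *dotted, unsigned char *out, size_t outlen)
{
    unsigned long arcs[32];
    size_t n = 0, pos = 0, k;
    const char *p = dotted;

    while (*p != '\0') {
        char *end;
        if (n == sizeof(arcs) / sizeof(arcs[0]) || *p < '0' || *p > '9')
            return -1;
        arcs[n++] = strtoul(p, &end, 10);
        p = end;
        if (*p == '.') {
            p++;
            if (*p < '0' || *p > '9')             /* trailing or doubled dot */
                return -1;
        } else if (*p != '\0') {
            return -1;
        }
    }
    /* The top arc is 0, 1 or 2; under 0 and 1 the second arc is at most 39. */
    if (n < 2 || arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39))
        return -1;
    arcs[1] += 40 * arcs[0];

    for (k = 1; k < n; k++) {
        unsigned char tmp[10];
        int t = 0;
        unsigned long v = arcs[k];
        /* Base-128 groups, least significant first into tmp[], then written
         * out reversed with the continuation bit on all but the last octet. */
        do {
            tmp[t++] = (unsigned char)(v & 0x7f);
            v >>= 7;
        } while (v != 0);
        if (pos + (size_t)t > outlen)
            return -1;
        while (t-- > 0)
            out[pos++] = (unsigned char)(tmp[t] | (t > 0 ? 0x80 : 0));
    }
    return (int)pos;
}

/* 1 if a byte table decodes to exactly the expected dotted OID, else 0. */
int oid_table_matches(const unsigned char *der, size_t len, const char *expected)
{
    char buf[128];
    if (oid_to_dotted(der, len, buf, sizeof(buf)) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[128];
    oid_to_dotted(krb5_mech_oid_bytes, sizeof(krb5_mech_oid_bytes), buf, sizeof(buf));
    printf("krb5 mech OID:   %s\n", buf);
    oid_to_dotted(spnego_mech_oid_bytes, sizeof(spnego_mech_oid_bytes), buf, sizeof(buf));
    printf("SPNEGO mech OID: %s\n", buf);
    return 0;
}
```

On platforms whose gssapi.h already defines GSS_KRB5_MECHANISM and GSS_SPNEGO_MECHANISM the library supplies the same octets, so the check matters for the #ifndef fallback path above, which is the only place where a typo in the table would go unnoticed until a mechanism silently fails to match.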


Re: NegoEx broke GSSAPI in BIND 9

Ondřej Surý
OK, so I have more information: gss_accept_sec_context() now returns this in the minor code:

> 20-May-2020 12:02:03.077 failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = SPNEGO cannot find mechanisms to negotiate.

I also see:

> 20-May-2020 13:06:31.121 failed gss_inquire_cred: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_0).

But that's an error I am also seeing on the branch that works for us.

Ondrej
--
Ondřej Surý
[hidden email]



Re: NegoEx broke GSSAPI in BIND 9

Simo Sorce-3
In reply to this post by Ondřej Surý

The mechanism list you create for gss_acquire_cred looks somewhat wrong
to me.

If you want to perform SPNEGO authentication but limit SPNEGO to allow
only the krb5 mechanism you should acquire creds specifying only the
SPNEGO oid.

Then you should use the gss_set_neg_mechs() call on the credentials
obtained and specify the krb5 mech oid only.

This means:
- 1) obtain credentials for any mechanism that SPNEGO can handle.
- 2) make sure only krb5 is used by SPNEGO

What you are doing now is to get a set of credentials for raw krb5 as
well as all other mechanisms under SPNEGO. I am not sure this is what
you want.

--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc






Re: NegoEx broke GSSAPI in BIND 9

Ondřej Surý
gssapictx.c is dated 2000 :-), so I am not sure if anybody remembers
what we want :-), apart from implementing RFC 3645, which says:

— cut here —
   The GSS API using SPNEGO [RFC2478] provides maximum flexibility to
   choose the underlying security mechanisms that enables security
   context negotiation.  GSS API using SPNEGO [RFC2478] enables client
   and server to negotiate and choose such underlying security
   mechanisms on the fly.  To support such flexibility, DNS clients and
   servers SHOULD specify SPNEGO mech_type in their GSS API calls.  At
   the same time, in order to guarantee interoperability between DNS
   clients and servers that support GSS-TSIG it is required that

   -  DNS servers specify SPNEGO mech_type
   -  GSS APIs called by DNS client support Kerberos v5
   -  GSS APIs called by DNS server support SPNEGO [RFC2478] and
      Kerberos v5.

   In addition to these, GSS APIs used by DNS client and server MAY also
   support other underlying security mechanisms.
— cut here —

So, what you are saying actually makes vague sense to me.  What I actually
think is that we just want to use SPNEGO and not limit the mechanisms.

At the same time, I am still puzzled why it stopped working when NegoEx
was added to krb5.

Thank you very much,
Ondrej
--
Ondřej Surý
[hidden email]



Re: NegoEx broke GSSAPI in BIND 9

Greg Hudson
In reply to this post by Ondřej Surý
On 5/20/20 5:34 AM, Ondřej Surý wrote:
> Unfortunately, this stopped working since 1.18.1, but perhaps we were doing something
> wrong from the beginning. Honestly, looking at the GSSAPI is like reading tea leaves :-),
> so I would appreciate if I can get some pointers where to start with the debugging.

I don't immediately see what's going wrong.  What Simo pointed out seems
unlikely to be related to the regression.

Given the error message, my best guess is that this is related to commit
c088f56a62702a2cc99c26185681efee1555b7fa ("Restrict SPNEGO acceptor
mechs by cred acquisition").  It should be possible to individually
revert that commit to confirm.  I still wouldn't really know why it
caused a regression, though.

The error message corresponds to ERR_SPNEGO_NO_MECHS_AVAILABLE, which
can be returned from get_available_mechs() or get_negotiable_mechs() in
src/lib/gssapi/spnego/spnego_mech.c.  If I had a reproduction recipe for
this, I would start by setting a breakpoint in get_negotiable_mechs() on
the acceptor side, and figure out the execution path differences between
1.17 and 1.18.



Re: NegoEx broke GSSAPI in BIND 9

Ondřej Surý
Thanks. I came to a similar conclusion meanwhile: the code I sent was most likely a red herring.

The error is generated from the code path where the credential is "NULL" in a call to gss_accept_sec_context(). This still means we could be doing something wrong on the initiator side, but there's an empty set of credentials in gss_init_sec_context() too.

The error could still be somewhere in how we are using the API, but it still smells like a regression to me. Though I am happy to fix our code and I'll continue digging tomorrow, it's just not easy for somebody new to the API and the whole concept.

I’ll start with the pointers you gave me.

Ondřej
--
Ondřej Surý — ISC




Re: NegoEx broke GSSAPI in BIND 9

Ondřej Surý
In reply to this post by Greg Hudson
Hi Greg,

Actually, my colleague already ran git bisect on the repository and identified the culprit
to be NegoEx (c2ca2f26eaf817a6a7ed42257c380437ab802bd9), and I have just confirmed
that with an independent test: c088f56a62702a2cc99c26185681efee1555b7fa is still
part of the repository, but I reverted the tree to c2ca2f26eaf817a6a7ed42257c380437ab802bd9~
(the commit before NegoEx) and our tests work again.

Going forward to c2ca2f26eaf817a6a7ed42257c380437ab802bd9 breaks our tests
again.  So there actually is something in the NegoEx implementation that makes
gss_accept_sec_context() in BIND 9 return with:

20-May-2020 21:49:46.670 failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = SPNEGO cannot find mechanisms to negotiate.

I will try to isolate a minimal test case (if I can) tomorrow.

Thanks,
Ondrej
--
Ondřej Surý
[hidden email]

> On 20 May 2020, at 18:14, Greg Hudson <[hidden email]> wrote:
>
> Given the error message, my best guess is that this is related to commit
> c088f56a62702a2cc99c26185681efee1555b7fa ("Restrict SPNEGO acceptor
> mechs by cred acquisition").  It should be possible to individually
> revert that commit to confirm.  I still wouldn't really know why it
> caused a regression, though.



Re: NegoEx broke GSSAPI in BIND 9

Greg Hudson
In reply to this post by Ondřej Surý
With some help from Ondřej setting up the test environment I found the
bug.  It's unfortunately pretty bad, and I'm surprised it hasn't been
more of an issue.  The bug applies when the server uses the default
acceptor credential and no ccache with tickets is present in the
environment.  The first of those criteria might be rarer than I would
have thought.

The bug is in spnego_mech.c:acc_ctx_new(), which was accidentally
changed to call get_negotiable_mechs() with GSS_C_INITIATE instead of
GSS_C_ACCEPT.  When the default credential is used, this usage causes
mechs to be filtered by availability of initiator rather than acceptor
credentials.  If there is a non-empty ccache in the environment (as is
almost always the case in krb5's automated tests), things work fine, but
if not, krb5 is erroneously filtered out.

I will speed through a patch release.
