[20088] in Kerberos_V5_Development
NegoEx broke GSSAPI in BIND 9
daemon@ATHENA.MIT.EDU (Ondřej Surý)
Wed May 20 05:35:40 2020
From: Ondřej Surý <ondrej@isc.org>
Date: Wed, 20 May 2020 11:34:37 +0200
To: krbdev@mit.edu
Message-ID: <253812D5-B414-4F0D-85D8-EFB57CB1D289@isc.org>
Hi,

there's a regression in krb5 1.18.x that broke SPNEGO usage in BIND 9.

There's a little bit of history there - historically BIND 9 used an internal
implementation of SPNEGO, and that still works. But in the development version,
I did drop the internal implementation in favor of using the krb5 SPNEGO
mechanism implementation.

We don't do anything fancy; the code is basically:
    #ifndef GSS_KRB5_MECHANISM
    static unsigned char krb5_mech_oid_bytes[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7,
                                                   0x12, 0x01, 0x02, 0x02 };
    static gss_OID_desc __gss_krb5_mechanism_oid_desc = {
        sizeof(krb5_mech_oid_bytes), krb5_mech_oid_bytes
    };
    #define GSS_KRB5_MECHANISM (&__gss_krb5_mechanism_oid_desc)
    #endif /* ifndef GSS_KRB5_MECHANISM */

    #ifndef GSS_SPNEGO_MECHANISM
    static unsigned char spnego_mech_oid_bytes[] = { 0x2b, 0x06, 0x01,
                                                     0x05, 0x05, 0x02 };
    static gss_OID_desc __gss_spnego_mechanism_oid_desc = {
        sizeof(spnego_mech_oid_bytes), spnego_mech_oid_bytes
    };
    #define GSS_SPNEGO_MECHANISM (&__gss_spnego_mechanism_oid_desc)
    #endif /* ifndef GSS_SPNEGO_MECHANISM */

    […]

    static OM_uint32
    mech_oid_set_create(OM_uint32 *minor, gss_OID_set *mech_oid_set) {
        OM_uint32 gret;

        gret = gss_create_empty_oid_set(minor, mech_oid_set);
        if (gret != GSS_S_COMPLETE) {
            return (gret);
        }

        gret = gss_add_oid_set_member(minor, GSS_KRB5_MECHANISM, mech_oid_set);
        if (gret != GSS_S_COMPLETE) {
            goto release;
        }

        gret = gss_add_oid_set_member(minor, GSS_SPNEGO_MECHANISM, mech_oid_set);
        if (gret != GSS_S_COMPLETE) {
            goto release;
        }

    release:
        /* Reached on the success path as well as via the gotos above, so the
         * set is released here before the caller gets to use it. */
        REQUIRE(gss_release_oid_set(minor, mech_oid_set) == GSS_S_COMPLETE);

        return (gret);
    }

    static void
    mech_oid_set_release(gss_OID_set *mech_oid_set) {
        OM_uint32 minor;

        REQUIRE(gss_release_oid_set(&minor, mech_oid_set) == GSS_S_COMPLETE);
    }
and then it's used like this:

    gss_OID_set mech_oid_set;

    […]

    gret = mech_oid_set_create(&minor, &mech_oid_set);
    if (gret != GSS_S_COMPLETE) {
        gss_log(3, "failed to create OID_set: %s",
                gss_error_tostring(gret, minor, buf, sizeof(buf)));
        return (ISC_R_FAILURE);
    }

    gret = gss_acquire_cred(&minor, gname, GSS_C_INDEFINITE, mech_oid_set,
                            usage, cred, NULL, &lifetime);
Unfortunately, this stopped working as of 1.18.1, but perhaps we were doing
something wrong from the beginning. Honestly, looking at the GSSAPI is like
reading tea leaves :-), so I would appreciate it if I could get some pointers
on where to start with the debugging.

The code is working in 1.17.1, and it's working in neither 1.18.1 nor the
master branch (I saw some fixes in there, so I tried).

Thanks,
Ondrej
--
Ondřej Surý
ondrej@isc.org
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev