[20089] in Kerberos_V5_Development
Re: NegoEx broke GSSAPI in BIND 9
daemon@ATHENA.MIT.EDU (=?utf-8?B?T25kxZllaiBTdXLDvQ==?=)
Wed May 20 09:09:30 2020
From: =?utf-8?B?T25kxZllaiBTdXLDvQ==?= <ondrej@isc.org>
MIME-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Wed, 20 May 2020 15:07:59 +0200
To: <krbdev@mit.edu>
In-Reply-To: <253812D5-B414-4F0D-85D8-EFB57CB1D289@isc.org>
Message-ID: <1AB3A7F4-3E2B-4529-82C0-564F0C4EDCF5@isc.org>
Content-Type: multipart/mixed; boundary="===============4830290540114058518=="
Errors-To: krbdev-bounces@mit.edu
--===============4830290540114058518==
Content-Type: multipart/signed;
boundary="Apple-Mail=_05C489A6-1E8B-41B0-ABCD-79C269B74661";
protocol="application/pgp-signature"; micalg=pgp-sha512
--Apple-Mail=_05C489A6-1E8B-41B0-ABCD-79C269B74661
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
charset=utf-8
Ok, so I do have more information, the gss_accept_sec_context() now =
returns in minor:
> 20-May-2020 12:02:03.077 failed gss_accept_sec_context: GSSAPI error: =
Major =3D Unspecified GSS failure. Minor code may provide more =
information, Minor =3D SPNEGO cannot find mechanisms to negotiate.
also I see:
> 20-May-2020 13:06:31.121 failed gss_inquire_cred: GSSAPI error: Major =
=3D Unspecified GSS failure. Minor code may provide more information, =
Minor =3D No Kerberos credentials available (default cache: =
FILE:/tmp/krb5cc_0).
But that=E2=80=99s error I am also seeing on the branch that work for =
us.
Ondrej
--
Ond=C5=99ej Sur=C3=BD
ondrej@isc.org
> On 20 May 2020, at 11:34, Ond=C5=99ej Sur=C3=BD <ondrej@isc.org> =
wrote:
>=20
> Hi,
>=20
> there=E2=80=99s a regression in krb5 1.18.x that broke SPNEGO usage in =
BIND 9.
>=20
> There=E2=80=99s a little bit of history there - historically BIND 9 =
used internal implementation
> of SPNEGO and that still works. But in the development version, I did =
drop the
> internal implementation in favor of using KRB5 SPNEGO mechanism =
implementation.
>=20
> We don=E2=80=99t do anything fancy, the code is basically:
>=20
> #ifndef GSS_KRB5_MECHANISM
> static unsigned char krb5_mech_oid_bytes[] =3D { 0x2a, 0x86, 0x48, =
0x86, 0xf7,
> 0x12, 0x01, 0x02, 0x02 };
> static gss_OID_desc __gss_krb5_mechanism_oid_desc =3D {
> sizeof(krb5_mech_oid_bytes), krb5_mech_oid_bytes
> };
> #define GSS_KRB5_MECHANISM (&__gss_krb5_mechanism_oid_desc)
> #endif /* ifndef GSS_KRB5_MECHANISM */
>=20
> #ifndef GSS_SPNEGO_MECHANISM
> static unsigned char spnego_mech_oid_bytes[] =3D { 0x2b, 0x06, 0x01,
> 0x05, 0x05, 0x02 };
> static gss_OID_desc __gss_spnego_mechanism_oid_desc =3D {
> sizeof(spnego_mech_oid_bytes), spnego_mech_oid_bytes
> };
> #define GSS_SPNEGO_MECHANISM (&__gss_spnego_mechanism_oid_desc)
> #endif /* ifndef GSS_SPNEGO_MECHANISM */
>=20
> [=E2=80=A6]
>=20
> static OM_uint32
> mech_oid_set_create(OM_uint32 *minor, gss_OID_set *mech_oid_set) {
> OM_uint32 gret;
>=20
> gret =3D gss_create_empty_oid_set(minor, mech_oid_set);
> if (gret !=3D GSS_S_COMPLETE) {
> return (gret);
> }
>=20
> gret =3D gss_add_oid_set_member(minor, GSS_KRB5_MECHANISM, =
mech_oid_set);
> if (gret !=3D GSS_S_COMPLETE) {
> goto release;
> }
>=20
> gret =3D gss_add_oid_set_member(minor, GSS_SPNEGO_MECHANISM,
> mech_oid_set);
> if (gret !=3D GSS_S_COMPLETE) {
> goto release;
> }
>=20
> release:
> REQUIRE(gss_release_oid_set(minor, mech_oid_set) =3D=3D =
GSS_S_COMPLETE);
>=20
> return (gret);
> }
>=20
> static void
> mech_oid_set_release(gss_OID_set *mech_oid_set) {
> OM_uint32 minor;
>=20
> REQUIRE(gss_release_oid_set(&minor, mech_oid_set) =3D=3D =
GSS_S_COMPLETE);
> }
>=20
> and then it=E2=80=99s used like this:
>=20
> gss_OID_set mech_oid_set;
>=20
> [=E2=80=A6]
>=20
> gret =3D mech_oid_set_create(&minor, &mech_oid_set);
> if (gret !=3D GSS_S_COMPLETE) {
> gss_log(3, "failed to create OID_set: %s",
> gss_error_tostring(gret, minor, buf, =
sizeof(buf)));
> return (ISC_R_FAILURE);
> }
>=20
> gret =3D gss_acquire_cred(&minor, gname, GSS_C_INDEFINITE, =
mech_oid_set,
> usage, cred, NULL, &lifetime);
>=20
>=20
> Unfortunately, this stopped working since 1.18.1, but perhaps we were =
doing something
> wrong from the beginning. Honestly, looking at the GSSAPI is like =
reading tea leaves :-),
> so I would appreciate if I can get some pointers where to start with =
the debugging.
>=20
> The code is working in 1.17.1 and it=E2=80=99s neither working in =
1.18.1 nor master branch (I saw
> some fixes in there, so I tried).
>=20
> Thanks,
> Ondrej
> --
> Ond=C5=99ej Sur=C3=BD
> ondrej@isc.org
>=20
--Apple-Mail=_05C489A6-1E8B-41B0-ABCD-79C269B74661
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="signature.asc"
Content-Type: application/pgp-signature;
name=signature.asc
Content-Description: Message signed with OpenPGP
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEEw2Gx4wKVQ+vGJel9g3Kkd++uWcIFAl7FK69fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEMz
NjFCMUUzMDI5NTQzRUJDNjI1RTk3RDgzNzJBNDc3RUZBRTU5QzIACgkQg3Kkd++u
WcLCAg/+P6MUISIAJZDibxEArAiC97ZDR4QXIv+6oaAowPugG3kv2xvm0axgcBOH
6IW6S4CrO8IZRjNmDr669RLsa2Yw3x3QZoe212M3bb/lNrrzZ9h1ElsXcLybpiMi
402Lxa+aKqMvboTyVCxrRr0/wGrOdqBx53qkrI2bFTOSwBFqKGFlW/bC2VeuMYpE
UcQEs1S9+2c+/KsLRLiGyrrmnnt6FASlHYhu3miDXpR0b4c+/aVarFti9uk4YLNM
mnT5XYyVm28UENSIFrkQrt7gUWWEYiQ0x9Z/0dryBX2nKRWn2G3MMPfZAtkdRz90
DsXeYypovjFhE+JbmXWIW0IcnIzVeuPpvnTyMdDfHGAyNh2GicKKUcjVAkyECJRx
K4BknjSUQEQ03z54N6O7sZKxM2GI8UPd39HG0wYfecIRHaMKvhtEihenbP7i+WdE
c8wvbIMdosLusgADglmUlo3mDo3/tQ/a/QiWNUdz7bWVncISsqhFgk3rduRI8Y5K
DE8t6/JjGbGl2F86A7FQfgeRXFPCCNh6bgku2XbvQtVe+8YI7HLEIvwKM4KsPcmF
nlLxKBm9v+eYx8tsqLic00Pr62bj6r4Ic6B+G0TJtfCgyj1jvReQYbI5H2RuozWR
zi04v7o15vGXVtQgR/4//AAXEPdkNFe2+C3Gy+MfTckAuioKc/I=
=K+uu
-----END PGP SIGNATURE-----
--Apple-Mail=_05C489A6-1E8B-41B0-ABCD-79C269B74661--
--===============4830290540114058518==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
--===============4830290540114058518==--
