NegoEx broke GSSAPI in BIND 9

Ondřej Surý ondrej at
Wed May 20 05:34:37 EDT 2020


There’s a regression in krb5 1.18.x that broke SPNEGO usage in BIND 9.

There’s a little bit of history there - historically BIND 9 used an internal implementation
of SPNEGO and that still works.  But in the development version, I did drop the
internal implementation in favor of using the KRB5 SPNEGO mechanism implementation.

We don’t do anything fancy, the code is basically:

#ifndef GSS_KRB5_MECHANISM
/* 1.2.840.113554.1.2.2 (Kerberos 5) */
static unsigned char krb5_mech_oid_bytes[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7,
                                               0x12, 0x01, 0x02, 0x02 };
static gss_OID_desc __gss_krb5_mechanism_oid_desc = {
       sizeof(krb5_mech_oid_bytes), krb5_mech_oid_bytes
};
#define GSS_KRB5_MECHANISM (&__gss_krb5_mechanism_oid_desc)
#endif /* ifndef GSS_KRB5_MECHANISM */

#ifndef GSS_SPNEGO_MECHANISM
/* 1.3.6.1.5.5.2 (SPNEGO) */
static unsigned char spnego_mech_oid_bytes[] = { 0x2b, 0x06, 0x01,
                                                 0x05, 0x05, 0x02 };
static gss_OID_desc __gss_spnego_mechanism_oid_desc = {
       sizeof(spnego_mech_oid_bytes), spnego_mech_oid_bytes
};
#define GSS_SPNEGO_MECHANISM (&__gss_spnego_mechanism_oid_desc)
#endif /* ifndef GSS_SPNEGO_MECHANISM */


static OM_uint32
mech_oid_set_create(OM_uint32 *minor, gss_OID_set *mech_oid_set) {
       OM_uint32 gret;

       gret = gss_create_empty_oid_set(minor, mech_oid_set);
       if (gret != GSS_S_COMPLETE) {
               return (gret);
       }

       gret = gss_add_oid_set_member(minor, GSS_KRB5_MECHANISM, mech_oid_set);
       if (gret != GSS_S_COMPLETE) {
               goto release;
       }

       gret = gss_add_oid_set_member(minor, GSS_SPNEGO_MECHANISM,
                                     mech_oid_set);
       if (gret != GSS_S_COMPLETE) {
               goto release;
       }

release:
       REQUIRE(gss_release_oid_set(minor, mech_oid_set) == GSS_S_COMPLETE);

       return (gret);
}

static void
mech_oid_set_release(gss_OID_set *mech_oid_set) {
       OM_uint32 minor;

       REQUIRE(gss_release_oid_set(&minor, mech_oid_set) == GSS_S_COMPLETE);
}

and then it’s used like this:

       gss_OID_set mech_oid_set;

       gret = mech_oid_set_create(&minor, &mech_oid_set);
       if (gret != GSS_S_COMPLETE) {
               gss_log(3, "failed to create OID_set: %s",
                       gss_error_tostring(gret, minor, buf, sizeof(buf)));
               return (ISC_R_FAILURE);
       }

       gret = gss_acquire_cred(&minor, gname, GSS_C_INDEFINITE, mech_oid_set,
                               usage, cred, NULL, &lifetime);

Unfortunately, this stopped working as of 1.18.1, but perhaps we were doing something
wrong from the beginning. Honestly, looking at the GSSAPI is like reading tea leaves :-),
so I would appreciate it if I could get some pointers on where to start with the debugging.

The code is working in 1.17.1 and it’s working neither in 1.18.1 nor on the master branch (I saw
some fixes in there, so I tried).

Ondřej Surý
ondrej at
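
The two byte arrays in the message are the DER-encoded contents of the mechanism OIDs, and when logging which mechanisms ended up in a gss_OID_set (each member exposes length and elements) it helps to print them in dotted form. The following is an added example, not code from BIND 9 or krb5; oid_to_dotted and oid_str are hypothetical helper names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Byte arrays copied from the message above. */
static const unsigned char krb5_oid[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7,
                                          0x12, 0x01, 0x02, 0x02 };
static const unsigned char spnego_oid[] = { 0x2b, 0x06, 0x01,
                                            0x05, 0x05, 0x02 };

/* Decode DER OID contents (no tag/length octets); 0 on success, -1 on error. */
static int
oid_to_dotted(const unsigned char *der, size_t len, char *out, size_t outlen) {
        unsigned long arc = 0;
        size_t used = 0;
        int first = 1, n;
        if (len == 0 || outlen == 0) return (-1);
        for (size_t i = 0; i < len; i++) {
                if (arc == 0 && der[i] == 0x80) return (-1); /* padded arc */
                if (arc > (~0UL >> 7)) return (-1);          /* overflow */
                arc = (arc << 7) | (der[i] & 0x7f);
                if (der[i] & 0x80) {
                        if (i + 1 == len) return (-1);       /* truncated arc */
                        continue;
                }
                if (first) { /* first subidentifier packs two arcs: 40*X + Y */
                        unsigned long x = arc < 80 ? arc / 40 : 2;
                        n = snprintf(out + used, outlen - used, "%lu.%lu", x,
                                     arc - 40 * x);
                        first = 0;
                } else {
                        n = snprintf(out + used, outlen - used, ".%lu", arc);
                }
                if (n < 0 || (size_t)n >= outlen - used) return (-1);
                used += (size_t)n;
                arc = 0;
        }
        return (0);
}

/* Convenience wrapper: static buffer, NULL on failure (not thread-safe). */
static const char *
oid_str(const unsigned char *der, size_t len) {
        static char buf[128];
        return (oid_to_dotted(der, len, buf, sizeof(buf)) == 0 ? buf : NULL);
}

int main(void) {
        printf("krb5   %s\n", oid_str(krb5_oid, sizeof(krb5_oid)));
        printf("spnego %s\n", oid_str(spnego_oid, sizeof(spnego_oid)));
        return (0);
}
```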
