NegoEx broke GSSAPI in BIND 9
Ondřej Surý
ondrej at isc.org
Wed May 20 09:07:59 EDT 2020
Ok, so I do have more information, the gss_accept_sec_context() now returns in minor:
> 20-May-2020 12:02:03.077 failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = SPNEGO cannot find mechanisms to negotiate.
also I see:
> 20-May-2020 13:06:31.121 failed gss_inquire_cred: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_0).
But that’s an error I am also seeing on the branch that works for us.
Ondrej
--
Ondřej Surý
ondrej at isc.org
> On 20 May 2020, at 11:34, Ondřej Surý <ondrej at isc.org> wrote:
>
> Hi,
>
> there’s a regression in krb5 1.18.x that broke SPNEGO usage in BIND 9.
>
> There’s a little bit of history there - historically BIND 9 used an internal implementation
> of SPNEGO, and that still works. But in the development version, I did drop the
> internal implementation in favor of using the KRB5 SPNEGO mechanism implementation.
>
> We don’t do anything fancy, the code is basically:
>
> #ifndef GSS_KRB5_MECHANISM
> static unsigned char krb5_mech_oid_bytes[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7,
> 					       0x12, 0x01, 0x02, 0x02 };
> static gss_OID_desc __gss_krb5_mechanism_oid_desc = {
> 	sizeof(krb5_mech_oid_bytes), krb5_mech_oid_bytes
> };
> #define GSS_KRB5_MECHANISM (&__gss_krb5_mechanism_oid_desc)
> #endif /* ifndef GSS_KRB5_MECHANISM */
>
> #ifndef GSS_SPNEGO_MECHANISM
> static unsigned char spnego_mech_oid_bytes[] = { 0x2b, 0x06, 0x01,
> 						 0x05, 0x05, 0x02 };
> static gss_OID_desc __gss_spnego_mechanism_oid_desc = {
> 	sizeof(spnego_mech_oid_bytes), spnego_mech_oid_bytes
> };
> #define GSS_SPNEGO_MECHANISM (&__gss_spnego_mechanism_oid_desc)
> #endif /* ifndef GSS_SPNEGO_MECHANISM */
>
> […]
>
> static OM_uint32
> mech_oid_set_create(OM_uint32 *minor, gss_OID_set *mech_oid_set) {
> 	OM_uint32 gret;
>
> 	gret = gss_create_empty_oid_set(minor, mech_oid_set);
> 	if (gret != GSS_S_COMPLETE) {
> 		return (gret);
> 	}
>
> 	gret = gss_add_oid_set_member(minor, GSS_KRB5_MECHANISM, mech_oid_set);
> 	if (gret != GSS_S_COMPLETE) {
> 		goto release;
> 	}
>
> 	gret = gss_add_oid_set_member(minor, GSS_SPNEGO_MECHANISM, mech_oid_set);
> 	if (gret != GSS_S_COMPLETE) {
> 		goto release;
> 	}
>
> 	/* Success: hand the populated set to the caller. Without this return
> 	 * the code falls through and releases the set it just built. */
> 	return (gret);
>
> release:
> 	/* Error path only: drop the partially built set before reporting. */
> 	REQUIRE(gss_release_oid_set(minor, mech_oid_set) == GSS_S_COMPLETE);
>
> 	return (gret);
> }
>
> static void
> mech_oid_set_release(gss_OID_set *mech_oid_set) {
> 	OM_uint32 minor;
>
> 	REQUIRE(gss_release_oid_set(&minor, mech_oid_set) == GSS_S_COMPLETE);
> }
>
> and then it’s used like this:
>
> gss_OID_set mech_oid_set;
>
> […]
>
> gret = mech_oid_set_create(&minor, &mech_oid_set);
> if (gret != GSS_S_COMPLETE) {
> 	gss_log(3, "failed to create OID_set: %s",
> 		gss_error_tostring(gret, minor, buf, sizeof(buf)));
> 	return (ISC_R_FAILURE);
> }
>
> gret = gss_acquire_cred(&minor, gname, GSS_C_INDEFINITE, mech_oid_set,
> 			usage, cred, NULL, &lifetime);
>
>
> Unfortunately, this stopped working in 1.18.1, but perhaps we were doing something
> wrong from the beginning. Honestly, looking at the GSSAPI is like reading tea leaves :-),
> so I would appreciate it if I could get some pointers on where to start with the debugging.
>
> The code is working in 1.17.1, and it’s working neither in 1.18.1 nor on the master branch (I saw
> some fixes in there, so I tried).
>
> Thanks,
> Ondrej
> --
> Ondřej Surý
> ondrej at isc.org
>
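One thing worth ruling out early when a negotiation reports that no mechanisms can be found is that the fallback OID byte arrays in the quoted snippet really encode the registered mechanism identifiers, 1.2.840.113554.1.2.2 (Kerberos V5) and 1.3.6.1.5.5.2 (SPNEGO). The following is an added example, not code from this thread or from BIND 9: a decoder for the element bytes a gss_OID carries (DER OBJECT IDENTIFIER content octets, written for any OID rather than just these two) that renders them in dotted form so the constants can be compared against those values.

```c
#include <stdio.h>
#include <string.h>

/* Mechanism OID content octets, copied from the posted BIND 9 fallback definitions. */
static const unsigned char krb5_mech_oid_bytes[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7,
						     0x12, 0x01, 0x02, 0x02 };
static const unsigned char spnego_mech_oid_bytes[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 };

/*
 * Decode DER OBJECT IDENTIFIER content octets (what a gss_OID's `elements`
 * holds: no tag, no length) into dotted notation.  Returns the number of
 * characters written, or -1 if the input is empty, stops in the middle of a
 * base-128 subidentifier, or does not fit in `out`.
 */
int oid_to_dotted(const unsigned char *der, size_t len, char *out, size_t outlen) {
	size_t i = 0, pos = 0;
	unsigned long sub = 0;
	int first = 1, pending = 0, n;

	if (outlen == 0) return -1;
	out[0] = '\0';
	while (i < len) {
		unsigned char b = der[i++];
		sub = (sub << 7) | (b & 0x7f);
		pending = (b & 0x80) != 0;
		if (pending) continue;              /* more base-128 digits follow */
		if (first) {
			/* The first subidentifier packs two arcs as 40*X + Y, with X <= 2. */
			unsigned long x = sub < 80 ? sub / 40 : 2;
			n = snprintf(out + pos, outlen - pos, "%lu.%lu", x, sub - 40 * x);
			first = 0;
		} else {
			n = snprintf(out + pos, outlen - pos, ".%lu", sub);
		}
		if (n < 0 || (size_t)n >= outlen - pos) return -1;
		pos += (size_t)n;
		sub = 0;
	}
	return (first || pending) ? -1 : (int)pos;
}

/* True if the byte array decodes to exactly the expected dotted OID. */
int oid_matches(const unsigned char *der, size_t len, const char *expected) {
	char buf[64];
	return oid_to_dotted(der, len, buf, sizeof(buf)) > 0 && strcmp(buf, expected) == 0;
}
```

Calling oid_matches() on each fallback array with the registered dotted value gives a quick yes/no check; a truncated or mistyped array fails the check rather than decoding to something plausible.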