NegoEx broke GSSAPI in BIND 9
Simo Sorce
simo at redhat.com
Wed May 20 10:05:18 EDT 2020
The mechanism list you create for gss_acquire_cred looks somewhat wrong
to me.
If you want to perform SPNEGO authentication but limit SPNEGO to allow
only the krb5 mechanism you should acquire creds specifying only the
SPNEGO oid.
Then you should use the gss_set_neg_mechs() call on the credentials
obtained and specify the krb5 mech oid only.
This means:
- 1) obtain credentials for any mechanism that SPNEGO can handle.
- 2) make sure only krb5 is used by SPNEGO
What you are doing now is to get a set of credentials for raw krb5 as
well as all other mechanisms under SPNEGO. I am not sure this is what
you want.
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
On Wed, 2020-05-20 at 11:34 +0200, Ondřej Surý wrote:
> Hi,
>
> there’s a regression in krb5 1.18.x that broke SPNEGO usage in BIND 9.
>
> There’s a little bit of history there - historically BIND 9 used internal implementation
> of SPNEGO and that still works. But in the development version, I did drop the
> internal implementation in favor of using KRB5 SPNEGO mechanism implementation.
>
> We don’t do anything fancy, the code is basically:
>
> #ifndef GSS_KRB5_MECHANISM
> static unsigned char krb5_mech_oid_bytes[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7,
> 0x12, 0x01, 0x02, 0x02 };
> static gss_OID_desc __gss_krb5_mechanism_oid_desc = {
> sizeof(krb5_mech_oid_bytes), krb5_mech_oid_bytes
> };
> #define GSS_KRB5_MECHANISM (&__gss_krb5_mechanism_oid_desc)
> #endif /* ifndef GSS_KRB5_MECHANISM */
>
> #ifndef GSS_SPNEGO_MECHANISM
> static unsigned char spnego_mech_oid_bytes[] = { 0x2b, 0x06, 0x01,
> 0x05, 0x05, 0x02 };
> static gss_OID_desc __gss_spnego_mechanism_oid_desc = {
> sizeof(spnego_mech_oid_bytes), spnego_mech_oid_bytes
> };
> #define GSS_SPNEGO_MECHANISM (&__gss_spnego_mechanism_oid_desc)
> #endif /* ifndef GSS_SPNEGO_MECHANISM */
>
> […]
>
> static OM_uint32
> mech_oid_set_create(OM_uint32 *minor, gss_OID_set *mech_oid_set) {
> OM_uint32 gret;
>
> gret = gss_create_empty_oid_set(minor, mech_oid_set);
> if (gret != GSS_S_COMPLETE) {
> return (gret);
> }
>
> gret = gss_add_oid_set_member(minor, GSS_KRB5_MECHANISM, mech_oid_set);
> if (gret != GSS_S_COMPLETE) {
> goto release;
> }
>
> gret = gss_add_oid_set_member(minor, GSS_SPNEGO_MECHANISM,
> mech_oid_set);
> if (gret != GSS_S_COMPLETE) {
> goto release;
> }
>
> release:
> REQUIRE(gss_release_oid_set(minor, mech_oid_set) == GSS_S_COMPLETE);
>
> return (gret);
> }
>
> static void
> mech_oid_set_release(gss_OID_set *mech_oid_set) {
> OM_uint32 minor;
>
> REQUIRE(gss_release_oid_set(&minor, mech_oid_set) == GSS_S_COMPLETE);
> }
>
> and then it’s used like this:
>
> gss_OID_set mech_oid_set;
>
> […]
>
> gret = mech_oid_set_create(&minor, &mech_oid_set);
> if (gret != GSS_S_COMPLETE) {
> gss_log(3, "failed to create OID_set: %s",
> gss_error_tostring(gret, minor, buf, sizeof(buf)));
> return (ISC_R_FAILURE);
> }
>
> gret = gss_acquire_cred(&minor, gname, GSS_C_INDEFINITE, mech_oid_set,
> usage, cred, NULL, &lifetime);
>
>
> Unfortunately, this stopped working since 1.18.1, but perhaps we were doing something
> wrong from the beginning. Honestly, looking at the GSSAPI is like reading tea leaves :-),
> so I would appreciate if I can get some pointers where to start with the debugging.
>
> The code is working in 1.17.1 and it’s neither working in 1.18.1 nor master branch (I saw
> some fixes in there, so I tried).
>
> Thanks,
> Ondrej
> --
> Ondřej Surý
> ondrej at isc.org
>
> _______________________________________________
> krbdev mailing list krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
More information about the krbdev
mailing list