NegoEx broke GSSAPI in BIND 9
Ondřej Surý
ondrej at isc.org
Wed May 20 10:29:09 EDT 2020
The gssapictx.c is dated 2000 :-), so I am not sure if anybody remembers
what we want :-) apart from implementing RFC 3645 which says:
— cut here —
The GSS API using SPNEGO [RFC2478] provides maximum flexibility to
choose the underlying security mechanisms that enables security
context negotiation. GSS API using SPNEGO [RFC2478] enables client
and server to negotiate and choose such underlying security
mechanisms on the fly. To support such flexibility, DNS clients and
servers SHOULD specify SPNEGO mech_type in their GSS API calls. At
the same time, in order to guarantee interoperability between DNS
clients and servers that support GSS-TSIG it is required that
- DNS servers specify SPNEGO mech_type
- GSS APIs called by DNS client support Kerberos v5
- GSS APIs called by DNS server support SPNEGO [RFC2478] and
Kerberos v5.
In addition to these, GSS APIs used by DNS client and server MAY also
support other underlying security mechanisms.
— cut here —
So, what you are saying actually makes vague sense to me. What I actually
think is that we just want to use SPNEGO and not limit the mechanisms.
At the same time, I am still puzzled why it stopped working when NegoEx
was added to krb5.
Thank you very much,
Ondrej
--
Ondřej Surý
ondrej at isc.org
> On 20 May 2020, at 16:05, Simo Sorce <simo at redhat.com> wrote:
>
>
> The mechanism list you create for gss_acquire_cred looks somewhat wrong
> to me.
>
> If you want to perform SPNEGO authentication but limit SPNEGO to allow
> only the krb5 mechanism you should acquire creds specifying only the
> SPNEGO oid.
>
> Then you should use the gss_set_neg_mechs() call on the credentials
> obtained and specify the krb5 mech oid only.
>
> This means:
> - 1) obtain credentials for any mechanism that SPNEGO can handle.
> - 2) make sure only krb5 is used by SPNEGO
>
> What you are doing now is to get a set of credentials for raw krb5 as
> well as all other mechanisms under SPNEGO. I am not sure this is what
> you want.
>
> --
> Simo Sorce
> RHEL Crypto Team
> Red Hat, Inc
>
>
>
>
> On Wed, 2020-05-20 at 11:34 +0200, Ondřej Surý wrote:
>> Hi,
>>
>> there’s a regression in krb5 1.18.x that broke SPNEGO usage in BIND 9.
>>
>> There’s a little bit of history there: historically BIND 9 used an internal implementation
>> of SPNEGO, and that still works. But in the development version, I did drop the
>> internal implementation in favor of using the KRB5 SPNEGO mechanism implementation.
>>
>> We don’t do anything fancy, the code is basically:
>>
>> #ifndef GSS_KRB5_MECHANISM
>> static unsigned char krb5_mech_oid_bytes[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7,
>>                                                0x12, 0x01, 0x02, 0x02 };
>> static gss_OID_desc __gss_krb5_mechanism_oid_desc = {
>>         sizeof(krb5_mech_oid_bytes), krb5_mech_oid_bytes
>> };
>> #define GSS_KRB5_MECHANISM (&__gss_krb5_mechanism_oid_desc)
>> #endif /* ifndef GSS_KRB5_MECHANISM */
>>
>> #ifndef GSS_SPNEGO_MECHANISM
>> static unsigned char spnego_mech_oid_bytes[] = { 0x2b, 0x06, 0x01,
>>                                                  0x05, 0x05, 0x02 };
>> static gss_OID_desc __gss_spnego_mechanism_oid_desc = {
>>         sizeof(spnego_mech_oid_bytes), spnego_mech_oid_bytes
>> };
>> #define GSS_SPNEGO_MECHANISM (&__gss_spnego_mechanism_oid_desc)
>> #endif /* ifndef GSS_SPNEGO_MECHANISM */
>>
>> […]
>>
>> static OM_uint32
>> mech_oid_set_create(OM_uint32 *minor, gss_OID_set *mech_oid_set) {
>>         OM_uint32 gret;
>>
>>         gret = gss_create_empty_oid_set(minor, mech_oid_set);
>>         if (gret != GSS_S_COMPLETE) {
>>                 return (gret);
>>         }
>>
>>         gret = gss_add_oid_set_member(minor, GSS_KRB5_MECHANISM, mech_oid_set);
>>         if (gret != GSS_S_COMPLETE) {
>>                 goto release;
>>         }
>>
>>         gret = gss_add_oid_set_member(minor, GSS_SPNEGO_MECHANISM,
>>                                       mech_oid_set);
>>         if (gret != GSS_S_COMPLETE) {
>>                 goto release;
>>         }
>>
>>         /* Success: return here rather than falling through into release,
>>          * which would free the set the caller is about to hand to
>>          * gss_acquire_cred() and reset it to GSS_C_NO_OID_SET. */
>>         return (gret);
>>
>> release:
>>         REQUIRE(gss_release_oid_set(minor, mech_oid_set) == GSS_S_COMPLETE);
>>
>>         return (gret);
>> }
>>
>> static void
>> mech_oid_set_release(gss_OID_set *mech_oid_set) {
>>         OM_uint32 minor;
>>
>>         REQUIRE(gss_release_oid_set(&minor, mech_oid_set) == GSS_S_COMPLETE);
>> }
>>
>> and then it’s used like this:
>>
>>         gss_OID_set mech_oid_set;
>>
>> […]
>>
>>         gret = mech_oid_set_create(&minor, &mech_oid_set);
>>         if (gret != GSS_S_COMPLETE) {
>>                 gss_log(3, "failed to create OID_set: %s",
>>                         gss_error_tostring(gret, minor, buf, sizeof(buf)));
>>                 return (ISC_R_FAILURE);
>>         }
>>
>>         gret = gss_acquire_cred(&minor, gname, GSS_C_INDEFINITE, mech_oid_set,
>>                                 usage, cred, NULL, &lifetime);
>>
>>
>> Unfortunately, this stopped working in 1.18.1, but perhaps we were doing something
>> wrong from the beginning. Honestly, looking at the GSSAPI is like reading tea leaves :-),
>> so I would appreciate it if I could get some pointers on where to start with the debugging.
>>
>> The code works with 1.17.1 and works with neither 1.18.1 nor the master branch (I saw
>> some fixes in there, so I tried).
>>
>> Thanks,
>> Ondrej
>> --
>> Ondřej Surý
>> ondrej at isc.org
>>
>> _______________________________________________
>> krbdev mailing list krbdev at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/krbdev
>
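The OID byte arrays in the quoted gssapictx.c snippet and the acquire-then-restrict pattern from Simo's reply, as an added example that is not part of this thread and is not BIND 9 or MIT krb5 code. The first part is a small DER OID decoder, so the hard-coded bytes can be checked against the dotted OIDs they are meant to be (1.2.840.113554.1.2.2 for Kerberos v5, 1.3.6.1.5.5.2 for SPNEGO); the NegoEx bytes are constructed here from the OID 1.3.6.1.4.1.311.2.2.30 that MS-NEGOEX assigns to that mechanism. The second part, compiled only with -DUSE_GSSAPI and linked with -lgssapi_krb5, does what the reply suggests: gss_acquire_cred() with a desired_mechs set containing only SPNEGO, followed by gss_set_neg_mechs() with a set containing only krb5. The function name acquire_spnego_krb5_only is mine, gssapi_ext.h is assumed to be where MIT krb5 declares gss_set_neg_mechs(), and the name, usage and cred arguments are assumed to be supplied by the caller as in the quoted code.

```c
/*
 * Added example, not code from BIND 9 or MIT krb5. Part one decodes the raw
 * mechanism OID bytes quoted in the thread to dotted form; part two (built
 * only with -DUSE_GSSAPI, linked with -lgssapi_krb5) shows the "acquire SPNEGO
 * credentials, then gss_set_neg_mechs() to krb5 only" pattern from the reply.
 */
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* OID content octets exactly as in the quoted gssapictx.c fallback defines */
static const unsigned char KRB5_OID_BYTES[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7,
                                                0x12, 0x01, 0x02, 0x02 };
static const unsigned char SPNEGO_OID_BYTES[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 };
/* Constructed here: NegoEx mechanism OID 1.3.6.1.4.1.311.2.2.30 (MS-NEGOEX),
 * hand-encoded the same way; arc 311 becomes 0x82 0x37 in base 128 */
static const unsigned char NEGOEX_OID_BYTES[] = { 0x2b, 0x06, 0x01, 0x04, 0x01,
                                                  0x82, 0x37, 0x02, 0x02, 0x1e };

/* Decode DER OID content octets (base-128 groups, first two arcs packed into
 * one sub-identifier) to dotted form. Returns 0, or -1 on malformed input. */
int oid_to_dotted(const unsigned char *buf, size_t len, char *out, size_t outlen)
{
    size_t i, used = 0;
    unsigned long arc = 0, a1;
    int first = 1, n;

    if (len == 0 || outlen == 0 || (buf[len - 1] & 0x80))
        return -1; /* empty, or the last octet still has its continuation bit */
    for (i = 0; i < len; i++) {
        if (arc > (ULONG_MAX >> 7))
            return -1; /* sub-identifier would overflow unsigned long */
        arc = (arc << 7) | (buf[i] & 0x7f);
        if (buf[i] & 0x80)
            continue; /* more octets belong to this sub-identifier */
        if (first) { /* first sub-identifier = 40*arc1 + arc2, arc1 in 0..2 */
            a1 = arc < 80 ? arc / 40 : 2;
            n = snprintf(out, outlen, "%lu.%lu", a1, arc - 40 * a1);
            first = 0;
        } else {
            n = snprintf(out + used, outlen - used, ".%lu", arc);
        }
        if (n < 0 || (size_t)n >= outlen - used)
            return -1; /* output buffer too small */
        used += (size_t)n;
        arc = 0;
    }
    return 0;
}

/* Does buf decode to exactly the expected dotted OID? */
int decodes_to(const unsigned char *buf, size_t len, const char *expect)
{
    char dotted[128];
    return oid_to_dotted(buf, len, dotted, sizeof dotted) == 0 &&
           strcmp(dotted, expect) == 0;
}

#ifdef USE_GSSAPI
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_ext.h> /* assumed: MIT krb5 declares gss_set_neg_mechs() here */

static gss_OID_desc krb5_oid = { sizeof KRB5_OID_BYTES, (void *)KRB5_OID_BYTES };
static gss_OID_desc spnego_oid = { sizeof SPNEGO_OID_BYTES, (void *)SPNEGO_OID_BYTES };

/* Acquire credentials for SPNEGO only, then restrict what that SPNEGO
 * credential may negotiate to krb5. On failure no credential is returned. */
OM_uint32 acquire_spnego_krb5_only(OM_uint32 *minor, gss_name_t name,
                                   gss_cred_usage_t usage, gss_cred_id_t *cred)
{
    OM_uint32 major, tmp;
    gss_OID_set set = GSS_C_NO_OID_SET;

    /* step 1: desired_mechs = { SPNEGO }, nothing else */
    major = gss_create_empty_oid_set(minor, &set);
    if (major == GSS_S_COMPLETE)
        major = gss_add_oid_set_member(minor, &spnego_oid, &set);
    if (major == GSS_S_COMPLETE)
        major = gss_acquire_cred(minor, name, GSS_C_INDEFINITE, set, usage,
                                 cred, NULL, NULL);
    (void)gss_release_oid_set(&tmp, &set);
    if (major != GSS_S_COMPLETE)
        return major;

    /* step 2: SPNEGO mechanism list on that credential = { krb5 } */
    major = gss_create_empty_oid_set(minor, &set);
    if (major == GSS_S_COMPLETE)
        major = gss_add_oid_set_member(minor, &krb5_oid, &set);
    if (major == GSS_S_COMPLETE)
        major = gss_set_neg_mechs(minor, *cred, set);
    (void)gss_release_oid_set(&tmp, &set);
    if (major != GSS_S_COMPLETE)
        (void)gss_release_cred(&tmp, cred);
    return major;
}
#endif

int main(void)
{
    char dotted[128];
    if (oid_to_dotted(KRB5_OID_BYTES, sizeof KRB5_OID_BYTES, dotted, sizeof dotted) != 0)
        return 1;
    printf("krb5 mech OID: %s\n", dotted); /* prints 1.2.840.113554.1.2.2 */
    return 0;
}
```

Without -DUSE_GSSAPI the file builds with a plain C compiler and only exercises the decoder, which is enough to confirm that the nine krb5 octets and six SPNEGO octets in the post are the registered OIDs and not a typo. With -DUSE_GSSAPI the second half replaces the two-member set the quoted code passes to gss_acquire_cred(): the credential is acquired for SPNEGO alone, and the krb5 restriction is applied afterwards through gss_set_neg_mechs(), which is where SPNEGO's negotiable list (the one NegoEx would otherwise join) is controlled.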
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: Message signed with OpenPGP
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20200520/e38f97d0/attachment.bin