NegoEx broke GSSAPI in BIND 9

Greg Hudson ghudson at
Thu May 21 13:36:47 EDT 2020

With some help from Ondřej setting up the test environment I found the
bug.  It's unfortunately pretty bad, and I'm surprised it hasn't been
more of an issue.  The bug applies when a the server uses the default
acceptor credential and no ccache with tickets is present in the
environment.  The first of those criteria might be rarer than I would
have thought.

The bug is in spnego_mech.c:acc_ctx_new(), which was accidentally
changed to call get_negotiable_mechs() with GSS_C_INITIATE instead of
GSS_C_ACCEPT.  When the default credential is used, this usage causes
mechs to be filtered by availability of initiator rather than acceptor
credentials.  If there is a non-empty ccache in the environment (as is
almost always the case in krb5's automated tests), things work fine, but
if not, krb5 is erroneously filtered out.

I will speed through a patch release.

More information about the krbdev mailing list