NegoEx broke GSSAPI in BIND 9
Greg Hudson
ghudson at mit.edu
Thu May 21 13:36:47 EDT 2020
With some help from Ondřej setting up the test environment I found the
bug. It's unfortunately pretty bad, and I'm surprised it hasn't been
more of an issue. The bug applies when a the server uses the default
acceptor credential and no ccache with tickets is present in the
environment. The first of those criteria might be rarer than I would
have thought.
The bug is in spnego_mech.c:acc_ctx_new(), which was accidentally
changed to call get_negotiable_mechs() with GSS_C_INITIATE instead of
GSS_C_ACCEPT. When the default credential is used, this usage causes
mechs to be filtered by availability of initiator rather than acceptor
credentials. If there is a non-empty ccache in the environment (as is
almost always the case in krb5's automated tests), things work fine, but
if not, krb5 is erroneously filtered out.
I will speed through a patch release.
More information about the krbdev
mailing list