GSSAPI broken

Sean McNeil sean at mcneil.com
Fri Nov 23 08:49:16 PST 2007


The moderator rejected my previous attempt to report this as I stated 
7-STABLE. I assumed that since there is a STABLE cvsup tag this was 
appropriate, but the moderator found it confusing as there is no 
official stable for 7 yet. Instead, I should have stated 7-BETA3.

I am resending as this is very important. Without a fix, secure LDAP 
support is broken as well as other potential SASL2 uses.

I have updated my system to

FreeBSD triton.mcneil.com 7.0-BETA3 FreeBSD 7.0-BETA3 #225: Thu Nov 22 
12:43:12 PST 2007     
root at triton.mcneil.com:/usr/obj/usr/src/sys/TRITON  amd64

I used the supfile setting of

*default release=cvs tag=RELENG_7

I have found 2 problems related to GSSAPI support:

1) /etc/gss/mech has the wrong version number for libgssapi_krb5.so. It 
is set to 8 instead of 9.
2) /usr/src/lib/libgssapi/gss_acquire_cred.c causes a segfault because 
it will access off of a null pointer. SASL2 from ports will call 
gss_acquire_cred with the desired_mechs set to GSS_C_NO_OID_SET when 
_gss_mech_oids hasn't been setup yet. This happens in openldap23-server, 
for instance. The following patch prevents the segfault:

--- gss_acquire_cred.c.orig    2005-12-29 06:40:20.000000000 -0800
+++ gss_acquire_cred.c    2007-11-22 18:30:07.000000000 -0800
@@ -59,8 +59,8 @@
      * First make sure that at least one of the requested
      * mechanisms is one that we support.
      */
+    _gss_load_mech();
     if (mechs) {
-        _gss_load_mech();
         for (i = 0; i < mechs->count; i++) {
             int t;
             gss_test_oid_set_member(minor_status,
@@ -74,6 +74,9 @@
             return (GSS_S_BAD_MECH);
         }
     }
+    else
+        mechs = _gss_mech_oids;
+
 
     if (actual_mechs) {
         major_status = gss_create_empty_oid_set(minor_status,
@@ -92,9 +95,6 @@
     cred->gc_usage = cred_usage;
     SLIST_INIT(&cred->gc_mc);
 
-    if (mechs == GSS_C_NO_OID_SET)
-        mechs = _gss_mech_oids;
-
     set.count = 1;
     min_time = GSS_C_INDEFINITE;
     for (i = 0; i < mechs->count; i++) {

-------------- next part --------------
--- gss_acquire_cred.c.orig	2005-12-29 06:40:20.000000000 -0800
+++ gss_acquire_cred.c	2007-11-22 18:30:07.000000000 -0800
@@ -59,8 +59,8 @@
 	 * First make sure that at least one of the requested
 	 * mechanisms is one that we support.
 	 */
+	_gss_load_mech();
 	if (mechs) {
-		_gss_load_mech();
 		for (i = 0; i < mechs->count; i++) {
 			int t;
 			gss_test_oid_set_member(minor_status,
@@ -74,6 +74,9 @@
 			return (GSS_S_BAD_MECH);
 		}
 	}
+	else
+		mechs = _gss_mech_oids;
+
 
 	if (actual_mechs) {
 		major_status = gss_create_empty_oid_set(minor_status,
@@ -92,9 +95,6 @@
 	cred->gc_usage = cred_usage;
 	SLIST_INIT(&cred->gc_mc);
 
-	if (mechs == GSS_C_NO_OID_SET)
-		mechs = _gss_mech_oids;
-
 	set.count = 1;
 	min_time = GSS_C_INDEFINITE;
 	for (i = 0; i < mechs->count; i++) {


More information about the freebsd-current mailing list