Date: Fri, 23 Nov 2007 08:48:35 -0800 From: Sean McNeil <sean@mcneil.com> To: current@freebsd.org Subject: GSSAPI broken Message-ID: <47470463.1010608@mcneil.com>
The moderator rejected my previous attempt to report this as I stated 7-STABLE. I assumed that since there is a STABLE cvsup tag this was appropriate, but the moderator found it confusing as there is no official stable for 7 yet. Instead, I should have stated 7-BETA3. I am resending as this is very important. Without a fix, secure LDAP support is broken as well as other potential SASL2 uses.

I have updated my system to:

FreeBSD triton.mcneil.com 7.0-BETA3 FreeBSD 7.0-BETA3 #225: Thu Nov 22 12:43:12 PST 2007 root@triton.mcneil.com:/usr/obj/usr/src/sys/TRITON amd64

I used the supfile setting of:

*default release=cvs tag=RELENG_7

I have found 2 problems related to GSSAPI support:

1) /etc/gss/mech has the wrong version number for libgssapi_krb5.so. It is set to 8 instead of 9.

2) /usr/src/lib/libgssapi/gss_acquire_cred.c causes a segfault because it will access off of a null pointer. SASL2 from ports will call gss_acquire_cred with the desired_mechs set to GSS_C_NO_OID_SET when _gss_mech_oids hasn't been set up yet. This happens in openldap23-server, for instance.

The following patch prevents the segfault:

--- gss_acquire_cred.c.orig 2005-12-29 06:40:20.000000000 -0800 +++ gss_acquire_cred.c 2007-11-22 18:30:07.000000000 -0800 @@ -59,8 +59,8 @@ * First make sure that at least one of the requested * mechanisms is one that we support. */ + _gss_load_mech(); if (mechs) { - _gss_load_mech(); for (i = 0; i < mechs->count; i++) { int t; gss_test_oid_set_member(minor_status, @@ -74,6 +74,9 @@ return (GSS_S_BAD_MECH); } } + else + mechs = _gss_mech_oids; + if (actual_mechs) { major_status = gss_create_empty_oid_set(minor_status, 
@@ -92,9 +95,6 @@ cred->gc_usage = cred_usage; SLIST_INIT(&cred->gc_mc); - if (mechs == GSS_C_NO_OID_SET) - mechs = _gss_mech_oids; - set.count = 1; min_time = GSS_C_INDEFINITE; for (i = 0; i < mechs->count; i++) {
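Review bot: moving `_gss_load_mech();` above `if (mechs) {` in the first hunk (@@ -59,8 +59,8 @@) is the part that actually removes the crash: with the old ordering a caller passing GSS_C_NO_OID_SET skipped the load, so the later fallback to `_gss_mech_oids` handed `mechs->count` a pointer that had never been set up. That ordering dependency is invisible at the new call site; a one-line comment along the lines of "must run before any use of _gss_mech_oids" would stop a later refactor from pushing the call back inside the conditional.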
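Review bot: in the second hunk (@@ -74,6 +74,9 @@) the new fallback puts `else` on its own line after the closing brace, where style(9) wants `} else` on one line. Two things to confirm as well: that nothing between this point and the old assignment site (the `if (actual_mechs)` block and the cred allocation) inspected `mechs` expecting it to still be GSS_C_NO_OID_SET, since the fallback now happens earlier; and that `_gss_load_mech()` can never leave `_gss_mech_oids` null, because if it can, the `for (i = 0; i < mechs->count; i++)` loop in the last hunk still dereferences it and a check for that case belongs right after the `else`.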
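Review bot: the block deleted in the third hunk (@@ -92,9 +95,6 @@) tested `mechs == GSS_C_NO_OID_SET` explicitly, while the replacement relies on `if (mechs)` / `else`. The two are equivalent because GSS_C_NO_OID_SET is a null gss_OID_set (`((gss_OID_set) 0)` in RFC 2744), but this deletion is the only place the named constant appeared; spelling the comparison out in the new `if` would keep the intent visible. The surviving `for (i = 0; i < mechs->count; i++)` is exactly the dereference the mail reports crashing, so this hunk is only correct together with the first one and the two should not be split across commits.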
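As an added check for the first problem (an /etc/gss/mech entry naming a libgssapi_krb5.so version that is not installed), written for this page and not part of the original message: a POSIX sh function that walks a mech(5)-style file and reports every mechanism whose shared-library field does not resolve, hinting at the version that is actually present. It assumes the layout of one mechanism per line with whitespace-separated fields name / OID / library path / kernel module, `#` comments, and a `.so.N` naming scheme for the version hint; the file argument defaults to /etc/gss/mech.

```shell
#!/bin/sh
# check_gss_mech [FILE]
# Walks a mech(5)-style file (default /etc/gss/mech) and reports every
# mechanism whose shared-library field names a file that does not exist,
# e.g. an entry still pointing at libgssapi_krb5.so.8 after the library
# moved to .so.9.  Assumed layout per line: name oid library kmod,
# with blank lines and '#' comments ignored (assumption, per mech(5)).
# Returns 0 when every listed library resolves, 1 otherwise.
check_gss_mech() {
    mechfile=${1:-/etc/gss/mech}
    bad=0
    [ -r "$mechfile" ] || { printf 'cannot read %s\n' "$mechfile" >&2; return 1; }
    # the "|| [ -n ... ]" keeps a final line without a trailing newline
    while read -r name oid lib kmod rest || [ -n "$name" ]; do
        # skip blank lines and comments
        case "$name" in ''|'#'*) continue ;; esac
        if [ -z "$lib" ]; then
            printf 'malformed entry for %s: missing library field\n' "$name" >&2
            bad=1
            continue
        fi
        if [ ! -f "$lib" ]; then
            printf 'mechanism %s: library %s not found\n' "$name" "$lib" >&2
            # hint at the version that is actually installed, if any
            base=${lib%.so.*}
            for cand in "$base".so.*; do
                [ -f "$cand" ] && printf '  installed instead: %s\n' "$cand" >&2
            done
            bad=1
        fi
    done < "$mechfile"
    return "$bad"
}
```

Run it after a world upgrade and before restarting any SASL/GSSAPI consumer; a non-zero exit with an "installed instead" hint is the stale-version case the mail describes.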