From owner-freebsd-current@FreeBSD.ORG  Fri Nov 23 16:49:16 2007
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: current@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id A6E2D16A417
	for <current@freebsd.org>; Fri, 23 Nov 2007 16:49:16 +0000 (UTC)
	(envelope-from sean@mcneil.com)
Received: from mail.mcneil.com (mcneil.com [24.199.45.54])
	by mx1.freebsd.org (Postfix) with ESMTP id 6308713C474
	for <current@freebsd.org>; Fri, 23 Nov 2007 16:49:16 +0000 (UTC)
	(envelope-from sean@mcneil.com)
Received: from localhost (localhost.mcneil.com [127.0.0.1])
	by mail.mcneil.com (Postfix) with ESMTP id 098F7F7303
	for <current@freebsd.org>; Fri, 23 Nov 2007 08:49:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at mcneil.com
Received: from mail.mcneil.com ([127.0.0.1])
	by localhost (mcneil.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id dVyCnOoCQvCG for <current@freebsd.org>;
	Fri, 23 Nov 2007 08:49:09 -0800 (PST)
Received: from [10.10.10.246] (mini.mcneil.com [10.10.10.246])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.mcneil.com (Postfix) with ESMTP id E4191F185E
	for <current@freebsd.org>; Fri, 23 Nov 2007 08:49:08 -0800 (PST)
Message-ID: <47470463.1010608@mcneil.com>
Date: Fri, 23 Nov 2007 08:48:35 -0800
From: Sean McNeil <sean@mcneil.com>
Organization: Sean McNeil Consulting, Inc
User-Agent: Thunderbird 2.0.0.9 (Windows/20071031)
MIME-Version: 1.0
To: current@freebsd.org
Content-Type: multipart/mixed; boundary="------------060001030805060506050600"
X-Mailman-Approved-At: Fri, 23 Nov 2007 16:56:17 +0000
Cc: 
Subject: GSSAPI broken
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Nov 2007 16:49:16 -0000

This is a multi-part message in MIME format.
--------------060001030805060506050600
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit


The moderator rejected my previous attempt to report this as I stated 
7-STABLE. I assumed that since there is a STABLE cvsup tag this was 
appropriate, but the moderator found it confusing as there is no 
official stable for 7 yet. Instead, I should have stated 7-BETA3.

I am resending as this is very important. Without a fix, secure LDAP 
support is broken as well as other potential SASL2 uses.

I have updated my system to

FreeBSD triton.mcneil.com 7.0-BETA3 FreeBSD 7.0-BETA3 #225: Thu Nov 22 
12:43:12 PST 2007     
root@triton.mcneil.com:/usr/obj/usr/src/sys/TRITON  amd64

I used the supfile setting of

*default release=cvs tag=RELENG_7

I have found 2 problems related to GSSAPI support:

1) /etc/gss/mech has the wrong version number for libgssapi_krb5.so. It 
is set to 8 instead of 9.
2) /usr/src/lib/libgssapi/gss_acquire_cred.c causes a segfault because 
it will access off of a null pointer. SASL2 from ports will call 
gss_acquire_cred with the desired_mechs set to GSS_C_NO_OID_SET when 
_gss_mech_oids hasn't been setup yet. This happens in openldap23-server, 
for instance. The following patch prevents the segfault:

--- gss_acquire_cred.c.orig    2005-12-29 06:40:20.000000000 -0800
+++ gss_acquire_cred.c    2007-11-22 18:30:07.000000000 -0800
@@ -59,8 +59,8 @@
      * First make sure that at least one of the requested
      * mechanisms is one that we support.
      */
+    _gss_load_mech();
     if (mechs) {
-        _gss_load_mech();
         for (i = 0; i < mechs->count; i++) {
             int t;
             gss_test_oid_set_member(minor_status,
@@ -74,6 +74,9 @@
             return (GSS_S_BAD_MECH);
         }
     }
+    else
+        mechs = _gss_mech_oids;
+
 
     if (actual_mechs) {
         major_status = gss_create_empty_oid_set(minor_status,
@@ -92,9 +95,6 @@
     cred->gc_usage = cred_usage;
     SLIST_INIT(&cred->gc_mc);
 
-    if (mechs == GSS_C_NO_OID_SET)
-        mechs = _gss_mech_oids;
-
     set.count = 1;
     min_time = GSS_C_INDEFINITE;
     for (i = 0; i < mechs->count; i++) {


--------------060001030805060506050600
Content-Type: text/plain;
 name="gss_acquire_cred.c.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="gss_acquire_cred.c.diff"

--- gss_acquire_cred.c.orig	2005-12-29 06:40:20.000000000 -0800
+++ gss_acquire_cred.c	2007-11-22 18:30:07.000000000 -0800
@@ -59,8 +59,8 @@
 	 * First make sure that at least one of the requested
 	 * mechanisms is one that we support.
 	 */
+	_gss_load_mech();
 	if (mechs) {
-		_gss_load_mech();
 		for (i = 0; i < mechs->count; i++) {
 			int t;
 			gss_test_oid_set_member(minor_status,
@@ -74,6 +74,9 @@
 			return (GSS_S_BAD_MECH);
 		}
 	}
+	else
+		mechs = _gss_mech_oids;
+
 
 	if (actual_mechs) {
 		major_status = gss_create_empty_oid_set(minor_status,
@@ -92,9 +95,6 @@
 	cred->gc_usage = cred_usage;
 	SLIST_INIT(&cred->gc_mc);
 
-	if (mechs == GSS_C_NO_OID_SET)
-		mechs = _gss_mech_oids;
-
 	set.count = 1;
 	min_time = GSS_C_INDEFINITE;
 	for (i = 0; i < mechs->count; i++) {

--------------060001030805060506050600--