The moderator rejected my previous attempt to report this as I stated 7-STABLE. I assumed that since there is a STABLE cvsup tag this was appropriate, but the moderator found it confusing as there is no official stable for 7 yet. Instead, I should have stated 7-BETA3. I am resending as this is very important. Without a fix, secure LDAP support is broken as well as other potential SASL2 uses.

I have updated my system to

FreeBSD triton.mcneil.com 7.0-BETA3 FreeBSD 7.0-BETA3 #225: Thu Nov 22 12:43:12 PST 2007 root@triton.mcneil.com:/usr/obj/usr/src/sys/TRITON amd64

I used the supfile setting of

*default release=cvs tag=RELENG_7

I have found 2 problems related to GSSAPI support:

1) /etc/gss/mech has the wrong version number for libgssapi_krb5.so. It is set to 8 instead of 9.

2) /usr/src/lib/libgssapi/gss_acquire_cred.c causes a segfault because it will access off of a null pointer. SASL2 from ports will call gss_acquire_cred with the desired_mechs set to GSS_C_NO_OID_SET when _gss_mech_oids hasn't been set up yet. This happens in openldap23-server, for instance.

The following patch prevents the segfault:

--- gss_acquire_cred.c.orig 2005-12-29 06:40:20.000000000 -0800 +++ gss_acquire_cred.c 2007-11-22 18:30:07.000000000 -0800 _at__at_ -59,8 +59,8 _at__at_ * First make sure that at least one of the requested * mechanisms is one that we support. 
*/ + _gss_load_mech(); if (mechs) { - _gss_load_mech(); for (i = 0; i < mechs->count; i++) { int t; gss_test_oid_set_member(minor_status, _at__at_ -74,6 +74,9 _at__at_ return (GSS_S_BAD_MECH); } } + else + mechs = _gss_mech_oids; + if (actual_mechs) { major_status = gss_create_empty_oid_set(minor_status, _at__at_ -92,9 +95,6 _at__at_ cred->gc_usage = cred_usage; SLIST_INIT(&cred->gc_mc); - if (mechs == GSS_C_NO_OID_SET) - mechs = _gss_mech_oids; - set.count = 1; min_time = GSS_C_INDEFINITE; for (i = 0; i < mechs->count; i++) {

Received on Fri Nov 23 2007 - 15:49:16 UTC
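Review bot: In the first hunk (_at__at_ -59,8 +59,8), moving `_gss_load_mech();` above `if (mechs)` is the part of this patch that actually cures the crash: with the call inside the `if`, a caller passing GSS_C_NO_OID_SET never triggered the load, so the later `mechs = _gss_mech_oids` fallback copied a still-unset pointer and `mechs->count` dereferenced it. This relies on `_gss_load_mech()` being safe to call on every invocation, which it already had to be since every call that supplied a set invoked it. One style point: the comment `* First make sure that at least one of the requested * mechanisms is one that we support.` now sits above the load call rather than above the check it describes; consider keeping the comment directly above `if (mechs) {`.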
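Review bot: In the second hunk (_at__at_ -74,6 +74,9), the new `+ else + mechs = _gss_mech_oids;` never checks that the fallback is non-NULL or non-empty. Nothing visible here rules out `_gss_load_mech()` leaving `_gss_mech_oids` unset (for instance when /etc/gss/mech cannot be read, a misconfiguration in the same file that problem 1 of this report concerns), and in that case the `for (i = 0; i < mechs->count; i++)` loop in the last hunk dereferences NULL exactly as before the patch. Suggest `else if ((mechs = _gss_mech_oids) == NULL || mechs->count == 0) return (GSS_S_BAD_MECH);`, which reuses the error return this region already has for an unsupported request, so a missing default list is reported rather than faulting.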
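Review bot: In the third hunk (_at__at_ -92,9 +95,6), removing `- if (mechs == GSS_C_NO_OID_SET) - mechs = _gss_mech_oids;` is correct only because the `else` added in the previous hunk covers the same case, and the two tests agree only because GSS_C_NO_OID_SET is a null pointer, making `if (mechs)` and `mechs == GSS_C_NO_OID_SET` complementary. A one-line comment on the new `else`, or writing the earlier test as `if (mechs != GSS_C_NO_OID_SET)` explicitly, would stop a later reader from assuming the fallback was lost in this hunk. The remaining lines here (`set.count = 1;`, `min_time = GSS_C_INDEFINITE;`, the loop header) are unchanged context.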
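To make the ordering problem in the report concrete, here is an added example in C that is not the FreeBSD libgssapi source and not the reporter's patch. It models the default-mechanism fallback in gss_acquire_cred with simplified stand-ins that are assumptions of this example: `oid_set` for `gss_OID_set`, `load_mech()` for `_gss_load_mech()`, `mech_oids` for `_gss_mech_oids`, and a constructed two-entry mechanism table in place of /etc/gss/mech. `acquire_cred_before` follows the pre-patch ordering, where a caller passing no OID set never triggers the load and the fallback copies a NULL pointer; `acquire_cred_after` loads first, as the patch does, and goes one step beyond it by refusing an unloaded or empty default list instead of dereferencing it.

```c
/* Added example, not the FreeBSD libgssapi code: a model of the
 * "use the default mechanism list when the caller passes no OID set"
 * logic in gss_acquire_cred, with simplified stand-in names. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    size_t count;
    const char **elements;          /* mechanism names stand in for OIDs */
} oid_set;

#define NO_OID_SET    ((oid_set *)0) /* like GSS_C_NO_OID_SET: a null pointer */
#define S_COMPLETE    0              /* like GSS_S_COMPLETE */
#define S_BAD_MECH    1              /* like GSS_S_BAD_MECH */
#define S_WOULD_CRASH (-1)           /* models the NULL dereference at mechs->count */

/* Constructed mechanism table: what a readable /etc/gss/mech would provide. */
static const char *table[] = { "krb5", "spnego" };
static oid_set table_set = { 2, table };

/* Lazily populated default list, like _gss_mech_oids. */
static oid_set *mech_oids = NULL;

void reset_mech_table(void) { mech_oids = NULL; }

/* Stand-in for _gss_load_mech(): idempotent; file_ok simulates whether the
 * mechanism file could be read. On failure the default list stays NULL. */
static void load_mech(int file_ok)
{
    if (mech_oids != NULL)
        return;
    if (file_ok)
        mech_oids = &table_set;
}

/* How many of the requested mechanisms the table supports. */
static size_t count_supported(const oid_set *mechs)
{
    size_t n = 0;
    for (size_t i = 0; i < mechs->count; i++)
        for (size_t j = 0; j < table_set.count; j++)
            if (strcmp(mechs->elements[i], table_set.elements[j]) == 0)
                n++;
    return n;
}

/* Pre-patch ordering: the table is loaded only when the caller supplied a
 * set, so a NO_OID_SET caller falls back to a still-NULL default list. */
int acquire_cred_before(oid_set *mechs, int file_ok, size_t *acquired)
{
    if (mechs) {
        load_mech(file_ok);
        if (count_supported(mechs) == 0)
            return S_BAD_MECH;
    }
    if (mechs == NO_OID_SET)
        mechs = mech_oids;          /* NULL if load_mech() never ran */
    if (mechs == NULL)
        return S_WOULD_CRASH;       /* real code: segfault at mechs->count */
    if (acquired) *acquired = count_supported(mechs);
    return S_COMPLETE;
}

/* Patched ordering plus an extra guard: load first, then fall back, and
 * refuse (rather than dereference) a default list that never got loaded. */
int acquire_cred_after(oid_set *mechs, int file_ok, size_t *acquired)
{
    load_mech(file_ok);             /* always, before any fallback */
    if (mechs) {
        if (count_supported(mechs) == 0)
            return S_BAD_MECH;
    } else {
        mechs = mech_oids;
        if (mechs == NULL || mechs->count == 0)
            return S_BAD_MECH;      /* unreadable or empty table: error, not fault */
    }
    if (acquired) *acquired = count_supported(mechs);
    return S_COMPLETE;
}

/* Scenario wrappers: each resets the lazy table so the calls are independent. */
int before_no_set(int file_ok) { reset_mech_table(); return acquire_cred_before(NO_OID_SET, file_ok, NULL); }
int after_no_set(int file_ok)  { reset_mech_table(); return acquire_cred_after(NO_OID_SET, file_ok, NULL); }
size_t after_no_set_count(void)
{
    size_t n = 0;
    reset_mech_table();
    acquire_cred_after(NO_OID_SET, 1, &n);
    return n;
}
int after_request(const char *name)
{
    const char *one[] = { name };
    oid_set req = { 1, one };
    reset_mech_table();
    return acquire_cred_after(&req, 1, NULL);
}

int main(void)
{
    printf("before, no set, table readable: %d (-1 = would crash)\n", before_no_set(1));
    printf("after,  no set, table readable: %d with %zu mechs\n", after_no_set(1), after_no_set_count());
    printf("after,  no set, table unreadable: %d (1 = GSS_S_BAD_MECH)\n", after_no_set(0));
    printf("after,  request for ntlm: %d\n", after_request("ntlm"));
    return 0;
}
```

The "before" path shows why the report's scenario (SASL2 passing GSS_C_NO_OID_SET before the mechanism list exists) faulted: the fallback ran, but copied a pointer the skipped load had never set. The "after" path shows that loading unconditionally fixes that, and that a NULL/empty check on the fallback turns the remaining misconfiguration case, an unreadable mechanism file, into GSS_S_BAD_MECH instead of a crash.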