[PATCH 0/2] Change from GSS to MIT-KRB5.

Done. Submitted by Marius Bakke.
Details
4 participants
  • Leo Famulari
  • Ludovic Courtès
  • Maxim Cournoyer
  • Marius Bakke
Owner
unassigned
Severity
normal
Marius Bakke wrote on 23 Feb 2019 17:20
(address . guix-patches@gnu.org)
20190223162042.18168-1-mbakke@fastmail.com
The GNU Generic Security Service and friends have been unmaintained for
many years now: <https://www.gnu.org/software/gss/>.

Since these libraries are security-critical, it would be good to switch
to maintained implementations. WDYT?

Marius Bakke (2):
gnu: gsasl: Use the MIT Kerberos implementation instead of GSS.
gnu: curl: Build against MIT Kerberos instead of GSS.

gnu/packages/curl.scm | 10 ++++++----
gnu/packages/gsasl.scm | 4 +++-
2 files changed, 9 insertions(+), 5 deletions(-)

--
2.20.1
Marius Bakke wrote on 23 Feb 2019 17:23
[PATCH 1/2] gnu: gsasl: Use the MIT Kerberos implementation instead of GSS.
(address . 34632@debbugs.gnu.org)
20190223162338.18429-1-mbakke@fastmail.com
* gnu/packages/gsasl.scm (gsasl)[inputs]: Change from GSS to MIT-KRB5.
[arguments]: New field.
---
gnu/packages/gsasl.scm | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/gsasl.scm b/gnu/packages/gsasl.scm
index 127b476ef3..9296f3d80f 100644
--- a/gnu/packages/gsasl.scm
+++ b/gnu/packages/gsasl.scm
@@ -95,9 +95,11 @@ the underlying security implementation.")
                   (("test-lock\\$\\(EXEEXT\\) ") ""))
                 #t))))
    (build-system gnu-build-system)
+   (arguments
+    `(#:configure-flags '("--with-gssapi-impl=mit")))
    (inputs `(("libidn" ,libidn)
              ("libntlm" ,libntlm)
-             ("gss" ,gss)
+             ("mit-krb5" ,mit-krb5)
              ("zlib" ,zlib)))
    (propagated-inputs
     ;; Propagate GnuTLS because libgnutls.la reads `-lnettle', and Nettle is a
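Review bot: The new `("mit-krb5" ,mit-krb5)` input needs `(gnu packages kerberos)` to be imported in gsasl.scm, and this patch (a single hunk, 3 insertions) adds no `#:use-module` line for it, whereas the curl patch does. Please confirm the module is already listed in this file's `define-module` form, otherwise `mit-krb5` is unbound when the package is evaluated. A one-line comment above `#:configure-flags` saying why `--with-gssapi-impl=mit` is selected (the cover letter's point that GSS is unmaintained) would also help whoever revisits this choice.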
-- 
2.20.1
Marius Bakke wrote on 23 Feb 2019 17:23
[PATCH core-updates 2/2] gnu: curl: Build against MIT Kerberos instead of GSS.
(address . 34632@debbugs.gnu.org)
20190223162338.18429-2-mbakke@fastmail.com
* gnu/packages/curl.scm (curl)[inputs]: Change from GSS to MIT-KRB5.
[arguments]: Adjust accordingly.
---
gnu/packages/curl.scm | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index b1b2b999a2..88abc6aabd 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -37,8 +37,8 @@
   #:use-module (gnu packages compression)
   #:use-module (gnu packages golang)
   #:use-module (gnu packages groff)
-  #:use-module (gnu packages gsasl)
   #:use-module (gnu packages guile)
+  #:use-module (gnu packages kerberos)
   #:use-module (gnu packages libidn)
   #:use-module (gnu packages openldap)
   #:use-module (gnu packages perl)
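Review bot: Dropping `#:use-module (gnu packages gsasl)` is only safe if `gss` was the sole binding curl.scm took from that module, and this hunk cannot show that. Please check the rest of the file for other references to packages defined in gsasl.scm before removing the import, since a leftover reference would surface as an unbound-variable error.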
@@ -63,10 +63,10 @@
    (outputs '("out"
               "doc"))                             ;1.2 MiB of man3 pages
    (inputs `(("gnutls" ,gnutls)
-             ("gss" ,gss)
              ("libidn" ,libidn)
              ("libssh2" ,libssh2)
              ("openldap" ,openldap)
+             ("mit-krb5" ,mit-krb5)
              ("nghttp2" ,nghttp2 "lib")
              ("zlib" ,zlib)))
    (native-inputs
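Review bot: Style point on the `inputs` list: `("mit-krb5" ,mit-krb5)` is inserted between `openldap` and `nghttp2`, while the removed `gss` entry sat in its alphabetical position. Placing the new entry after `libssh2` would follow the alphabetical order the list mostly keeps. The label string `"mit-krb5"` is also what the configure-flags hunk looks up by name, so the two must stay identical.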
@@ -85,8 +85,10 @@
            (separator #f)                         ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (arguments
-    `(#:configure-flags '("--with-gnutls" "--with-gssapi"
-                          "--disable-static")
+    `(#:configure-flags (list "--with-gnutls"
+                              (string-append "--with-gssapi="
+                                             (assoc-ref %build-inputs "mit-krb5"))
+                              "--disable-static")
       ;; Add a phase to patch '/bin/sh' occurances in tests/runtests.pl
       #:phases
       (modify-phases %standard-phases
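Review bot: `(assoc-ref %build-inputs "mit-krb5")` in the new `#:configure-flags` returns `#f` if the input label is ever renamed, and `string-append` then fails with a type error instead of a message naming the missing input. The lookup depends on the exact label used in the `inputs` hunk, so a short comment here tying the two together would help. The comment should also say why an explicit prefix is passed to `--with-gssapi=` now, when the bare `--with-gssapi` was used for GSS.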
-- 
2.20.1
Leo Famulari wrote on 26 Feb 2019 05:58
Re: [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5.
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 34632@debbugs.gnu.org)
20190226045813.GA29580@jasmine.lan
On Sat, Feb 23, 2019 at 05:20:42PM +0100, Marius Bakke wrote:
> The GNU Generic Security Service and friends have been unmaintained for
> many years now: <https://www.gnu.org/software/gss/>.
>
> Since these libraries are security-critical, it would be good to switch
> to maintained implementations. WDYT?

I think it's the right choice.
Ludovic Courtès wrote on 15 Mar 2019 23:14
(name . Leo Famulari)(address . leo@famulari.name)
87tvg323ak.fsf@gnu.org
Hello,

Leo Famulari <leo@famulari.name> skribis:

> On Sat, Feb 23, 2019 at 05:20:42PM +0100, Marius Bakke wrote:
>> The GNU Generic Security Service and friends have been unmaintained for
>> many years now: <https://www.gnu.org/software/gss/>.
>>
>> Since these libraries are security-critical, it would be good to switch
>> to maintained implementations. WDYT?
>
> I think it's the right choice.

Yeah, it’s a bit sad IMO, but so be it.

Note that “guix refresh -l gss” says 4K packages depend on it,
not sure why.

Thanks,
Ludo’.
Maxim Cournoyer wrote on 16 Mar 2019 04:43
(address . mbakke@fastmail.com)
87o96bqyap.fsf@gmail.com
Hello!

On Sat, Feb 23, 2019 at 05:20:42PM +0100, Marius Bakke wrote:
> The GNU Generic Security Service and friends have been unmaintained for
> many years now: <https://www.gnu.org/software/gss/>.
>
> Since these libraries are security-critical, it would be good to switch
> to maintained implementations. WDYT?

Unmaintained on what ground? The website doesn't list fresh news,
but the latest release was made in 2014 [1], and the maintainer has made
changes to the Debian package last time in 2017 [2]. I wouldn't say it's
unmaintained until the maintainer says so or CVEs pile up unfixed (which
there aren't).

So, my position would be to not do anything, as there doesn't seem to be
an issue.

Maxim

[1] ftp://ftp.gnu.org/gnu/gss/
Leo Famulari wrote on 17 Mar 2019 19:27
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)
20190317182705.GD1410@jasmine.lan
On Fri, Mar 15, 2019 at 11:43:26PM -0400, Maxim Cournoyer wrote:
> Unmaintained on what ground? The website doesn't list fresh news,
> but the latest release was made in 2014 [1], and the maintainer has made
> changes to the Debian package last time in 2017 [2]. I wouldn't say it's
> unmaintained until the maintainer says so or CVEs pile up unfixed (which
> there aren't).

Considering the rate of vulnerability discovery in MIT Kerberos [0] I
think that, if GSS was being examined to the same degree, we would learn
of many serious bugs. Any significant C codebase of this age will have
such bugs. But unfortunately GSS hasn't received as much scrutiny.

[0]
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=krb5
Maxim Cournoyer wrote on 14 May 2019 05:17
(name . Leo Famulari)(address . leo@famulari.name)
87o9457miq.fsf@gmail.com
Hello,

Leo Famulari <leo@famulari.name> writes:

> On Fri, Mar 15, 2019 at 11:43:26PM -0400, Maxim Cournoyer wrote:
>> Unmaintained on what ground? The website doesn't list fresh news,
>> but the latest release was made in 2014 [1], and the maintainer has made
>> changes to the Debian package last time in 2017 [2]. I wouldn't say it's
>> unmaintained until the maintainer says so or CVEs pile up unfixed (which
>> there aren't).
>
> Considering the rate of vulnerability discovery in MIT Kerberos [0] I
> think that, if GSS was being examined to the same degree, we would learn
> of many serious bugs. Any significant C codebase of this age will have
> such bugs. But unfortunately GSS hasn't received as much scrutiny.
>
> [0]
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=krb5

Just FYI,

I had ping'd the GSS mailing list with this message:
http://lists.gnu.org/archive/html/help-gss/2019-03/msg00001.html, but
there hasn't been a reply (yet).

So it looks like it was a wise decision to make the switch! Sorry for
doubting, eh!

Maxim
Marius Bakke wrote on 14 May 2019 20:15
87v9ycaomv.fsf@fastmail.com
Hi Maxim,

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> Hello,
>
> Leo Famulari <leo@famulari.name> writes:
>
>> On Fri, Mar 15, 2019 at 11:43:26PM -0400, Maxim Cournoyer wrote:
>>> Unmaintained on what ground? The website doesn't list fresh news,
>>> but the latest release was made in 2014 [1], and the maintainer has made
>>> changes to the Debian package last time in 2017 [2]. I wouldn't say it's
>>> unmaintained until the maintainer says so or CVEs pile up unfixed (which
>>> there aren't).
>>
>> Considering the rate of vulnerability discovery in MIT Kerberos [0] I
>> think that, if GSS was being examined to the same degree, we would learn
>> of many serious bugs. Any significant C codebase of this age will have
>> such bugs. But unfortunately GSS hasn't received as much scrutiny.
>>
>> [0]
>> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=krb5
>
> Just FYI,
>
> I had ping'd the GSS mailing list with this message:
> http://lists.gnu.org/archive/html/help-gss/2019-03/msg00001.html, but
> there hasn't been a reply (yet).
>
> So it looks like it was a wise decision to make the switch! Sorry for
> doubting, eh!

Thank you very much for checking with upstream :-)

I was on the fence about this switch myself, and submitted this patch
hoping for feedback along these lines.

It would be great to get Shishi and GSS into Google's OSS-Fuzz and
similar so that we can be more confident in the implementation.

For now I've pushed these patches in 996186b..828d376.
Closed
Maxim Cournoyer wrote on 16 May 2019 01:06
(name . Marius Bakke)(address . mbakke@fastmail.com)
8736lftj08.fsf@gmail.com
Hello Marius,

Marius Bakke <mbakke@fastmail.com> writes:

[...]

>>> Considering the rate of vulnerability discovery in MIT Kerberos [0] I
>>> think that, if GSS was being examined to the same degree, we would learn
>>> of many serious bugs. Any significant C codebase of this age will have
>>> such bugs. But unfortunately GSS hasn't received as much scrutiny.
>>>
>>> [0]
>>> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=krb5
>>
>> Just FYI,
>>
>> I had ping'd the GSS mailing list with this message:
>> http://lists.gnu.org/archive/html/help-gss/2019-03/msg00001.html, but
>> there hasn't been a reply (yet).
>>
>> So it looks like it was a wise decision to make the switch! Sorry for
>> doubting, eh!
>
> Thank you very much for checking with upstream :-)
>
> I was on the fence about this switch myself, and submitted this patch
> hoping for feedback along these lines.
>
> It would be great to get Shishi and GSS into Google's OSS-Fuzz and
> similar so that we can be more confident in the implementation.

Would it be possible to add a fuzz phase to our GNU build system? If
it's not too expensive to run, it could be a security enhancer for the
Guix System! AFL (which is one of the two fuzzers used by Google's
OSS-fuzz service, and which we already have in Guix).

Food for thought!

> For now I've pushed these patches in 996186b..828d376.

Thank you,

Maxim
Closed

This issue is archived.

To comment on this conversation send email to 34632@debbugs.gnu.org