BIND 9 attempts to look up GSSAPI OIDs for the Kerberos 5 and SPNEGO
mechanisms in the relevant header files provided by the Kerberos/GSSAPI
library used. Due to the differences between various Kerberos/GSSAPI
implementations, if any of the expected preprocessor macros
(GSS_KRB5_MECHANISM, GSS_SPNEGO_MECHANISM) is not defined in the header
files provided by the library used, the code in lib/dns/gssapictx.c
defines its own version of each missing macro, so that BIND 9 can
attempt to use the relevant security mechanisms anyway.

Commit 7f08c756aa54d10a71bdf8242479ffeb82e52396, which contains a
partial backport of the changes introduced in commit
978c7b2e89aa37a7ddfe2f6b6ba12ce73dd04528, left a block of code in the
lib/dns/include/dst/gssapi.h header which defines the
GSS_SPNEGO_MECHANISM preprocessor macro to NULL if it is not defined by
any header file provided by the Kerberos/GSSAPI library used. This
causes the gss_add_oid_set_member() call in the mech_oid_set_create()
helper function to always return an error. This in turn causes the
dst_gssapi_acquirecred() function to also always return an error, which
ultimately prevents any named instance whose configuration includes the
"tkey-gssapi-credential" option from starting.

Remove the offending conditional definition of the GSS_SPNEGO_MECHANISM
preprocessor macro from lib/dns/include/dst/gssapi.h, so that a proper
GSSAPI OID is assigned to that macro in lib/dns/gssapictx.c when the
Kerberos/GSSAPI library used does not define it.

(cherry picked from commit 648ef3a2b4f8bc7928bf976fcba3b159ac5768e5)
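
The macro shadowing described in this commit message can be reproduced in a single translation unit; the following is an added illustration, not BIND 9 source. The `oid_desc` type, `add_oid_member()` and the two `acquire_*` functions are hypothetical stand-ins for the GSSAPI OID type, gss_add_oid_set_member() and dst_gssapi_acquirecred(), and the stand-in is assumed to reject a NULL OID as the message describes.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the GSSAPI OID descriptor (not the real type). */
typedef struct { size_t length; const void *elements; } oid_desc;

/* Hypothetical stand-in for gss_add_oid_set_member(): a NULL member OID is
 * an error, which is the failure the commit message describes. */
static int add_oid_member(const oid_desc *oid) {
    return (oid == NULL || oid->elements == NULL) ? -1 : 0;
}

/* SPNEGO mechanism OID 1.3.6.1.5.5.2 as DER content bytes. */
static const unsigned char spnego_bytes[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 };
static const oid_desc fallback_spnego = { sizeof(spnego_bytes), spnego_bytes };

/* Build A: the leftover header block runs first and defines the macro. */
#ifndef GSS_SPNEGO_MECHANISM
#define GSS_SPNEGO_MECHANISM NULL               /* leftover in the header */
#endif
/* The fallback in the .c file is now skipped: the macro is "defined". */
#ifndef GSS_SPNEGO_MECHANISM
#define GSS_SPNEGO_MECHANISM (&fallback_spnego)
#endif
int acquire_with_leftover(void) {
    return add_oid_member(GSS_SPNEGO_MECHANISM);
}

/* Build B: leftover removed, so the fallback supplies a real OID. */
#undef GSS_SPNEGO_MECHANISM
#ifndef GSS_SPNEGO_MECHANISM
#define GSS_SPNEGO_MECHANISM (&fallback_spnego)
#endif
int acquire_fixed(void) {
    return add_oid_member(GSS_SPNEGO_MECHANISM);
}

size_t fallback_oid_length(void) { return fallback_spnego.length; }

int main(void) {
    printf("with leftover header define: %d\n", acquire_with_leftover());
    printf("with leftover removed:       %d\n", acquire_fixed());
    return 0;
}
```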