* [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5.
From: Marius Bakke @ 2019-02-23 16:20 UTC (permalink / raw)
  To: 34632

The GNU Generic Security Service and friends have been unmaintained for
many years now: <https://www.gnu.org/software/gss/>.

Since these libraries are security-critical, it would be good to switch
to maintained implementations.  WDYT?

Marius Bakke (2):
  gnu: gsasl: Use the MIT Kerberos implementation instead of GSS.
  gnu: curl: Build against MIT Kerberos instead of GSS.

 gnu/packages/curl.scm  | 10 ++++++----
 gnu/packages/gsasl.scm |  4 +++-
 2 files changed, 9 insertions(+), 5 deletions(-)

-- 
2.20.1


* [bug#34632] [PATCH 1/2] gnu: gsasl: Use the MIT Kerberos implementation instead of GSS.
From: Marius Bakke @ 2019-02-23 16:23 UTC (permalink / raw)
  To: 34632

* gnu/packages/gsasl.scm (gsasl)[inputs]: Change from GSS to MIT-KRB5.
[arguments]: New field.
---
 gnu/packages/gsasl.scm | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/gsasl.scm b/gnu/packages/gsasl.scm
index 127b476ef3..9296f3d80f 100644
--- a/gnu/packages/gsasl.scm
+++ b/gnu/packages/gsasl.scm
@@ -95,9 +95,11 @@ the underlying security implementation.")
                   (("test-lock\\$\\(EXEEXT\\) ") ""))
                 #t))))
    (build-system gnu-build-system)
+   (arguments
+    `(#:configure-flags '("--with-gssapi-impl=mit")))
    (inputs `(("libidn" ,libidn)
              ("libntlm" ,libntlm)
-             ("gss" ,gss)
+             ("mit-krb5" ,mit-krb5)
              ("zlib" ,zlib)))
    (propagated-inputs
     ;; Propagate GnuTLS because libgnutls.la reads `-lnettle', and Nettle is a
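Review bot: the new `("mit-krb5" ,mit-krb5)` input references a variable that nothing in this patch imports; the hunk shows no `#:use-module` change, so this only loads if gsasl.scm already uses the module that defines `mit-krb5` (the curl patch in this series adds `#:use-module (gnu packages kerberos)` for exactly this reason). Please confirm that, and mention it in the commit message if an import was needed. On `#:configure-flags '("--with-gssapi-impl=mit")`: this selects which GSS-API implementation gsasl's configure links against, so a check of the build log (or of the linked libraries of the resulting libgsasl) that nothing still refers to the old `gss` library would confirm the flag took effect rather than configure silently falling back to a default.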
-- 
2.20.1


* [bug#34632] [PATCH core-updates 2/2] gnu: curl: Build against MIT Kerberos instead of GSS.
From: Marius Bakke @ 2019-02-23 16:23 UTC (permalink / raw)
  To: 34632

* gnu/packages/curl.scm (curl)[inputs]: Change from GSS to MIT-KRB5.
[arguments]: Adjust accordingly.
---
 gnu/packages/curl.scm | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index b1b2b999a2..88abc6aabd 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -37,8 +37,8 @@
   #:use-module (gnu packages compression)
   #:use-module (gnu packages golang)
   #:use-module (gnu packages groff)
-  #:use-module (gnu packages gsasl)
   #:use-module (gnu packages guile)
+  #:use-module (gnu packages kerberos)
   #:use-module (gnu packages libidn)
   #:use-module (gnu packages openldap)
   #:use-module (gnu packages perl)
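Review bot: dropping `#:use-module (gnu packages gsasl)` is only safe if `gss` was the sole binding curl.scm took from that module; the inputs hunk below removes `gss`, but nothing in the diff shows whether other identifiers from that module remain in the file. A grep of curl.scm for anything else exported by (gnu packages gsasl) before pushing would rule out an unbound-variable error when the module is loaded. The added `(gnu packages kerberos)` line keeps the alphabetical order of the surrounding imports, which matches the file's convention.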
@@ -63,10 +63,10 @@
    (outputs '("out"
               "doc"))                             ;1.2 MiB of man3 pages
    (inputs `(("gnutls" ,gnutls)
-             ("gss" ,gss)
              ("libidn" ,libidn)
              ("libssh2" ,libssh2)
              ("openldap" ,openldap)
+             ("mit-krb5" ,mit-krb5)
              ("nghttp2" ,nghttp2 "lib")
              ("zlib" ,zlib)))
    (native-inputs
@@ -85,8 +85,10 @@
            (separator #f)                         ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (arguments
-    `(#:configure-flags '("--with-gnutls" "--with-gssapi"
-                          "--disable-static")
+    `(#:configure-flags (list "--with-gnutls"
+                              (string-append "--with-gssapi="
+                                             (assoc-ref %build-inputs "mit-krb5"))
+                              "--disable-static")
       ;; Add a phase to patch '/bin/sh' occurances in tests/runtests.pl
       #:phases
       (modify-phases %standard-phases
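Review bot: `(string-append "--with-gssapi=" (assoc-ref %build-inputs "mit-krb5"))` hard-wires the input label `"mit-krb5"` from the inputs hunk above; if that label is ever renamed, `assoc-ref` returns `#f` and `string-append` raises at build time. That failure is loud enough to notice, but a short comment beside the flag saying the label must match the input would save the next editor a round-trip. The move from a bare `--with-gssapi` to an explicit prefix is the right call once GSS is gone: the bare flag links against whichever GSS-API implementation configure finds first, while the explicit path pins the build to the MIT input. Unrelated nit on the context line: the comment says "occurances"; "occurrences" could be fixed in a follow-up.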
-- 
2.20.1


* [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5.
From: Leo Famulari @ 2019-02-26  4:58 UTC (permalink / raw)
  To: Marius Bakke; +Cc: 34632


On Sat, Feb 23, 2019 at 05:20:42PM +0100, Marius Bakke wrote:
> The GNU Generic Security Service and friends have been unmaintained for
> many years now: <https://www.gnu.org/software/gss/>.
> 
> Since these libraries are security-critical, it would be good to switch
> to maintained implementations.  WDYT?

I think it's the right choice.



* [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5.
From: Ludovic Courtès @ 2019-03-15 22:14 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 34632

Hello,

Leo Famulari <leo@famulari.name> skribis:

> On Sat, Feb 23, 2019 at 05:20:42PM +0100, Marius Bakke wrote:
>> The GNU Generic Security Service and friends have been unmaintained for
>> many years now: <https://www.gnu.org/software/gss/>.
>> 
>> Since these libraries are security-critical, it would be good to switch
>> to maintained implementations.  WDYT?
>
> I think it's the right choice.

Yeah, it’s a bit sad IMO, but so be it.

Note that “guix refresh -l gss” says 4K packages depend on it,
not sure why.

Thanks,
Ludo’.


* [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5.
From: Maxim Cournoyer @ 2019-03-16  3:43 UTC (permalink / raw)
  To: mbakke; +Cc: 34632

Hello!

On Sat, Feb 23, 2019 at 05:20:42PM +0100, Marius Bakke wrote:
> The GNU Generic Security Service and friends have been unmaintained for
> many years now: <https://www.gnu.org/software/gss/>.
>
> Since these libraries are security-critical, it would be good to switch
> to maintained implementations.  WDYT?

Unmaintained on what ground? The website doesn't list fresh news,
but the latest release was made in 2014 [1], and the maintainer last
made changes to the Debian package in 2017 [2]. I wouldn't say it's
unmaintained until the maintainer says so or CVEs pile up unfixed (which
there aren't).

So, my position would be to not do anything, as there doesn't seem to be
an issue.

Maxim

[1]  ftp://ftp.gnu.org/gnu/gss/
[2]  https://sources.debian.org/src/gss/1.0.3-3/debian/changelog/


* [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5.
From: Leo Famulari @ 2019-03-17 18:27 UTC (permalink / raw)
  To: Maxim Cournoyer; +Cc: 34632


On Fri, Mar 15, 2019 at 11:43:26PM -0400, Maxim Cournoyer wrote:
> Unmaintained on what ground? The website doesn't list fresh news,
> but the latest release was made in 2014 [1], and the maintainer last
> made changes to the Debian package in 2017 [2]. I wouldn't say it's
> unmaintained until the maintainer says so or CVEs pile up unfixed (which
> there aren't).

Considering the rate of vulnerability discovery in MIT Kerberos [0] I
think that, if GSS was being examined to the same degree, we would learn
of many serious bugs. Any significant C codebase of this age will have
such bugs. But unfortunately GSS hasn't received as much scrutiny.

[0]
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=krb5



* [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5.
From: Maxim Cournoyer @ 2019-05-14  3:17 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 34632

Hello,

Leo Famulari <leo@famulari.name> writes:

> On Fri, Mar 15, 2019 at 11:43:26PM -0400, Maxim Cournoyer wrote:
>> Unmaintained on what ground? The website doesn't list fresh news,
>> but the latest release was made in 2014 [1], and the maintainer last
>> made changes to the Debian package in 2017 [2]. I wouldn't say it's
>> unmaintained until the maintainer says so or CVEs pile up unfixed (which
>> there aren't).
>
> Considering the rate of vulnerability discovery in MIT Kerberos [0] I
> think that, if GSS was being examined to the same degree, we would learn
> of many serious bugs. Any significant C codebase of this age will have
> such bugs. But unfortunately GSS hasn't received as much scrutiny.
>
> [0]
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=krb5

Just FYI,

I had pinged the GSS mailing list with this message:
http://lists.gnu.org/archive/html/help-gss/2019-03/msg00001.html, but
there hasn't been a reply (yet).

So it looks like it was a wise decision to make the switch! Sorry for
doubting, eh!

Maxim


* bug#34632: [PATCH 0/2] Change from GSS to MIT-KRB5.
From: Marius Bakke @ 2019-05-14 18:15 UTC (permalink / raw)
  To: Maxim Cournoyer, Leo Famulari; +Cc: 34632-done


Hi Maxim,

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> Hello,
>
> Leo Famulari <leo@famulari.name> writes:
>
>> On Fri, Mar 15, 2019 at 11:43:26PM -0400, Maxim Cournoyer wrote:
>>> Unmaintained on what ground? The website doesn't list fresh news,
>>> but the latest release was made in 2014 [1], and the maintainer last
>>> made changes to the Debian package in 2017 [2]. I wouldn't say it's
>>> unmaintained until the maintainer says so or CVEs pile up unfixed (which
>>> there aren't).
>>
>> Considering the rate of vulnerability discovery in MIT Kerberos [0] I
>> think that, if GSS was being examined to the same degree, we would learn
>> of many serious bugs. Any significant C codebase of this age will have
>> such bugs. But unfortunately GSS hasn't received as much scrutiny.
>>
>> [0]
>> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=krb5
>
> Just FYI,
>
> I had pinged the GSS mailing list with this message:
> http://lists.gnu.org/archive/html/help-gss/2019-03/msg00001.html, but
> there hasn't been a reply (yet).
>
> So it looks like it was a wise decision to make the switch! Sorry for
> doubting, eh!

Thank you very much for checking with upstream :-)

I was on the fence about this switch myself, and submitted this patch
hoping for feedback along these lines.

It would be great to get Shishi and GSS into Google's OSS-Fuzz and
similar so that we can be more confident in the implementation.

For now I've pushed these patches in 996186b..828d376.



* [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5.
From: Maxim Cournoyer @ 2019-05-15 23:06 UTC (permalink / raw)
  To: Marius Bakke; +Cc: 34632-done

Hello Marius,

Marius Bakke <mbakke@fastmail.com> writes:

[...]

>>> Considering the rate of vulnerability discovery in MIT Kerberos [0] I
>>> think that, if GSS was being examined to the same degree, we would learn
>>> of many serious bugs. Any significant C codebase of this age will have
>>> such bugs. But unfortunately GSS hasn't received as much scrutiny.
>>>
>>> [0]
>>> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=krb5
>>
>> Just FYI,
>>
>> I had pinged the GSS mailing list with this message:
>> http://lists.gnu.org/archive/html/help-gss/2019-03/msg00001.html, but
>> there hasn't been a reply (yet).
>>
>> So it looks like it was a wise decision to make the switch! Sorry for
>> doubting, eh!
>
> Thank you very much for checking with upstream :-)
>
> I was on the fence about this switch myself, and submitted this patch
> hoping for feedback along these lines.
>
> It would be great to get Shishi and GSS into Google's OSS-Fuzz and
> similar so that we can be more confident in the implementation.

Would it be possible to add a fuzz phase to our GNU build system? If
it's not too expensive to run, it could be a security enhancer for the
Guix System! AFL is one of the two fuzzers used by Google's OSS-Fuzz
service, and we already have it in Guix.

Food for thought!

> For now I've pushed these patches in 996186b..828d376.

Thank you,

Maxim

