Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> Hello,
>
> I'd like to inquire about the development status of GSS? Has it left the
> beta status? Are bugs still being fixed? Is there any known or presumed
> security issues when using GSS rather than its more mainstream
> implementation in MIT Kerberos?
>
> I'm asking because the GNU Guix project is considering a switch from GNU
> GSS to MIT krb5 for security reasons [0], given that no new releases have
> been made since 2014.
>
> Thank you,
>
> Maxim Cournoyer
>
> [0]  http://issues.guix.info/issue/34632

Hi Maxim,

Sorry for the slow response, which may in part be an answer to your
question.  However I have just released GNU GSS version 1.0.4 to refresh
the project, and have setup CI/CD checking of it to pave the road for
future improvements.  To my knowledge there are only two major missing
features:

  1) Missing gss_wrap() AES functionality.  This prevents SASL GSS-API
     to complete on modern machines.  Shishi supports AES and GSSLib
     supports it for GSS_Init_sec_context etc but not GSS_wrap.

  2) Shishi doesn't use the same ccache/keytab files as MIT Kerberos and
     Heimdal.

I hope to complete 1) in the future.  For 2), fixing it would be a GNU
Shishi feature that should be simple to resolve -- it ships with tools
ccache2shishi and keytab2shishi to convert the files, but that should be
done automatically internally by the library instead.

Indeed getting these enrolled in the OSS Fuzz project would be a great
contribution.  My primary goal is to do a new release of GNU Shishi and
improve the CI/CD integration checks to have good confidence in future
changes.

Regarding what 'gsasl' and 'curl' should be linked against in GNU Guix,
I believe it would be much nicer if you would use the 'Libgssglue'
package instead!  Then the user can change GSS-API library at run-time.
Read about this work here:

https://blog.josefsson.org/2022/07/14/towards-pluggable-gss-api-modules/

/Simon