From mboxrd@z Thu Jan 1 00:00:00 1970
From: Simon Josefsson via Discussion list for GNU Generic Security Service
Reply-to: Simon Josefsson
To: Maxim Cournoyer
Cc: 34632@debbugs.gnu.org, help-gss@gnu.org
Subject: [bug#34632] GSS development status
Date: Sat, 06 Aug 2022 16:02:31 +0200
Message-ID: <87r11ttqq0.fsf@latte.josefsson.org>
In-Reply-To: <87o968i9gh.fsf@gmail.com> (Maxim Cournoyer's message of "Mon, 18 Mar 2019 09:43:58 -0400")
References: <87o968i9gh.fsf@gmail.com>

Maxim Cournoyer writes:

> Hello,
>
> I'd like to inquire about the development status of GSS? Has it left the
> beta status? Are bugs still being fixed? Are there any known or presumed
> security issues when using GSS rather than its more mainstream
> implementation in MIT Kerberos?
>
> I'm asking because the GNU Guix project is considering a switch from GNU
> GSS to MIT krb5 for security reasons [0], given that no new releases have
> been made since 2014.
>
> Thank you,
>
> Maxim Cournoyer
>
> [0] http://issues.guix.info/issue/34632

Hi Maxim,

Sorry for the slow response, which may in part be an answer to your
question. However, I have just released GNU GSS version 1.0.4 to refresh
the project, and have set up CI/CD checking of it to pave the road for
future improvements.

To my knowledge there are only two major missing features:

1) Missing gss_wrap() AES functionality. This prevents SASL GSS-API
   from completing on modern machines. Shishi supports AES and GSSLib
   supports it for GSS_Init_sec_context etc but not GSS_wrap.

2) Shishi doesn't use the same ccache/keytab files as MIT Kerberos and
   Heimdal.

I hope to complete 1) in the future. For 2), fixing it would be a GNU
Shishi feature that should be simple to resolve -- it ships with tools
ccache2shishi and keytab2shishi to convert the files, but that should be
done automatically internally by the library instead.

Indeed, getting these enrolled in the OSS Fuzz project would be a great
contribution. My primary goal is to do a new release of GNU Shishi and
improve the CI/CD integration checks to have good confidence in future
changes.

Regarding what 'gsasl' and 'curl' should be linked against in GNU Guix,
I believe it would be much nicer if you would use the 'Libgssglue'
package instead! Then the user can change GSS-API library at run-time.
Read about this work here:

https://blog.josefsson.org/2022/07/14/towards-pluggable-gss-api-modules/

/Simon