
krb5: backport upstream SPNEGO mechListMIC parsing fix (ticket 9183)#17784

Open
apurvparekh30 wants to merge 2 commits into microsoft:fasttrack/3.0 from apurvparekh30:krb5-spnego-mechlistmic-9183

Conversation

@apurvparekh30 apurvparekh30 commented Jun 23, 2026

Merge Checklist
  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted
  • LICENSE-MAP files are up-to-date
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

https://microsoft.visualstudio.com/OS/_workitems/edit/62817258
Azure Linux 3.0 ships krb5 1.21.3-4, whose get_negTokenResp() parses the SPNEGO mechListMIC field with the wrong ASN.1 context tag — [4] (0xA4) instead of the correct [3] (0xA3). Per RFC 4178 NegTokenResp, mechListMIC is [3] (and get_negTokenInit() already uses [3] correctly). The bug was introduced upstream by commit fdceb225.

As a result the acceptor/initiator fails to read the mechListMIC in a negTokenResp, breaking SPNEGO MIC verification on that path. This is observable when authenticating NTLM-over-SPNEGO to Windows hosts (e.g. PowerShell/WinRM remoting from an Azure Linux container via gss-ntlmssp), where the MIC exchange is required.

This PR backports the upstream fix krb5 commit 942c503 (ticket 9183, target_version: 1.21-next), which corrects the tag and restores the t_spnego.c reselection regression test.

Change Log
  • Add SPECS/krb5/krb5-fix-SPNEGO-mechListMIC-parsing.patch (full upstream commit 942c503, code fix + regression test).
  • krb5.spec: add Patch3, bump Release 4 → 5, add %changelog entry.
  • Update toolchain_{x86_64,aarch64}.txt and pkggen_core_{x86_64,aarch64}.txt manifests to the new 1.21.3-5 RPM filenames (krb5 is a toolchain package).
  • No Source files changed, so krb5.signatures.json is unchanged.
Does this affect the toolchain?

YES — krb5 is a toolchain package. No source/dependency changes, but its Release bump (4 → 5) requires the toolchain and pkggen_core package manifests (x86_64 + aarch64) to be updated to the new RPM filenames, which this PR does.

Associated issues
Test Methodology
  • Full upstream patch applies cleanly to the 1.21.3 source tree (%autosetup -p1); the restored t_spnego.c reselection test runs under %check (make check).
  • Fix validated end-to-end in a live Azure Linux 3.0 container: with krb5 carrying this fix, SPNEGO/NTLM PowerShell remoting to a Windows SCVMM/VMM host completes successfully.
  • Pipeline build id: to be filled from the GitHub PR check run
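To make the tag mix-up in the summary above (and in the commit message) concrete, here is an added example in C. It is not krb5's code and not part of this PR: a hypothetical minimal DER walker over a constructed negTokenResp, with one lookup that expects mechListMIC under the wrong [4] context tag, as the 1.21.3 get_negTokenResp() did, and one that uses RFC 4178's [3]. The token bytes, the function names and the four-byte placeholder MIC are all constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal DER TLV reader (short-form lengths only, which is all the
 * constructed sample below uses). Returns 0 on success, -1 if malformed. */
static int der_read_tlv(const uint8_t *buf, size_t len, uint8_t *tag,
                        const uint8_t **val, size_t *vlen, size_t *consumed)
{
    if (len < 2 || (buf[1] & 0x80) || (size_t)buf[1] + 2 > len)
        return -1;        /* truncated, long-form length, or length overrun */
    *tag = buf[0];
    *val = buf + 2;
    *vlen = buf[1];
    *consumed = 2 + (size_t)buf[1];
    return 0;
}

/* Walk the fields of a [1] NegTokenResp and return the OCTET STRING held in
 * the field tagged mic_tag. Returns 0 if found, 1 if absent, -1 if malformed.
 * Unknown fields are skipped, so looking for the wrong tag yields "absent"
 * rather than a parse error: the peer's MIC is silently dropped. */
static int find_mechlistmic(const uint8_t *token, size_t len, uint8_t mic_tag,
                            const uint8_t **mic, size_t *miclen)
{
    uint8_t tag, itag;
    const uint8_t *body, *seq, *val, *ival;
    size_t bodylen, seqlen, vlen, ilen, used;

    if (der_read_tlv(token, len, &tag, &body, &bodylen, &used) || tag != 0xA1)
        return -1;                          /* [1] CHOICE wrapper */
    if (der_read_tlv(body, bodylen, &tag, &seq, &seqlen, &used) || tag != 0x30)
        return -1;                          /* SEQUENCE */

    while (seqlen > 0) {
        if (der_read_tlv(seq, seqlen, &tag, &val, &vlen, &used))
            return -1;
        if (tag == mic_tag) {
            /* the context tag wraps an OCTET STRING (0x04) */
            if (der_read_tlv(val, vlen, &itag, &ival, &ilen, &used) || itag != 0x04)
                return -1;
            *mic = ival;
            *miclen = ilen;
            return 0;
        }
        seq += used;
        seqlen -= used;
    }
    return 1;
}

/* Behaviour of krb5 1.21.3 get_negTokenResp(): looks for mechListMIC under
 * context tag [4] (0xA4). Hypothetical name, constructed for this example. */
int get_mechlistmic_buggy(const uint8_t *t, size_t n,
                          const uint8_t **mic, size_t *miclen)
{
    return find_mechlistmic(t, n, 0xA4, mic, miclen);
}

/* After the backported fix: mechListMIC is [3] (0xA3), as RFC 4178 defines. */
int get_mechlistmic_fixed(const uint8_t *t, size_t n,
                          const uint8_t **mic, size_t *miclen)
{
    return find_mechlistmic(t, n, 0xA3, mic, miclen);
}

/* Constructed sample: a negTokenResp carrying negState accept-completed and a
 * 4-byte mechListMIC (placeholder bytes, not a real MIC). */
const uint8_t sample_negtokenresp[] = {
    0xA1, 0x0F,                                        /* [1] NegTokenResp    */
      0x30, 0x0D,                                      /*   SEQUENCE          */
        0xA0, 0x03, 0x0A, 0x01, 0x00,                  /*   [0] negState = 0  */
        0xA3, 0x06, 0x04, 0x04, 0x01, 0x02, 0x03, 0x04 /*   [3] mechListMIC   */
};

/* Length of the MIC that getter extracts from the sample, or -1 if none. */
int sample_mic_len(int (*getter)(const uint8_t *, size_t,
                                 const uint8_t **, size_t *))
{
    const uint8_t *mic;
    size_t miclen;
    if (getter(sample_negtokenresp, sizeof sample_negtokenresp, &mic, &miclen) != 0)
        return -1;
    return (int)miclen;
}

int main(void)
{
    printf("[4] lookup (1.21.3 behaviour): MIC length %d\n",
           sample_mic_len(get_mechlistmic_buggy));
    printf("[3] lookup (RFC 4178, fixed):  MIC length %d\n",
           sample_mic_len(get_mechlistmic_fixed));
    return 0;
}
```

The failure mode is the point to notice: because unknown fields are skipped, the wrong tag does not produce a decoding error but an absent MIC, which matches the description above of the MIC never being read on the negTokenResp path.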

@apurvparekh30 apurvparekh30 requested a review from a team as a code owner June 23, 2026 04:16
@microsoft-github-policy-service microsoft-github-policy-service Bot added labels Packaging, 3.0-dev (PRs Destined for AzureLinux 3.0) Jun 23, 2026
KavyaSree2610 commented Jun 24, 2026


Reproduced the issue without patch: hangs indefinitely [screenshot]
Resolved with the patch: [screenshot]

@KavyaSree2610 KavyaSree2610 left a comment


Looks good to me


@KavyaSree2610 KavyaSree2610 changed the base branch from 3.0-dev to fasttrack/3.0 June 24, 2026 17:00
@KavyaSree2610 KavyaSree2610 requested a review from a team as a code owner June 24, 2026 17:00
@microsoft-github-policy-service microsoft-github-policy-service Bot added labels specs-extended (PR to fix SPECS-EXTENDED), documentation (Improvements or additions to documentation), Tools, fasttrack/3.0 (PRs Destined for Azure Linux 3.0) Jun 24, 2026
Apurv Parekh and others added 2 commits June 24, 2026 17:10
Azure Linux 3.0 ships krb5 1.21.3, whose get_negTokenResp() looks for the
SPNEGO mechListMIC field with ASN.1 context tag [4] (0xA4) instead of the
correct [3] (0xA3). This was introduced upstream by commit fdceb225 and
breaks SPNEGO MIC verification on the negTokenResp path (notably NTLM-over-
SPNEGO authentication to Windows hosts).

Backport upstream fix krb5 commit 942c503 (ticket 9183), which corrects the
tag and restores the t_spnego.c reselection regression test. Bump release
4 -> 5.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

krb5 is a toolchain package, so bumping its Release requires updating the
x86_64 and aarch64 toolchain and pkggen_core manifests to reference the
new -5 RPM filenames.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@apurvparekh30 apurvparekh30 force-pushed the krb5-spnego-mechlistmic-9183 branch from 04df8dc to 56007b6 June 24, 2026 17:11

@KavyaSree2610 KavyaSree2610 left a comment


Buddy build: https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1145800&view=results
The changes look good to me except for the circular dependency check, which is failing (but it is expected to fail since it's trying to download a package version which is not yet available on pmc).

Comment thread SPECS/krb5/krb5.spec

%changelog
* Tue Jun 23 2026 Apurv Parekh <apurvparekh@microsoft.com> - 1.21.3-5
- Backport upstream fix for SPNEGO mechListMIC parsing (krb5 commit 942c503, ticket 9183)

@Kanishk-Bansal Kanishk-Bansal Jun 24, 2026


Suggested change
- Backport upstream fix for SPNEGO mechListMIC parsing (krb5 commit 942c503, ticket 9183)
- Backport upstream fix for SPNEGO mechListMIC parsing (krb5 commit 942c503, ticket 9183)
