Building fails on MacOS, example fails after fixing build

[edmellum]

The build fails on MacOS after a brew install krb5 as homebrew installs into /usr/local/opt/krb5. After setting DYLD_FALLBACK_LIBRARY_PATH to /usr/local/opt/krb5 (which homebrew doesn't automatically recommend) the build still fails as krb5 builds .dylib files instead of .so. If libgssapi_krb5.dylab is renamed to libgssapi_krb5.so the build completes. However running the krb5 example segfaults with a EXC_BAD_ACCESS. Running through lldb it looks like the segfaults comes from libgssapi::oid::OidSet::add.

I don't have much experience binding to C libraries from Rust. Am I doing something crazy here or is something weird happening with the MacOS bindings? 😄

[estokes]

I apologize, this wasn't unexpected since I don't have a mac to test on. I think you've given me enough information to fix it however. If I do that would you be able to test it again?

…

On Wed, Sep 2, 2020 at 1:43 PM David Ed Mellum ***@***.***> wrote: The build fails on MacOS after a brew install krb5 as homebrew installs into /usr/local/opt/krb5. After setting DYLD_FALLBACK_LIBRARY_PATH to /usr/local/opt/krb5 (which homebrew doesn't automatically recommend) the build still fails as krb5 builds .dylib files instead of .so. If libgssapi_krb5.dylab is renamed to libgssapi_krb5.so the build completes. However running the krb5 example segfaults with a EXC_BAD_ACCESS. Running through lldb it looks like the segfaults comes from libgssapi::oid::OidSet::add. I don't have much experience binding to C libraries from Rust. Am I doing something crazy here or is something weird happening with the MacOS bindings? 😄 — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#2>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABWJHLG4KKKCOBCATPOQZX3SDZ73RANCNFSM4QTNKSNA> .

[edmellum]

I can absolutely test it again! 😄

[estokes]

I just committed a fix, and tested that it still builds on linux. Would it be possible for you to check it out from git and see if you can cargo build the libgssapi-sys crate? If that works then I'll release a new version.

…

On Wed, Sep 2, 2020 at 2:36 PM David Ed Mellum ***@***.***> wrote: I can absolutely test it again! 😄 — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#2 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABWJHLGKUBGZAKECWJSPG3LSD2GB7ANCNFSM4QTNKSNA> .

[dwink]

With the update it now finds the shared library, but I had to add a clang_arg to get the include path right:

diff --git a/libgssapi-sys/build.rs b/libgssapi-sys/build.rs
index 682bb69a..123c5524 100644
--- a/libgssapi-sys/build.rs
+++ b/libgssapi-sys/build.rs
@@ -60,6 +60,7 @@ fn main() {
         Gssapi::Heimdal => println!("cargo:rustc-link-lib=gssapi"),
     }
     let bindings = bindgen::Builder::default()
+        .clang_arg("-I/usr/local/opt/krb5/include")
         .whitelist_type("(OM_.+|gss_.+)")
         .whitelist_var("_?GSS_.+|gss_.+")
         .whitelist_function("gss_.*")

[dwink]

With the patched libgssapi-sys, I tried to do a cargo test on libgssapi, but it seems to be missing some symbols:

 = note: Undefined symbols for architecture x86_64:
            "_gss_wrap_iov_length", referenced from:
                libgssapi::context::wrap_iov_length::hc87f1ab1b3d40235 in liblibgssapi-f998edf59828b990.rlib(libgssapi-f998edf59828b990.zltozf8lipibdfn.rcgu.o)
            "_gss_unwrap_iov", referenced from:
                libgssapi::context::unwrap_iov::h2b3f0dd899ab7ad9 in liblibgssapi-f998edf59828b990.rlib(libgssapi-f998edf59828b990.zltozf8lipibdfn.rcgu.o)
            "_gss_wrap_iov", referenced from:
                libgssapi::context::wrap_iov::he487c776420a8018 in liblibgssapi-f998edf59828b990.rlib(libgssapi-f998edf59828b990.zltozf8lipibdfn.rcgu.o)
          ld: symbol(s) not found for architecture x86_64
          clang: error: linker command failed with exit code 1 (use -v to see invocation)

[estokes]

hmm, thats unfortunate. Which kerberos distribution are you building? IIRC both MIT and Heimdal support those extensions. I can make those functions optional features, but ideally I'd like to understand why they're missing, because the standard wrap/unwrap functions are much slower.

…

On Fri, Sep 4, 2020 at 8:59 PM David Harks ***@***.***> wrote: With the patched libgssapi-sys, I tried to do a cargo test, but it seems to be missing some symbols: = note: Undefined symbols for architecture x86_64: "_gss_wrap_iov_length", referenced from: libgssapi::context::wrap_iov_length::hc87f1ab1b3d40235 in liblibgssapi-f998edf59828b990.rlib(libgssapi-f998edf59828b990.zltozf8lipibdfn.rcgu.o) "_gss_unwrap_iov", referenced from: libgssapi::context::unwrap_iov::h2b3f0dd899ab7ad9 in liblibgssapi-f998edf59828b990.rlib(libgssapi-f998edf59828b990.zltozf8lipibdfn.rcgu.o) "_gss_wrap_iov", referenced from: libgssapi::context::wrap_iov::he487c776420a8018 in liblibgssapi-f998edf59828b990.rlib(libgssapi-f998edf59828b990.zltozf8lipibdfn.rcgu.o) ld: symbol(s) not found for architecture x86_64 clang: error: linker command failed with exit code 1 (use -v to see invocation) — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#2 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABWJHLFS4C4MQFH5HYKWXV3SEGEOBANCNFSM4QTNKSNA> .

[dwink]

hmm, thats unfortunate. Which kerberos distribution are you building? IIRC both MIT and Heimdal support those extensions. I can make those functions optional features, but ideally I'd like to understand why they're missing, because the standard wrap/unwrap functions are much slower.

I'm just naively installing krb5 from homebrew, which is a packaged build of MIT Kerberos. I'm going to try to build it from source myself to see if we can make the build expose those symbols.

That said, I also just learned that Apple includes a Heimdal distribution in OSX. I'll experiment with that too.

[edmellum]

Building MIT Kerberos from source helped me run the tests. There's not that many flags in the Homebrew formula, so I'm a little unsure what's causing the problems. I'll try compiling with each of the flags till I get the problem again.

[estokes]

I have a friend with a mac, I'm going to try to get access to it ...

…

On Sat, Sep 5, 2020 at 10:03 AM David Harks ***@***.***> wrote: hmm, thats unfortunate. Which kerberos distribution are you building? IIRC both MIT and Heimdal support those extensions. I can make those functions optional features, but ideally I'd like to understand why they're missing, because the standard wrap/unwrap functions are much slower. I'm just naively installing krb5 from homebrew, which is a packaged build of MIT Kerberos. I'm going to try to build it from source myself to see if we can make the build expose those symbols. That said, I also just learned that Apple includes a Heimdal distribution in OSX. I'll experiment with that too. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#2 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABWJHLECCGVWRD2JCDJQW23SEJALHANCNFSM4QTNKSNA> .

[estokes]

gss_iov_* functions are technically extensions to the gssapi standard, but they have been supported for a very long time by pretty much everything, I guess homebrew somehow convinced MIT's configure script to disable them ...

…

On Sat, Sep 5, 2020 at 10:31 AM David Ed Mellum ***@***.***> wrote: Building MIT Kerberos from source helped me run the tests. There's not that many flags in the Homebrew formula <https://github.com/Homebrew/linuxbrew-core/blob/master/Formula/krb5.rb>, so I'm a little unsure what's causing the problems. I'll try compiling with each of the flags till I get the problem again. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#2 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABWJHLCPDCAXTFISXLVPDPLSEJDT5ANCNFSM4QTNKSNA> .

[edmellum]

I'm probably doing something weird, but I'm not able to reproduce the missing symbols by building from source while trying to do the same thing the Homebrew formula does.

[dwink]

@edmellum interesting -- do you have anything special set in your environment? I haven't been able to avoid the missing symbols, even when building from source. I even made sure that the build was picking up the Homebrew OpenSSL, and yet it still complains.

Doing nm -gU /usr/local/opt/krb5/lib/libgssapi_krb5.dylib | grep "_gss_.*wrap.*iov" gives:

00000000000ffab T _gss_unwrap_iov
00000000000105e1 T _gss_wrap_iov
00000000000106b7 T _gss_wrap_iov_length

...so the symbols are there. Why can't the linker find them?

[dwink]

Aha! This lets me run cargo test:

diff --git a/libgssapi-sys/build.rs b/libgssapi-sys/build.rs
index 682bb69a..5e0fea8d 100644
--- a/libgssapi-sys/build.rs
+++ b/libgssapi-sys/build.rs
@@ -40,7 +40,7 @@ fn which() -> Gssapi {
         "/lib64",
         "/usr/lib",
         "/usr/lib64",
-        "/usr/local/opt/krb5",
+        "/usr/local/opt/krb5/lib",
     ];
     for path in ldpath.split(':').chain(paths) {
         if search_pat(path, mit_pat) {
@@ -56,10 +56,14 @@ fn which() -> Gssapi {
 fn main() {
     let imp = which();
     match imp {
-        Gssapi::Mit => println!("cargo:rustc-link-lib=gssapi_krb5"),
+        Gssapi::Mit => {
+            println!("cargo:rustc-link-lib=gssapi_krb5");
+            println!("cargo:rustc-link-search=/usr/local/opt/krb5/lib");
+        },
         Gssapi::Heimdal => println!("cargo:rustc-link-lib=gssapi"),
     }
     let bindings = bindgen::Builder::default()
+        .clang_arg("-I/usr/local/opt/krb5/include")
         .whitelist_type("(OM_.+|gss_.+)")
         .whitelist_var("_?GSS_.+|gss_.+")
         .whitelist_function("gss_.*")

[dwink]

...now I get the segfault (this is what you saw too, right @edmellum ?)

❯ lldb target/debug/examples/krb5
(lldb) target create "target/debug/examples/krb5"
Current executable set to '/Users/dharks/projects/libgssapi/libgssapi/target/debug/examples/krb5' (x86_64).
(lldb) run
Process 51833 launched: '/Users/dharks/projects/libgssapi/libgssapi/target/debug/examples/krb5' (x86_64)
usage: /Users/dharks/projects/libgssapi/libgssapi/target/debug/examples/krb5: <service@host>
Process 51833 exited with status = 0 (0x00000000)
(lldb) run nfs@localhost
Process 51950 launched: '/Users/dharks/projects/libgssapi/libgssapi/target/debug/examples/krb5' (x86_64)
Process 51950 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
    frame #0: 0x00007fff6eaed9a9 libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 169
libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell:
->  0x7fff6eaed9a9 <+169>: movq   (%rsi), %rcx
    0x7fff6eaed9ac <+172>: movq   (%rsi,%rdx), %r8
    0x7fff6eaed9b0 <+176>: movq   %rcx, (%rdi)
    0x7fff6eaed9b3 <+179>: movq   %r8, (%rdi,%rdx)
Target 0: (krb5) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
  * frame #0: 0x00007fff6eaed9a9 libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 169
    frame #1: 0x00000001001f82ac libgssapi_krb5.2.2.dylib`generic_gss_add_oid_set_member + 224
    frame #2: 0x0000000100203608 libgssapi_krb5.2.2.dylib`gss_add_oid_set_member + 15
    frame #3: 0x0000000100015236 krb5`libgssapi::oid::OidSet::add::hd6c35a7fd1cbf884(self=0x00007ffeefbfef10, id=0x0000000100060540) at oid.rs:333:13
    frame #4: 0x000000010000490c krb5`krb5::run::hd43320aa70b0e1c0(service_name=(data_ptr = "nfs@localhost", length = 13)) at krb5.rs:118:9
    frame #5: 0x0000000100005b22 krb5`krb5::main::hf4e1f8e36fd691db at krb5.rs:147:15
    frame #6: 0x0000000100008e2e krb5`std::rt::lang_start::_$u7b$$u7b$closure$u7d$$u7d$::h96d13f9372e6ff3e at rt.rs:67:34
    frame #7: 0x0000000100039759 krb5`std::rt::lang_start_internal::hf7eb5bf96c0eb063 [inlined] std::rt::lang_start_internal::_$u7b$$u7b$closure$u7d$$u7d$::hc929fc692f6f0cf9 at rt.rs:52:13 [opt]
    frame #8: 0x000000010003974e krb5`std::rt::lang_start_internal::hf7eb5bf96c0eb063 [inlined] std::panicking::try::do_call::hd19aaf48f3a9c904 at panicking.rs:297 [opt]
    frame #9: 0x000000010003974e krb5`std::rt::lang_start_internal::hf7eb5bf96c0eb063 [inlined] std::panicking::try::h32c9e7d0f5011b7f at panicking.rs:274 [opt]
    frame #10: 0x000000010003974e krb5`std::rt::lang_start_internal::hf7eb5bf96c0eb063 [inlined] std::panic::catch_unwind::hfd90c56a25f83b76 at panic.rs:394 [opt]
    frame #11: 0x000000010003974e krb5`std::rt::lang_start_internal::hf7eb5bf96c0eb063 at rt.rs:51 [opt]
    frame #12: 0x0000000100008e11 krb5`std::rt::lang_start::h029fbc2009511973(main=(krb5`krb5::main::hf4e1f8e36fd691db at krb5.rs:142), argc=2, argv=0x00007ffeefbff7c0) at rt.rs:67:5
    frame #13: 0x0000000100005c22 krb5`main + 34
    frame #14: 0x00007fff6e8f7cc9 libdyld.dylib`start + 1

[edmellum]

Yeah that’s one of the segfaults I’ve gotten. Seems like we’re synced up! 😄 Building with debug symbols should give you line numbers for krb5 too.

The other segfaults I’ve gotten might be because of all my experimentation messing stuff up.

[dwink]

I wonder if this is a conflict between the built-in MacOS GSS framework and the Homebrew one at runtime.

EDIT: I take that back. There's no indication it's linking any of the built-in libs. I did try to compile against the built-in framework, which is supposedly Heimdal, but it's missing several definitions -- it might be pretty old.

[estokes]

Ok, I got access to a mac, but no admin access. The built in Heimdal is super old, and it lacks the gss_iov extensions. The segfault could be a couple of things. make sure it's not linking to both libraries, or the wrong one, IIRC 'otool -L' can tell you that on a mac. It's also possible you're linking to the correct library, but you're reading the tickets created by Apple's ancient Heimdal and that's not working. So if possible, kinit with your MIT kerberos install.

I will poke around as much as I can without admin access and try to figure out how to make something work with this mess.

[dwink]

OK, I verified that I'm not multiply linking and that the ticket is generated with the MIT kerberos tools.

One other note -- I have KRB5_TRACE on, and I get the segfault before any tracing output occurs. It looks like maybe the transmute to gss_OID is wrong somehow on this platform...?

❯ otool -L target/debug/examples/krb5
target/debug/examples/krb5:
        /usr/local/opt/krb5/lib/libgssapi_krb5.2.2.dylib (compatibility version 2.0.0, current version 2.2.0)
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1281.100.1)
        /usr/lib/libresolv.9.dylib (compatibility version 1.0.0, current version 1.0.0)

❯ which klist
/usr/local/opt/krb5/bin/klist
❯ klist
Ticket cache: FILE:/tmp/krbcache
Default principal: dharks@HOME.HARKS.US

Valid starting       Expires              Service principal
09/06/2020 09:33:28  09/06/2020 19:33:28  krbtgt/HOME.-----.US@HOME.-----.US
        renew until 09/07/2020 09:33:24
❯ lldb target/debug/examples/krb5
(lldb) target create "target/debug/examples/krb5"
Current executable set to '/Users/dharks/projects/libgssapi/libgssapi/target/debug/examples/krb5' (x86_64).
(lldb) run nfs@hokusai
Process 71042 launched: '/Users/dharks/projects/libgssapi/libgssapi/target/debug/examples/krb5' (x86_64)
Process 71042 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
    frame #0: 0x00007fff6eaed9a9 libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 169
libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell:
->  0x7fff6eaed9a9 <+169>: movq   (%rsi), %rcx
    0x7fff6eaed9ac <+172>: movq   (%rsi,%rdx), %r8
    0x7fff6eaed9b0 <+176>: movq   %rcx, (%rdi)
    0x7fff6eaed9b3 <+179>: movq   %r8, (%rdi,%rdx)
Target 0: (krb5) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
  * frame #0: 0x00007fff6eaed9a9 libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 169
    frame #1: 0x00000001001f82ac libgssapi_krb5.2.2.dylib`generic_gss_add_oid_set_member + 224
    frame #2: 0x0000000100203608 libgssapi_krb5.2.2.dylib`gss_add_oid_set_member + 15
    frame #3: 0x0000000100015236 krb5`libgssapi::oid::OidSet::add::hd6c35a7fd1cbf884(self=0x00007ffeefbfeed0, id=0x0000000100060540) at oid.rs:333:13
    frame #4: 0x000000010000490c krb5`krb5::run::hd43320aa70b0e1c0(service_name=(data_ptr = "nfs@hokusai", length = 11)) at krb5.rs:118:9
    frame #5: 0x0000000100005b22 krb5`krb5::main::hf4e1f8e36fd691db at krb5.rs:147:15
    frame #6: 0x0000000100008e2e krb5`std::rt::lang_start::_$u7b$$u7b$closure$u7d$$u7d$::h96d13f9372e6ff3e at rt.rs:67:34
    frame #7: 0x0000000100039759 krb5`std::rt::lang_start_internal::hf7eb5bf96c0eb063 [inlined] std::rt::lang_start_internal::_$u7b$$u7b$closure$u7d$$u7d$::hc929fc692f6f0cf9 at rt.rs:52:13 [opt]
    frame #8: 0x000000010003974e krb5`std::rt::lang_start_internal::hf7eb5bf96c0eb063 [inlined] std::panicking::try::do_call::hd19aaf48f3a9c904 at panicking.rs:297 [opt]
    frame #9: 0x000000010003974e krb5`std::rt::lang_start_internal::hf7eb5bf96c0eb063 [inlined] std::panicking::try::h32c9e7d0f5011b7f at panicking.rs:274 [opt]
    frame #10: 0x000000010003974e krb5`std::rt::lang_start_internal::hf7eb5bf96c0eb063 [inlined] std::panic::catch_unwind::hfd90c56a25f83b76 at panic.rs:394 [opt]
    frame #11: 0x000000010003974e krb5`std::rt::lang_start_internal::hf7eb5bf96c0eb063 at rt.rs:51 [opt]
    frame #12: 0x0000000100008e11 krb5`std::rt::lang_start::h029fbc2009511973(main=(krb5`krb5::main::hf4e1f8e36fd691db at krb5.rs:142), argc=2, argv=0x00007ffeefbff780) at rt.rs:67:5
    frame #13: 0x0000000100005c22 krb5`main + 34
    frame #14: 0x00007fff6e8f7cc9 libdyld.dylib`start + 1

[dwink]

I added a breakpoint at oid.rs:193 and inspected self:

(lldb) print *self
(libgssapi::oid::Oid) $0 = (length = 9, elements = "*\x86H\x86\x02+\x06\x01\x05\x02\x05*\x85p+\r\x1d*\x86H\x86\x02\x05\x0e")

[estokes]

it looks like the oid set is invalid ... that's strange. I did some more digging and found that the heimdal Apple has installed is deprecated, they have built a framework called GSS. Since the goal is to integrate into the platform, I will look into using that, though I still would like to figure out this segfault.

…

On Sun, Sep 6, 2020 at 10:59 AM David Harks ***@***.***> wrote: I added a breakpoint at oid.rs:193 and inspected self: (lldb) print *self (libgssapi::oid::Oid) $0 = (length = 9, elements = "*\x86H\x86\x02+\x06\x01\x05\x02\x05*\x85p+\r\x1d*\x86H\x86\x02\x05\x0e") — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#2 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABWJHLBT35PRQF6A35DZUELSEOPTTANCNFSM4QTNKSNA> .

[dwink]

Aha, that makes sense. Looks like the IOV stuff is "ApplePrivate" but the rest might be there.

[dwink]

I had a bit of free time so I hid the IOV functions via cfg and linked against the GSS framework:

❯ otool -L target/debug/examples/krb5
target/debug/examples/krb5:
        /System/Library/Frameworks/GSS.framework/Versions/A/GSS (compatibility version 1.0.0, current version 1.0.0)
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1281.100.1)
        /usr/lib/libresolv.9.dylib (compatibility version 1.0.0, current version 1.0.0)

I end up segfaulting at a similar spot:

❯ lldb target/debug/examples/krb5
(lldb) target create "target/debug/examples/krb5"
Current executable set to '/Users/dharks/projects/libgssapi/libgssapi/target/debug/examples/krb5' (x86_64).
(lldb) run nfs@localhost
Process 41211 launched: '/Users/dharks/projects/libgssapi/libgssapi/target/debug/examples/krb5' (x86_64)
import name
Process 41211 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
    frame #0: 0x00007fff6eaed9a9 libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 169
libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell:
->  0x7fff6eaed9a9 <+169>: movq   (%rsi), %rcx
    0x7fff6eaed9ac <+172>: movq   (%rsi,%rdx), %r8
    0x7fff6eaed9b0 <+176>: movq   %rcx, (%rdi)
    0x7fff6eaed9b3 <+179>: movq   %r8, (%rdi,%rdx)
Target 0: (krb5) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
  * frame #0: 0x00007fff6eaed9a9 libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 169
    frame #1: 0x00007fff37493614 GSS`_gss_copy_oid + 148
    frame #2: 0x00007fff374929b4 GSS`gss_import_name + 228
    frame #3: 0x0000000100018bde krb5`libgssapi::name::Name::new::hd9a4803f6311fbb7(s=(data_ptr = "nfs@localhost", length = 13), kind=Option<&libgssapi::oid::Oid> @ 0x00007ffeefbfe9f0) at name.rs:77:13
    frame #4: 0x0000000100003d18 krb5`krb5::setup_server_ctx::h1ecdfe683b0a2b35(service_name=(data_ptr = "nfs@localhost", length = 13), desired_mechs=0x00007ffeefbfef28) at krb5.rs:91:16
    frame #5: 0x00000001000049bf krb5`krb5::run::hd43320aa70b0e1c0(service_name=(data_ptr = "nfs@localhost", length = 13)) at krb5.rs:121:31
    frame #6: 0x0000000100005b02 krb5`krb5::main::hf4e1f8e36fd691db at krb5.rs:147:15
    frame #7: 0x0000000100008e0e krb5`std::rt::lang_start::_$u7b$$u7b$closure$u7d$$u7d$::h96d13f9372e6ff3e at rt.rs:67:34
    frame #8: 0x0000000100039759 krb5`std::rt::lang_start_internal::hf7eb5bf96c0eb063 [inlined] std::rt::lang_start_internal::_$u7b$$u7b$closure$u7d$$u7d$::hc929fc692f6f0cf9 at rt.rs:52:13 [opt]
    frame #9: 0x000000010003974e krb5`std::rt::lang_start_internal::hf7eb5bf96c0eb063 [inlined] std::panicking::try::do_call::hd19aaf48f3a9c904 at panicking.rs:297 [opt]
    frame #10: 0x000000010003974e krb5`std::rt::lang_start_internal::hf7eb5bf96c0eb063 [inlined] std::panicking::try::h32c9e7d0f5011b7f at panicking.rs:274 [opt]
    frame #11: 0x000000010003974e krb5`std::rt::lang_start_internal::hf7eb5bf96c0eb063 [inlined] std::panic::catch_unwind::hfd90c56a25f83b76 at panic.rs:394 [opt]
    frame #12: 0x000000010003974e krb5`std::rt::lang_start_internal::hf7eb5bf96c0eb063 at rt.rs:51 [opt]
    frame #13: 0x0000000100008df1 krb5`std::rt::lang_start::h029fbc2009511973(main=(krb5`krb5::main::hf4e1f8e36fd691db at krb5.rs:142), argc=2, argv=0x00007ffeefbff7e0) at rt.rs:67:5
    frame #14: 0x0000000100005c02 krb5`main + 34
    frame #15: 0x00007fff6e8f7cc9 libdyld.dylib`start + 1

[estokes]

There's clearly something wrong, I'll try to dig in this week.

On Tuesday, September 8, 2020, David Harks ***@***.***> wrote: I had a bit of free time so I hid the IOV functions via cfg and linked

against the GSS framework:

❯ otool -L target/debug/examples/krb5 target/debug/examples/krb5: /System/Library/Frameworks/GSS.framework/Versions/A/GSS (compatibility

version 1.0.0, current version 1.0.0)

/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version

1281.100.1)

/usr/lib/libresolv.9.dylib (compatibility version 1.0.0, current version

1.0.0)

I end up segfaulting at exactly the same spot: ❯ lldb target/debug/examples/krb5 (lldb) target create "target/debug/examples/krb5" Current executable set to

'/Users/dharks/projects/libgssapi/libgssapi/target/debug/examples/krb5' (x86_64).

(lldb) run ***@***.*** Process 41211 launched:

'/Users/dharks/projects/libgssapi/libgssapi/target/debug/examples/krb5' (x86_64)

import name Process 41211 stopped * thread #1, queue = 'com.apple.main-thread', stop reason =

EXC_BAD_ACCESS (code=EXC_I386_GPFLT)

frame #0: 0x00007fff6eaed9a9

libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 169

libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell: -> 0x7fff6eaed9a9 <+169>: movq (%rsi), %rcx 0x7fff6eaed9ac <+172>: movq (%rsi,%rdx), %r8 0x7fff6eaed9b0 <+176>: movq %rcx, (%rdi) 0x7fff6eaed9b3 <+179>: movq %r8, (%rdi,%rdx) Target 0: (krb5) stopped. (lldb) bt * thread #1, queue = 'com.apple.main-thread', stop reason =

EXC_BAD_ACCESS (code=EXC_I386_GPFLT)

* frame #0: 0x00007fff6eaed9a9

libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 169

frame #1: 0x00007fff37493614 GSS`_gss_copy_oid + 148 frame #2: 0x00007fff374929b4 GSS`gss_import_name + 228 frame #3: 0x0000000100018bde

krb5`libgssapi::name::Name::new::hd9a4803f6311fbb7(s=(data_ptr = "nfs@localhost", length = 13), kind=Option<&libgssapi::oid::Oid> @ 0x00007ffeefbfe9f0) at name.rs:77:13

frame #4: 0x0000000100003d18

krb5`krb5::setup_server_ctx::h1ecdfe683b0a2b35(service_name=(data_ptr = "nfs@localhost", length = 13), desired_mechs=0x00007ffeefbfef28) at krb5.rs:91:16

frame #5: 0x00000001000049bf

krb5`krb5::run::hd43320aa70b0e1c0(service_name=(data_ptr = "nfs@localhost", length = 13)) at krb5.rs:121:31

frame #6: 0x0000000100005b02 krb5`krb5::main::hf4e1f8e36fd691db at

krb5.rs:147:15

frame #7: 0x0000000100008e0e

krb5`std::rt::lang_start::_$u7b$$u7b$closure$u7d$$u7d$::h96d13f9372e6ff3e at rt.rs:67:34

frame #8: 0x0000000100039759

krb5`std::rt::lang_start_internal::hf7eb5bf96c0eb063 [inlined] std::rt::lang_start_internal::_$u7b$$u7b$closure$u7d$$u7d$::hc929fc692f6f0cf9 at rt.rs:52:13 [opt]

frame #9: 0x000000010003974e

krb5`std::rt::lang_start_internal::hf7eb5bf96c0eb063 [inlined] std::panicking::try::do_call::hd19aaf48f3a9c904 at panicking.rs:297 [opt]

frame #10: 0x000000010003974e

krb5`std::rt::lang_start_internal::hf7eb5bf96c0eb063 [inlined] std::panicking::try::h32c9e7d0f5011b7f at panicking.rs:274 [opt]

frame #11: 0x000000010003974e

krb5`std::rt::lang_start_internal::hf7eb5bf96c0eb063 [inlined] std::panic::catch_unwind::hfd90c56a25f83b76 at panic.rs:394 [opt]

frame #12: 0x000000010003974e

krb5`std::rt::lang_start_internal::hf7eb5bf96c0eb063 at rt.rs:51 [opt]

frame #13: 0x0000000100008df1

krb5`std::rt::lang_start::h029fbc2009511973(main=(krb5`krb5::main::hf4e1f8e36fd691db at krb5.rs:142), argc=2, argv=0x00007ffeefbff7e0) at rt.rs:67:5

frame #14: 0x0000000100005c02 krb5`main + 34 frame #15: 0x00007fff6e8f7cc9 libdyld.dylib`start + 1 — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or unsubscribe.<

https://ci4.googleusercontent.com/proxy/QEG8wdIYV30gnQXYqEHtOFPfJg5AsyWgdXChOKS26eriEc0oo6G_x-NV3WCvNWA0vgdfJW9NOP4eBZJ2jCP2OIIH1xa5THpzVgNDSdctK4TifYfunGinIh2U6PuAMqga2CA2sRWkP8Q8cR2w1P423V6qwzIAdPhUeW9ReYlfHDJaLMtL_5UsM1TSiuYi_CNl8Lufs4o9wPUPjHm64t7G5ztdqqU1b6DoKxW-V0gsYg=s0-d-e1-ft#https://github.com/notifications/beacon/ABWJHLAWTGDJHIP2LPN7TDDSEZWGXA5CNFSM4QTNKSNKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOFEI7GIQ.gif>

[dwink]

There's clearly something wrong, I'll try to dig in this week.

I narrowed it down a bit further -- looks like it's your favorite thing, OIDs. If I substitute the OID definitions listed in the headers for the ones in oid.rs, it works.

[estokes]

Horrible. At least I know where to start.

On Tuesday, September 8, 2020, David Harks ***@***.***> wrote: There's clearly something wrong, I'll try to dig in this week. I narrowed it down a bit further -- looks like it's your favorite thing,

OIDs. If I substitute the OID definitions listed in the headers for the ones in oid.rs, it works.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub, or unsubscribe.<

https://ci6.googleusercontent.com/proxy/PAQmqgVFFvjs2bsZ1aLOiFVL7SNmVGacwb1vT6-j0sDbRhpQXQT8LVK8lSO0pGcLy-CYWOwsUFYzSe95aUqWuw9J6dkcBEpb2XKroN-f3cAkurZcq3Gxys6IEY0W__ecXCevVCeAzh7QkJmSZlL9u_EAKMuBvtv6yMA2wmsTk79jMEiUHOkfG5Hw6pBx7F2a3w7t_GxLajilZQLnq3GQwjPVjVlgj_1nw7x3zHoUJQ=s0-d-e1-ft#https://github.com/notifications/beacon/ABWJHLAAR4OMYUCIMGCIXL3SEZ7V5A5CNFSM4QTNKSNKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOFEJJNBI.gif>

[dwink]

Aha! I think I see the issue. On Linux, bindgen generates this for the gss_OID_desc_struct type:

[repr(C)]
#[derive(Debug, Copy, Clone)]
pub struct gss_OID_desc_struct {
    pub length: OM_uint32,
    pub elements: *mut ::std::os::raw::c_void,
}

But on Mac, it generates:

#[repr(C, packed(2))]
#[derive(Debug, Copy, Clone)]
pub struct gss_OID_desc_struct {
    pub length: OM_uint32,
    pub elements: *mut ::std::os::raw::c_void,
}

So on Mac, the Oid struct isn't packed the same way as the gss_OID_desc_struct, which means transmute explodes when going back & forth.

I added the #[repr(C, packed(2))] to the Oid struct and the segfault went away!

[dwink]

I put my changes on a branch; feel free to cherry-pick in whatever you like...

https://github.com/dwink/libgssapi/tree/macos_gss_framework

[estokes]

Thank's a lot, I'll do that. I want to go through and review the code to make sure there isn't somewhere else I'm making the same mistake, I hope to do that this week, then I'll put together another release. I guess, unfortunately, the gss_iov parts are going to have to be made a feature. That's really too bad, because they improve performance a lot, but *shrug* Apple.

…

On Tue, Sep 8, 2020 at 5:39 PM David Harks ***@***.***> wrote: I put my changes on a branch; feel free to cherry-pick in whatever you like... https://github.com/dwink/libgssapi/tree/macos_gss_framework — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#2 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABWJHLGQMOYUQLRML5KJQPDSE2P7VANCNFSM4QTNKSNA> .

[dwink]

Yeah, Apple made them private. Maybe their implementation uses them under the hood somehow...?

❯ nm -gU /System/Library/Frameworks/GSS.framework/GSS | grep gss_wrap
0000000000033650 T ___ApplePrivate_gss_wrap_iov
0000000000033840 T ___ApplePrivate_gss_wrap_iov_length
00000000000393b0 T _gss_wrap
0000000000039320 T _gss_wrap_size_limit

Looks like some folks just link them in anyhow:
https://github.com/Microsoft/omi/pull/331/files

[estokes]

I believe this is now resolved, including the iov bits. If possible please test. I can't since I don't have admin access to join the mac I'm using to a kerberos realm.

The issue with the oid struct was just stupidity on my part, I should never have copied what bindgen produced, and the worst part is that it wasn't even necessary. I've audited the code and managed to eliminate all uses of transmute, and I don't see any similar errors.

[dwink]

Well, it definitely doesn't segfault, but it also can't seem to find the right credentials:

gssapi major error  No credentials were supplied, or the credentials were unavailable or inaccessible.
gssapi minor error  Function completed successfully

I can auth against this KDC from a Linux host and the example program works perfectly there. Any ideas how to troubleshoot this Heimdal thing?

[estokes]

Do you have a TGT? What's the output of klist? That's the place to start.

[dwink]

Nevermind, it was a DNS issue. (It's always a DNS issue, right?)

It works!

     Running `target/debug/examples/krb5 'test@hokusai.home.harks.us'`
import name
canonicalize name for kerberos 5
server name: test@hokusai.home.harks.us, server cname: test/hokusai.home.harks.us@HOME.HARKS.US
acquired server credentials: CredInfo {
    name: host/hokusai.local@LOCAL,
    lifetime: 4294967295s,
    usage: Accept,
    mechanisms: [
        GSS_MECH_KRB5,
    ],
}
acquired default client credentials: CredInfo {
    name: Administrator@HOME.HARKS.US,
    lifetime: 35338s,
    usage: Initiate,
    mechanisms: [
        GSS_MECH_KRB5,
    ],
}
security context initialized successfully
client ctx info: CtxInfo {
    source_name: Administrator@HOME.HARKS.US,
    target_name: test/hokusai.home.harks.us@HOME.HARKS.US,
    lifetime: 35338s,
    mechanism: GSS_MECH_KRB5,
    flags: GSS_C_MUTUAL_FLAG | GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG | GSS_C_TRANS_FLAG,
    local: true,
    open: true,
}
server ctx info: CtxInfo {
    source_name: Administrator@HOME.HARKS.US,
    target_name: test/hokusai.home.harks.us@HOME.HARKS.US,
    lifetime: 35338s,
    mechanism: GSS_MECH_KRB5,
    flags: GSS_C_MUTUAL_FLAG | GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG | GSS_C_TRANS_FLAG,
    local: false,
    open: true,
}
the decrypted message is: 'super secret message'

But the iov stuff fails:

rapping secret message using no alloc method
requested buffer lengths are as follows ...
header:  32
data:    20
padding: 0
trailer: 28
gssapi major error  Miscellaneous failure (see text)
gssapi minor error unknown routine error

[estokes]

Fun times. I guess it'll be a feature then, because I'm not buying a mac for this :P

[dwink]

Fun times. I guess it'll be a feature then, because I'm not buying a mac for this :P

I don't blame you. Besides, even if we did get it working, if someone were to use this crate to ship something to the App Store Apple would reject it for linking those __ApplePrivate symbols anyhow.

[estokes]

New release published. Build with --no-default-features on macos.