krb5: backport upstream SPNEGO mechListMIC parsing fix (ticket 9183)#17784

Open
apurvparekh30 wants to merge 2 commits into
microsoft:3.0-devfrom
apurvparekh30:krb5-spnego-mechlistmic-9183

Conversation

@apurvparekh30 apurvparekh30 commented Jun 23, 2026

Merge Checklist
  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted
  • LICENSE-MAP files are up-to-date
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

https://microsoft.visualstudio.com/OS/_workitems/edit/62817258
Azure Linux 3.0 ships krb5 1.21.3-4, whose get_negTokenResp() parses the SPNEGO mechListMIC field with the wrong ASN.1 context tag — [4] (0xA4) instead of the correct [3] (0xA3). Per RFC 4178 NegTokenResp, mechListMIC is [3] (and get_negTokenInit() already uses [3] correctly). The bug was introduced upstream by commit fdceb225.

As a result the acceptor/initiator fails to read the mechListMIC in a negTokenResp, breaking SPNEGO MIC verification on that path. This is observable when authenticating NTLM-over-SPNEGO to Windows hosts (e.g. PowerShell/WinRM remoting from an Azure Linux container via gss-ntlmssp), where the MIC exchange is required.

This PR backports the upstream fix krb5 commit 942c503 (ticket 9183, target_version: 1.21-next), which corrects the tag and restores the t_spnego.c reselection regression test.

Change Log
  • Add SPECS/krb5/krb5-fix-SPNEGO-mechListMIC-parsing.patch (full upstream commit 942c503, code fix + regression test).
  • krb5.spec: add Patch3, bump Release 4 → 5, add %changelog entry.
  • Update toolchain_{x86_64,aarch64}.txt and pkggen_core_{x86_64,aarch64}.txt manifests to the new 1.21.3-5 RPM filenames (krb5 is a toolchain package).
  • No Source files changed, so krb5.signatures.json is unchanged.
Does this affect the toolchain?

YES — krb5 is a toolchain package. No source/dependency changes, but its Release bump (4 → 5) requires the toolchain and pkggen_core package manifests (x86_64 + aarch64) to be updated to the new RPM filenames, which this PR does.

Associated issues
Test Methodology
  • Full upstream patch applies cleanly to the 1.21.3 source tree (%autosetup -p1); the restored t_spnego.c reselection test runs under %check (make check).
  • Fix validated end-to-end in a live Azure Linux 3.0 container: with krb5 carrying this fix, SPNEGO/NTLM PowerShell remoting to a Windows SCVMM/VMM host completes successfully.
  • Pipeline build id: to be filled from the GitHub PR check run
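The tag mismatch the description above is about, shown as an added example that is not part of this PR and is not krb5's own code: a minimal DER walker over a negTokenResp that accepts mechListMIC only under a caller-supplied context tag. With the RFC 4178 tag [3] (0xA3) the 16-byte MIC is found; with the tag the broken get_negTokenResp() used, [4] (0xA4), the same token parses but the MIC is never seen. The sample token is constructed by hand for this example, the function names (parse_neg_token_resp, mic_len_in) are this example's own, and skipping an unrecognised context tag is a simplification rather than a model of krb5's actual error path.

```c
/* Added example, not krb5 or Azure Linux code: a minimal DER walker over a
 * SPNEGO negTokenResp (RFC 4178) showing why looking for mechListMIC under
 * context tag [4] (0xA4) instead of [3] (0xA3) makes the MIC vanish.
 * The token below is constructed by hand for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_NEGSTATE          0xA0  /* negState      [0] ENUMERATED   */
#define TAG_SUPPORTEDMECH     0xA1  /* supportedMech [1] OID          */
#define TAG_RESPONSETOKEN     0xA2  /* responseToken [2] OCTET STRING */
#define TAG_MECHLISTMIC       0xA3  /* mechListMIC   [3] OCTET STRING, per RFC 4178 */
#define TAG_MECHLISTMIC_BUGGY 0xA4  /* what the broken get_negTokenResp() looked for */

/* Constructed negTokenResp: accept-completed(0), NTLMSSP OID
 * 1.3.6.1.4.1.311.2.2.10, a 4-byte responseToken, a 16-byte MIC under [3]. */
static const uint8_t SAMPLE_NEGTOKENRESP[] = {
    0xA1, 0x31, 0x30, 0x2F,              /* [1] negTokenResp (49) / SEQUENCE (47) */
        0xA0, 0x03, 0x0A, 0x01, 0x00,    /* [0] negState               */
        0xA1, 0x0C, 0x06, 0x0A,          /* [1] supportedMech          */
          0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0A,
        0xA2, 0x06, 0x04, 0x04,          /* [2] responseToken          */
          0xDE,0xAD,0xBE,0xEF,
        0xA3, 0x12, 0x04, 0x10,          /* [3] mechListMIC            */
          0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F,
};

struct neg_resp {
    int negstate;                        /* -1 if absent */
    const uint8_t *mech, *resp, *mic;    /* mic == NULL: no MIC recognised */
    size_t mech_len, resp_len, mic_len;
};

/* DER length, short or long form. Returns header bytes consumed, 0 on error. */
static size_t der_len(const uint8_t *p, size_t avail, size_t *len)
{
    size_t n, l = 0;
    if (avail < 1) return 0;
    if (p[0] < 0x80) { *len = p[0]; return 1; }
    n = p[0] & 0x7F;
    if (n == 0 || n > sizeof(size_t) || avail < 1 + n) return 0;
    for (size_t i = 0; i < n; i++) l = (l << 8) | p[1 + i];
    *len = l;
    return 1 + n;
}

/* One TLV at *pp with tag 'expect': returns its value (NULL on mismatch or
 * truncation), stores the value length and advances *pp past the element. */
static const uint8_t *der_tlv(const uint8_t **pp, const uint8_t *end,
                              uint8_t expect, size_t *vlen)
{
    const uint8_t *p = *pp;
    size_t len, hdr;
    if (p >= end || p[0] != expect) return NULL;
    hdr = der_len(p + 1, (size_t)(end - p - 1), &len);
    if (hdr == 0 || len > (size_t)(end - p - 1 - hdr)) return NULL;
    *vlen = len;
    *pp = p + 1 + hdr + len;
    return p + 1 + hdr;
}

/* Parse a negTokenResp, accepting mechListMIC only under 'mic_tag'.
 * Returns 0 on success, -1 on malformed input. */
int parse_neg_token_resp(const uint8_t *tok, size_t n, uint8_t mic_tag,
                         struct neg_resp *out)
{
    const uint8_t *p = tok, *end = tok + n, *v, *q, *in;
    size_t vlen, ilen;
    memset(out, 0, sizeof *out);
    out->negstate = -1;

    if (!(v = der_tlv(&p, end, 0xA1, &vlen))) return -1;  /* [1] negTokenResp */
    p = v; end = v + vlen;
    if (!(v = der_tlv(&p, end, 0x30, &vlen))) return -1;  /* SEQUENCE */
    p = v; end = v + vlen;

    while (p < end) {
        uint8_t tag = p[0], inner;
        if (!(v = der_tlv(&p, end, tag, &vlen))) return -1;
        if      (tag == TAG_NEGSTATE)      inner = 0x0A;  /* ENUMERATED */
        else if (tag == TAG_SUPPORTEDMECH) inner = 0x06;  /* OID        */
        else if (tag == TAG_RESPONSETOKEN || tag == mic_tag) inner = 0x04;
        else continue;  /* Unrecognised context tag, skipped: with mic_tag == 0xA4 the
                           [3] element lands here and the MIC is never seen (simplification). */
        q = v;
        if (!(in = der_tlv(&q, v + vlen, inner, &ilen))) return -1;
        if (tag == TAG_NEGSTATE)           { if (ilen != 1) return -1; out->negstate = in[0]; }
        else if (tag == TAG_SUPPORTEDMECH) { out->mech = in; out->mech_len = ilen; }
        else if (tag == TAG_RESPONSETOKEN) { out->resp = in; out->resp_len = ilen; }
        else                               { out->mic  = in; out->mic_len  = ilen; }
    }
    return 0;
}

/* Parse 'tok' with the given MIC tag. Returns the MIC length, 0 if no MIC
 * was recognised, (size_t)-1 if the token did not parse at all. */
size_t mic_len_in(const uint8_t *tok, size_t n, uint8_t mic_tag)
{
    struct neg_resp r;
    if (parse_neg_token_resp(tok, n, mic_tag, &r) != 0) return (size_t)-1;
    return r.mic ? r.mic_len : 0;
}

int main(void)
{
    size_t n = sizeof SAMPLE_NEGTOKENRESP;
    printf("tag [3] 0xA3 (fixed): MIC length %zu\n", mic_len_in(SAMPLE_NEGTOKENRESP, n, TAG_MECHLISTMIC));
    printf("tag [4] 0xA4 (buggy): MIC length %zu\n", mic_len_in(SAMPLE_NEGTOKENRESP, n, TAG_MECHLISTMIC_BUGGY));
    return 0;
}
```

The token parses cleanly either way, which is why the bug is silent at the ASN.1 layer: nothing is malformed, the MIC is simply treated as an unknown element and the caller proceeds without it.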

Azure Linux 3.0 ships krb5 1.21.3, whose get_negTokenResp() looks for the
SPNEGO mechListMIC field with ASN.1 context tag [4] (0xA4) instead of the
correct [3] (0xA3). This was introduced upstream by commit fdceb225 and
breaks SPNEGO MIC verification on the negTokenResp path (notably NTLM-over-
SPNEGO authentication to Windows hosts).

Backport upstream fix krb5 commit 942c503 (ticket 9183), which corrects the
tag and restores the t_spnego.c reselection regression test. Bump release
4 -> 5.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@apurvparekh30 apurvparekh30 requested a review from a team as a code owner June 23, 2026 04:16
@microsoft-github-policy-service microsoft-github-policy-service Bot added Packaging 3.0-dev PRs Destined for AzureLinux 3.0 labels Jun 23, 2026
krb5 is a toolchain package, so bumping its Release requires updating the
x86_64 and aarch64 toolchain and pkggen_core manifests to reference the
new -5 RPM filenames.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
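The manifest update this commit describes, as an added consistency check that is not part of the Azure Linux toolkit: read Name, Version and Release from the SPEC and verify that every manifest entry for that package (base package and subpackages) carries the same Version-Release, so a Release bump cannot leave a stale RPM filename behind in one architecture's manifest. The spec and manifest files are constructed fragments, the `.azl3` dist tag in the RPM filenames and the `krb5-devel` subpackage name are assumptions, and the functions spec_vr, check_manifest and check_all are this example's own.

```shell
#!/bin/sh
# Added example, not Azure Linux toolkit code: check that every toolchain /
# pkggen_core manifest entry for a package carries the Version-Release its
# SPEC declares, so a Release bump cannot leave a stale RPM filename behind.
# The spec and manifests are constructed fragments; the ".azl3" dist tag and
# the "krb5-devel" subpackage name are assumptions of this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/krb5.spec" <<'EOF'
Name:           krb5
Version:        1.21.3
Release:        5%{?dist}
Patch3:         krb5-fix-SPNEGO-mechListMIC-parsing.patch
EOF

# x86_64 manifest updated for the bump; aarch64 still lists the old -4 base RPM
cat > "$WORK/toolchain_x86_64.txt" <<'EOF'
krb5-1.21.3-5.azl3.x86_64.rpm
krb5-devel-1.21.3-5.azl3.x86_64.rpm
othertool-1.0-1.azl3.x86_64.rpm
EOF
cat > "$WORK/toolchain_aarch64.txt" <<'EOF'
krb5-1.21.3-4.azl3.aarch64.rpm
krb5-devel-1.21.3-5.azl3.aarch64.rpm
EOF

# spec_vr SPEC -> "<Version>-<Release>" with the %{?dist} macro stripped
spec_vr() {
    ver=$(sed -n 's/^Version:[[:space:]]*//p' "$1")
    rel=$(sed -n 's/^Release:[[:space:]]*//p' "$1" | sed 's/%{?dist}//')
    printf '%s-%s\n' "$ver" "$rel"
}

# check_manifest NAME VR MANIFEST -> 0 if every NAME or NAME-<sub> entry
# carries VR; 1 otherwise, listing the stale entries on stderr
check_manifest() {
    name=$1; vr=$2; manifest=$3; bad=0
    for rpm in $(grep -E "^${name}(-[A-Za-z0-9_]+)*-[0-9]" "$manifest" || true); do
        case "$rpm" in
            *"-${vr}."*) ;;
            *) printf 'stale: %s (spec says %s)\n' "$rpm" "$vr" >&2; bad=1 ;;
        esac
    done
    return $bad
}

# check_all SPEC MANIFEST... -> 0 only if every manifest agrees with the spec
check_all() {
    spec=$1; shift
    pkg=$(sed -n 's/^Name:[[:space:]]*//p' "$spec")
    want=$(spec_vr "$spec"); rc=0
    for m in "$@"; do
        if check_manifest "$pkg" "$want" "$m"; then
            echo "ok: $(basename "$m") matches $pkg $want"
        else
            echo "MISMATCH: $(basename "$m")"; rc=1
        fi
    done
    return $rc
}

if check_all "$WORK/krb5.spec" "$WORK"/toolchain_*.txt; then
    echo "manifests consistent with krb5.spec"
else
    echo "manifest update incomplete: a stale RPM filename would ship"
fi
```

Run against the real tree by pointing check_all at SPECS/krb5/krb5.spec and the four toolchain/pkggen_core manifests; the constructed aarch64 manifest above deliberately keeps the -4 base RPM so the stale entry is reported.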
KavyaSree2610 commented Jun 24, 2026

Reproduced the issue without patch: hangs indefinitely [screenshot]
Resolved with the patch: [screenshot]

@KavyaSree2610 KavyaSree2610 left a comment

Looks good to me
