BIND 9 attempts to look up GSSAPI OIDs for the Kerberos 5 and SPNEGO
mechanisms in the relevant header files provided by the Kerberos/GSSAPI
library used. Due to the differences between various Kerberos/GSSAPI
implementations, if any of the expected preprocessor macros
(GSS_KRB5_MECHANISM, GSS_SPNEGO_MECHANISM) is not defined in the header
files provided by the library used, the code in lib/dns/gssapictx.c
defines its own version of each missing macro, so that BIND 9 can
attempt to use the relevant security mechanisms anyway.

Commit 7f08c756aa, which contains a
partial backport of the changes introduced in commit
978c7b2e89, left a block of code in the
lib/dns/include/dst/gssapi.h header which defines the
GSS_SPNEGO_MECHANISM preprocessor macro to NULL if it is not defined by
any header file provided by the Kerberos/GSSAPI library used. This
causes the gss_add_oid_set_member() call in the mech_oid_set_create()
helper function to always return an error. This in turn causes the
dst_gssapi_acquirecred() function to also always return an error, which
ultimately prevents any named instance whose configuration includes the
"tkey-gssapi-credential" option from starting.

Remove the offending conditional definition of the GSS_SPNEGO_MECHANISM
preprocessor macro from lib/dns/include/dst/gssapi.h, so that a proper
GSSAPI OID is assigned to that macro in lib/dns/gssapictx.c when the
Kerberos/GSSAPI library used does not define it.

(cherry picked from commit 648ef3a2b4)
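
The guard-ordering problem described in the commit message above, reduced to a stand-alone sketch. This is an added example, not code from BIND 9 or from any Kerberos/GSSAPI library: every `toy_*` and `TOY_*` name is hypothetical, and the NULL check in `toy_add_member()` models the failure the message attributes to gss_add_oid_set_member().

```c
#include <stddef.h>
#include <stdio.h>

/* Toy stand-ins for gss_OID_desc and an OID set; not the real GSSAPI types. */
typedef struct { size_t length; const void *elements; } toy_oid_desc;
typedef struct { size_t count; const toy_oid_desc *members[4]; } toy_oid_set;

/* DER encoding of the SPNEGO OID 1.3.6.1.5.5.2. */
static const unsigned char spnego_der[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 };
static const toy_oid_desc spnego_fallback = { sizeof(spnego_der), spnego_der };

/* Before: a header-level guard runs first and pins the macro to NULL... */
#ifndef TOY_SPNEGO_MECHANISM
#define TOY_SPNEGO_MECHANISM NULL
#endif
/* ...so the later guard that would supply a real OID is never taken. */
#ifndef TOY_SPNEGO_MECHANISM
#define TOY_SPNEGO_MECHANISM (&spnego_fallback)
#endif
static const toy_oid_desc *spnego_before(void) { return TOY_SPNEGO_MECHANISM; }
#undef TOY_SPNEGO_MECHANISM

/* After: with the header-level guard removed, the fallback OID is used. */
#ifndef TOY_SPNEGO_MECHANISM
#define TOY_SPNEGO_MECHANISM (&spnego_fallback)
#endif
static const toy_oid_desc *spnego_after(void) { return TOY_SPNEGO_MECHANISM; }

/* Assumed behaviour, per the commit message: a NULL OID is rejected. */
static int toy_add_member(const toy_oid_desc *oid, toy_oid_set *set) {
    if (oid == NULL || oid->elements == NULL || set->count >= 4) return -1;
    set->members[set->count++] = oid;
    return 0;
}

/* Credential acquisition fails as soon as the mechanism set cannot be built. */
static int toy_acquirecred(const toy_oid_desc *spnego) {
    toy_oid_set set = { 0, { NULL } };
    return toy_add_member(spnego, &set);
}

int main(void) {
    printf("before the fix: %d\n", toy_acquirecred(spnego_before()));
    printf("after the fix:  %d\n", toy_acquirecred(spnego_after()));
    return 0;
}
```

Because `#ifndef` only tests whether a name is defined, not what it expands to, a NULL placeholder defined earlier in the include chain silently disables every later fallback for the same macro.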