rpms/gssproxy
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Merged update from upstream sources

Browse Source 
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/gssproxy.git#8e5cc4d7fc533e97be36d2a37cf4c209610c2b44
This commit is contained in:
DistroBaker 2020-10-30 02:38:31 +01:00
parent 8b426ac569
commit 0c0e91e6d7
10 changed files with 817 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
Always-free-ciphertext-data-in-gp_encrypt_buffer.patch Normal file
View File

@ -0,0 +1,31 @@
From d9a37354c9a040b151fbd737b84b7cacb315ec9d Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 27 Aug 2020 15:35:40 -0400
Subject: [PATCH] Always free ciphertext data in gp_encrypt_buffer
Signed-off-by: Simo Sorce <simo@redhat.com>
[rharwood@redhat.com: rewrote commit message]
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit fe9e3c29caab90daf19028fb31ff28622d8708a9)
---
src/gp_export.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/gp_export.c b/src/gp_export.c
index a5681c0..fb2f81b 100644
--- a/src/gp_export.c
+++ b/src/gp_export.c
@@ -308,10 +308,9 @@ static int gp_encrypt_buffer(krb5_context context, krb5_keyblock *key,
ret = gp_conv_octet_string(enc_handle.ciphertext.length,
enc_handle.ciphertext.data,
out);
- if (ret) {
- free(enc_handle.ciphertext.data);
- goto done;
- }
+ /* the conversion function copies the data, so free our copy
+ * unconditionally, or we leak */
+ free(enc_handle.ciphertext.data);
done:
free(padded);

56
Avoid-unnecessary-allocation-in-gpm_inquire_mechs_fo.patch Normal file
View File

@ -0,0 +1,56 @@
From ebd66fbf42887220a0ff38cfea03a7b20fa4da17 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 27 Aug 2020 17:20:44 -0400
Subject: [PATCH] Avoid unnecessary allocation in gpm_inquire_mechs_for_name()
Signed-off-by: Simo Sorce <simo@redhat.com>
[rharwood@redhat.com: clarified commit message]
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit c0561c078bc22b9523ac25f515ad85b735c26a92)
---
src/client/gpm_indicate_mechs.c | 12 +++---------
1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/src/client/gpm_indicate_mechs.c b/src/client/gpm_indicate_mechs.c
index 4041dcd..73fadf0 100644
--- a/src/client/gpm_indicate_mechs.c
+++ b/src/client/gpm_indicate_mechs.c
@@ -390,7 +390,7 @@ OM_uint32 gpm_inquire_mechs_for_name(OM_uint32 *minor_status,
uint32_t ret_min;
uint32_t ret_maj;
uint32_t discard;
- gss_OID name_type = GSS_C_NO_OID;
+ gss_OID_desc name_type;
int present;
if (!minor_status) {
@@ -407,19 +407,14 @@ OM_uint32 gpm_inquire_mechs_for_name(OM_uint32 *minor_status,
return GSS_S_FAILURE;
}
- ret_min = gp_conv_gssx_to_oid_alloc(&input_name->name_type, &name_type);
- if (ret_min) {
- ret_maj = GSS_S_FAILURE;
- goto done;
- }
-
ret_maj = gss_create_empty_oid_set(&ret_min, mech_types);
if (ret_maj) {
goto done;
}
+ gp_conv_gssx_to_oid(&input_name->name_type, &name_type);
for (unsigned i = 0; i < global_mechs.info_len; i++) {
- ret_maj = gss_test_oid_set_member(&ret_min, name_type,
+ ret_maj = gss_test_oid_set_member(&ret_min, &name_type,
global_mechs.info[i].name_types,
&present);
if (ret_maj) {
@@ -437,7 +432,6 @@ OM_uint32 gpm_inquire_mechs_for_name(OM_uint32 *minor_status,
}
done:
- gss_release_oid(&discard, &name_type);
if (ret_maj) {
gss_release_oid_set(&discard, mech_types);
*minor_status = ret_min;

217
Expand-use-of-global-static-mechs-to-conform-to-SPI.patch Normal file
View File

@ -0,0 +1,217 @@
From b7ccb627f4663ca949e3483486478add8f61cb27 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 27 Aug 2020 11:34:45 -0400
Subject: [PATCH] Expand use of global static mechs to conform to SPI
GSSAPI requires some specific APIs to return "static" OIDs that the user
does not have to free. The krb5 mechglue in fact requires mechanisms to
also honor this or the mech oid will be irretrievably leaked in some
cases.
To accomodate this, expand use of global mechs structure we already
allocate for the gss_inidicate_mechs case so we can return "static" OIDs
from calls like ISC and ASC.
Signed-off-by: Simo Sorce <simo@redhat.com>
[rharwood@redhat.com: commit message fixups]
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit a3f13b30ef3c90ff7344c3913f6e26e55b82451f)
---
src/client/gpm_accept_sec_context.c | 22 ++++++-------------
src/client/gpm_common.c | 1 -
src/client/gpm_indicate_mechs.c | 34 +++++++++++++++++++++++++++++
src/client/gpm_init_sec_context.c | 19 +++++-----------
src/client/gssapi_gpm.h | 3 +++
src/mechglue/gss_plugin.c | 5 +++++
6 files changed, 55 insertions(+), 29 deletions(-)
diff --git a/src/client/gpm_accept_sec_context.c b/src/client/gpm_accept_sec_context.c
index ef5e79c..ab20b03 100644
--- a/src/client/gpm_accept_sec_context.c
+++ b/src/client/gpm_accept_sec_context.c
@@ -21,7 +21,6 @@ OM_uint32 gpm_accept_sec_context(OM_uint32 *minor_status,
gssx_res_accept_sec_context *res = &ures.accept_sec_context;
gssx_ctx *ctx = NULL;
gssx_name *name = NULL;
- gss_OID_desc *mech = NULL;
gss_buffer_t outbuf = NULL;
uint32_t ret_maj;
int ret;
@@ -70,15 +69,6 @@ OM_uint32 gpm_accept_sec_context(OM_uint32 *minor_status,
goto done;
}
- if (mech_type) {
- if (res->status.mech.octet_string_len) {
- ret = gp_conv_gssx_to_oid_alloc(&res->status.mech, &mech);
- if (ret) {
- goto done;
- }
- }
- }
-
ctx = res->context_handle;
/* we are stealing the delegated creds on success, so we do not want
* it to be freed by xdr_free */
@@ -101,8 +91,14 @@ OM_uint32 gpm_accept_sec_context(OM_uint32 *minor_status,
}
if (mech_type) {
- *mech_type = mech;
+ gss_OID_desc mech;
+ gp_conv_gssx_to_oid(&res->status.mech, &mech);
+ ret = gpm_mech_to_static(&mech, mech_type);
+ if (ret) {
+ goto done;
+ }
}
+
if (src_name) {
*src_name = name;
}
@@ -145,10 +141,6 @@ done:
xdr_free((xdrproc_t)xdr_gssx_name, (char *)name);
free(name);
}
- if (mech) {
- free(mech->elements);
- free(mech);
- }
if (outbuf) {
free(outbuf->value);
free(outbuf);
diff --git a/src/client/gpm_common.c b/src/client/gpm_common.c
index 786a77b..820243e 100644
--- a/src/client/gpm_common.c
+++ b/src/client/gpm_common.c
@@ -799,4 +799,3 @@ void gpm_free_xdrs(int proc, union gp_rpc_arg *arg, union gp_rpc_res *res)
xdr_free(gpm_xdr_set[proc].arg_fn, (char *)arg);
xdr_free(gpm_xdr_set[proc].res_fn, (char *)res);
}
-
diff --git a/src/client/gpm_indicate_mechs.c b/src/client/gpm_indicate_mechs.c
index b019a96..86c7de3 100644
--- a/src/client/gpm_indicate_mechs.c
+++ b/src/client/gpm_indicate_mechs.c
@@ -300,6 +300,40 @@ static int gpmint_init_global_mechs(void)
return 0;
}
+/* GSSAPI requires some APIs to return "static" mechs that callers do not need
+ * to free. So match a radom mech and return from our global "static" array */
+int gpm_mech_to_static(gss_OID mech_type, gss_OID *mech_static)
+{
+ int ret;
+
+ ret = gpmint_init_global_mechs();
+ if (ret) {
+ return ret;
+ }
+
+ *mech_static = GSS_C_NO_OID;
+ for (size_t i = 0; i < global_mechs.mech_set->count; i++) {
+ if (gpm_equal_oids(&global_mechs.mech_set->elements[i], mech_type)) {
+ *mech_static = &global_mechs.mech_set->elements[i];
+ return 0;
+ }
+ }
+ /* TODO: potentially in future add the mech to the list if missing */
+ return ENOENT;
+}
+
+bool gpm_mech_is_static(gss_OID mech_type)
+{
+ if (global_mechs.mech_set) {
+ for (size_t i = 0; i < global_mechs.mech_set->count; i++) {
+ if (&global_mechs.mech_set->elements[i] == mech_type) {
+ return true;
+ }
+ }
+ }
+ return false;
+}
+
OM_uint32 gpm_indicate_mechs(OM_uint32 *minor_status, gss_OID_set *mech_set)
{
uint32_t ret_min;
diff --git a/src/client/gpm_init_sec_context.c b/src/client/gpm_init_sec_context.c
index bea2010..b84ff94 100644
--- a/src/client/gpm_init_sec_context.c
+++ b/src/client/gpm_init_sec_context.c
@@ -43,7 +43,6 @@ OM_uint32 gpm_init_sec_context(OM_uint32 *minor_status,
gssx_arg_init_sec_context *arg = &uarg.init_sec_context;
gssx_res_init_sec_context *res = &ures.init_sec_context;
gssx_ctx *ctx = NULL;
- gss_OID_desc *mech = NULL;
gss_buffer_t outbuf = NULL;
uint32_t ret_maj = GSS_S_COMPLETE;
uint32_t ret_min = 0;
@@ -100,11 +99,12 @@ OM_uint32 gpm_init_sec_context(OM_uint32 *minor_status,
/* return values */
if (actual_mech_type) {
- if (res->status.mech.octet_string_len) {
- ret = gp_conv_gssx_to_oid_alloc(&res->status.mech, &mech);
- if (ret) {
- goto done;
- }
+ gss_OID_desc mech;
+ gp_conv_gssx_to_oid(&res->status.mech, &mech);
+ ret = gpm_mech_to_static(&mech, actual_mech_type);
+ if (ret) {
+ gpm_save_internal_status(ret, gp_strerror(ret));
+ goto done;
}
}
@@ -151,9 +151,6 @@ done:
gpm_free_xdrs(GSSX_INIT_SEC_CONTEXT, &uarg, &ures);
if (ret_maj == GSS_S_COMPLETE || ret_maj == GSS_S_CONTINUE_NEEDED) {
- if (actual_mech_type) {
- *actual_mech_type = mech;
- }
if (outbuf) {
*output_token = *outbuf;
free(outbuf);
@@ -170,10 +167,6 @@ done:
free(ctx);
ctx = NULL;
}
- if (mech) {
- free(mech->elements);
- free(mech);
- }
if (outbuf) {
free(outbuf->value);
free(outbuf);
diff --git a/src/client/gssapi_gpm.h b/src/client/gssapi_gpm.h
index 61124e0..b7ba04b 100644
--- a/src/client/gssapi_gpm.h
+++ b/src/client/gssapi_gpm.h
@@ -27,6 +27,9 @@ void gpm_display_status_init_once(void);
void gpm_save_status(gssx_status *status);
void gpm_save_internal_status(uint32_t err, char *err_str);
+int gpm_mech_to_static(gss_OID mech_type, gss_OID *mech_static);
+bool gpm_mech_is_static(gss_OID mech_type);
+
OM_uint32 gpm_display_status(OM_uint32 *minor_status,
OM_uint32 status_value,
int status_type,
diff --git a/src/mechglue/gss_plugin.c b/src/mechglue/gss_plugin.c
index 9ce3e15..8f401e9 100644
--- a/src/mechglue/gss_plugin.c
+++ b/src/mechglue/gss_plugin.c
@@ -376,6 +376,11 @@ OM_uint32 gssi_internal_release_oid(OM_uint32 *minor_status, gss_OID *oid)
item = gpp_next_special_oids(item);
}
+ if (gpm_mech_is_static(*oid)) {
+ *oid = GSS_C_NO_OID;
+ return GSS_S_COMPLETE;
+ }
+
/* none matched, it's not ours */
return GSS_S_CONTINUE_NEEDED;
}

156
Fix-leaks-in-our-test-suite-itself.patch Normal file
View File

@ -0,0 +1,156 @@
From 617d9ee9ce967cf20462e3cc7a575fda0f945075 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 27 Aug 2020 13:23:49 -0400
Subject: [PATCH] Fix leaks in our test suite itself
These are mostly laziness in freeing since the programs are short-lived.
Signed-off-by: Simo Sorce <simo@redhat.com>
[rharwood@redhat.com: rewrote commit message]
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit dc56c86f1dcb1ae4dbc35facf5f50fb21c9d5049)
---
tests/interposetest.c | 22 +++++++++++++++-------
tests/t_impersonate.c | 11 ++++++++---
tests/t_init.c | 2 ++
tests/t_setcredopt.c | 8 ++++++--
4 files changed, 31 insertions(+), 12 deletions(-)
diff --git a/tests/interposetest.c b/tests/interposetest.c
index a00904f..0cdd473 100644
--- a/tests/interposetest.c
+++ b/tests/interposetest.c
@@ -71,6 +71,8 @@ static int gptest_inq_context(gss_ctx_id_t ctx)
DEBUG("Context validity: %d sec.\n", time_rec);
done:
+ (void)gss_release_name(&min, &src_name);
+ (void)gss_release_name(&min, &targ_name);
(void)gss_release_buffer(&min, &sname);
(void)gss_release_buffer(&min, &tname);
(void)gss_release_buffer(&min, &mechstr);
@@ -274,7 +276,7 @@ void run_client(struct aproc *data)
gp_log_failure(GSS_C_NO_OID, ret_maj, ret_min);
goto done;
}
- fprintf(stdout, "Client, RECV: [%s]\n", buffer);
+ fprintf(stdout, "Client, RECV: [%*s]\n", buflen, buffer);
/* test gss_wrap_iov_length */
@@ -837,19 +839,22 @@ int main(int argc, const char *main_argv[])
if (opt_version) {
puts(VERSION""DISTRO_VERSION""PRERELEASE_VERSION);
- return 0;
+ ret = 0;
+ goto done;
}
if (opt_target == NULL) {
fprintf(stderr, "Missing target!\n");
poptPrintUsage(pc, stderr, 0);
- return 1;
+ ret = 1;
+ goto done;
}
if (!opt_all) {
- return run_cli_srv_test(PROXY_LOCAL_ONLY,
- PROXY_LOCAL_ONLY,
- opt_target);
+ ret = run_cli_srv_test(PROXY_LOCAL_ONLY,
+ PROXY_LOCAL_ONLY,
+ opt_target);
+ goto done;
}
for (i=0; i<4; i++) {
@@ -861,10 +866,13 @@ int main(int argc, const char *main_argv[])
lookup_gssproxy_behavior(k),
ret ? "failed" : "succeeded");
if (ret) {
- return ret;
+ goto done;
}
}
}
+done:
+ poptFreeContext(pc);
+ free(opt_target);
return ret;
}
diff --git a/tests/t_impersonate.c b/tests/t_impersonate.c
index 8ca6e9c..e7b0bc2 100644
--- a/tests/t_impersonate.c
+++ b/tests/t_impersonate.c
@@ -12,9 +12,9 @@ int main(int argc, const char *argv[])
gss_ctx_id_t accept_ctx = GSS_C_NO_CONTEXT;
gss_buffer_desc in_token = GSS_C_EMPTY_BUFFER;
gss_buffer_desc out_token = GSS_C_EMPTY_BUFFER;
- gss_name_t user_name;
- gss_name_t proxy_name;
- gss_name_t target_name;
+ gss_name_t user_name = GSS_C_NO_NAME;
+ gss_name_t proxy_name = GSS_C_NO_NAME;
+ gss_name_t target_name = GSS_C_NO_NAME;
gss_OID_set_desc oid_set = { 1, discard_const(gss_mech_krb5) };
uint32_t ret_maj;
uint32_t ret_min;
@@ -207,9 +207,14 @@ int main(int argc, const char *argv[])
ret = 0;
done:
+ gss_release_name(&ret_min, &user_name);
+ gss_release_name(&ret_min, &proxy_name);
+ gss_release_name(&ret_min, &target_name);
gss_release_buffer(&ret_min, &in_token);
gss_release_buffer(&ret_min, &out_token);
gss_release_cred(&ret_min, &impersonator_cred_handle);
gss_release_cred(&ret_min, &cred_handle);
+ gss_delete_sec_context(&ret_min, &accept_ctx, GSS_C_NO_BUFFER);
+ gss_delete_sec_context(&ret_min, &init_ctx, GSS_C_NO_BUFFER);
return ret;
}
diff --git a/tests/t_init.c b/tests/t_init.c
index 02407ce..76bd4c1 100644
--- a/tests/t_init.c
+++ b/tests/t_init.c
@@ -82,6 +82,8 @@ int main(int argc, const char *argv[])
goto done;
}
+ gss_release_buffer(&ret_min, &out_token);
+
ret = t_recv_buffer(STDIN_FD, buffer, &buflen);
if (ret != 0) {
DEBUG("Failed to read token from STDIN\n");
diff --git a/tests/t_setcredopt.c b/tests/t_setcredopt.c
index 1399474..bc5e13f 100644
--- a/tests/t_setcredopt.c
+++ b/tests/t_setcredopt.c
@@ -12,8 +12,8 @@ int main(int argc, const char *argv[])
gss_ctx_id_t accept_ctx = GSS_C_NO_CONTEXT;
gss_buffer_desc in_token = GSS_C_EMPTY_BUFFER;
gss_buffer_desc out_token = GSS_C_EMPTY_BUFFER;
- gss_name_t user_name;
- gss_name_t target_name;
+ gss_name_t user_name = GSS_C_NO_NAME;
+ gss_name_t target_name = GSS_C_NO_NAME;
gss_OID_set_desc oid_set = { 1, discard_const(gss_mech_krb5) };
uint32_t ret_maj;
uint32_t ret_min;
@@ -160,8 +160,12 @@ int main(int argc, const char *argv[])
ret = 0;
done:
+ gss_release_name(&ret_min, &user_name);
+ gss_release_name(&ret_min, &target_name);
gss_release_buffer(&ret_min, &in_token);
gss_release_buffer(&ret_min, &out_token);
gss_release_cred(&ret_min, &cred_handle);
+ gss_delete_sec_context(&ret_min, &init_ctx, GSS_C_NO_BUFFER);
+ gss_delete_sec_context(&ret_min, &accept_ctx, GSS_C_NO_BUFFER);
return ret;
}

92
Initialize-interposed-mech-list-without-allocation.patch Normal file
View File

@ -0,0 +1,92 @@
From 4abda7e47551f39adfc074fc017f6006a4b91a19 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 27 Aug 2020 12:32:06 -0400
Subject: [PATCH] Initialize interposed mech list without allocation
While we had already fixed the leak here in main, the code performed
unnecessary extra work, so just replacethe whole lot with a function
that does not do any extra allocation or copy.
Signed-off-by: Simo Sorce <simo@redhat.com>
[rharwood@redhat.com: commit message]
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit 447d5352c2a81e219ccf04348a87b2ff25b7de15)
---
src/mechglue/gss_plugin.c | 31 ++++++++++++++++++++++++++-----
1 file changed, 26 insertions(+), 5 deletions(-)
diff --git a/src/mechglue/gss_plugin.c b/src/mechglue/gss_plugin.c
index 8f401e9..5767f4d 100644
--- a/src/mechglue/gss_plugin.c
+++ b/src/mechglue/gss_plugin.c
@@ -65,6 +65,8 @@ enum gpp_behavior gpp_get_behavior(void)
return behavior;
}
+static void gpp_init_special_available_mechs(const gss_OID_set mechs);
+
/* 2.16.840.1.113730.3.8.15.1 */
const gss_OID_desc gssproxy_mech_interposer = {
.length = 11,
@@ -76,7 +78,6 @@ gss_OID_set gss_mech_interposer(gss_OID mech_type)
gss_OID_set interposed_mechs;
OM_uint32 maj, min;
char *envval;
- gss_OID_set special_mechs;
/* avoid looping in the gssproxy daemon by avoiding to interpose
* any mechanism */
@@ -119,8 +120,7 @@ gss_OID_set gss_mech_interposer(gss_OID mech_type)
}
/* while there also initiaize special_mechs */
- special_mechs = gpp_special_available_mechs(interposed_mechs);
- (void)gss_release_oid_set(&min, &special_mechs);
+ gpp_init_special_available_mechs(interposed_mechs);
done:
if (maj != 0) {
@@ -307,13 +307,13 @@ gss_OID_set gpp_special_available_mechs(const gss_OID_set mechs)
gss_OID n;
uint32_t maj, min;
- item = gpp_get_special_oids();
-
maj = gss_create_empty_oid_set(&min, &amechs);
if (maj) {
return GSS_C_NO_OID_SET;
}
for (size_t i = 0; i < mechs->count; i++) {
+ item = gpp_get_special_oids();
+
while (item) {
if (gpp_is_special_oid(&mechs->elements[i])) {
maj = gss_add_oid_set_member(&min,
@@ -354,6 +354,27 @@ done:
return amechs;
}
+static void gpp_init_special_available_mechs(const gss_OID_set mechs)
+{
+ struct gpp_special_oid_list *item;
+
+ for (size_t i = 0; i < mechs->count; i++) {
+ item = gpp_get_special_oids();
+
+ while (item) {
+ if (gpp_is_special_oid(&mechs->elements[i]) ||
+ gpp_special_equal(&item->special_oid, &mechs->elements[i])) {
+ break;
+ }
+ item = gpp_next_special_oids(item);
+ }
+ if (item == NULL) {
+ /* not found, add to static list */
+ (void)gpp_new_special_mech(&mechs->elements[i]);
+ }
+ }
+}
+
OM_uint32 gssi_internal_release_oid(OM_uint32 *minor_status, gss_OID *oid)
{
struct gpp_special_oid_list *item = NULL;

27
Make-sure-to-free-also-the-remote-ctx-struct.patch Normal file
View File

@ -0,0 +1,27 @@
From 8d5457c290d513781b54be54ede9c81cc5d1fff8 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 27 Aug 2020 12:44:45 -0400
Subject: [PATCH] Make sure to free also the remote ctx struct
The xdr_free() call only frees the contents and not the containing
structure itself.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit e6811347c23b6c62d9f1869da089ab9900f97a84)
---
src/client/gpm_release_handle.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/client/gpm_release_handle.c b/src/client/gpm_release_handle.c
index 8f49ee9..2f70781 100644
--- a/src/client/gpm_release_handle.c
+++ b/src/client/gpm_release_handle.c
@@ -106,5 +106,7 @@ rel_done:
gpm_free_xdrs(GSSX_RELEASE_HANDLE, &uarg, &ures);
done:
xdr_free((xdrproc_t)xdr_gssx_ctx, (char *)r);
+ free(r);
+ *context_handle = NULL;
return ret;
}

156
Return-static-oids-for-naming-functions.patch Normal file
View File

@ -0,0 +1,156 @@
From 41cb9683627d6c3b136a4b48e1b1842619132f16 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 27 Aug 2020 17:01:39 -0400
Subject: [PATCH] Return static oids for naming functions
gss_display_name and gss_inquire_name reteurn "static" oids, that are
generally not freed by callers, so make sure to match and return actual
static OIDs exported by GSSAPI.
Also remove gpm_equal_oids() and use the library provided gss_oid_equal
function instead.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit 6ea8391257e687dfb3981b634c06cf7a55008eb0)
---
src/client/gpm_import_and_canon_name.c | 28 ++++++++++++++++++++++++--
src/client/gpm_indicate_mechs.c | 24 +++++-----------------
src/client/gssapi_gpm.h | 1 +
3 files changed, 32 insertions(+), 21 deletions(-)
diff --git a/src/client/gpm_import_and_canon_name.c b/src/client/gpm_import_and_canon_name.c
index 70149a3..88b8d7c 100644
--- a/src/client/gpm_import_and_canon_name.c
+++ b/src/client/gpm_import_and_canon_name.c
@@ -2,6 +2,26 @@
#include "gssapi_gpm.h"
+static int gpm_name_oid_to_static(gss_OID name_type, gss_OID *name_static)
+{
+#define ret_static(b) \
+ if (gss_oid_equal(name_type, b)) { \
+ *name_static = b; \
+ return 0; \
+ }
+ ret_static(GSS_C_NT_USER_NAME);
+ ret_static(GSS_C_NT_MACHINE_UID_NAME);
+ ret_static(GSS_C_NT_STRING_UID_NAME);
+ ret_static(GSS_C_NT_HOSTBASED_SERVICE_X);
+ ret_static(GSS_C_NT_HOSTBASED_SERVICE);
+ ret_static(GSS_C_NT_ANONYMOUS);
+ ret_static(GSS_C_NT_EXPORT_NAME);
+ ret_static(GSS_C_NT_COMPOSITE_EXPORT);
+ ret_static(GSS_KRB5_NT_PRINCIPAL_NAME);
+ ret_static(gss_nt_krb5_name);
+ return ENOENT;
+}
+
OM_uint32 gpm_display_name(OM_uint32 *minor_status,
gssx_name *in_name,
gss_buffer_t output_name_buffer,
@@ -57,7 +77,9 @@ OM_uint32 gpm_display_name(OM_uint32 *minor_status,
}
if (output_name_type) {
- ret = gp_conv_gssx_to_oid_alloc(&in_name->name_type, output_name_type);
+ gss_OID_desc oid;
+ gp_conv_gssx_to_oid(&in_name->name_type, &oid);
+ ret = gpm_name_oid_to_static(&oid, output_name_type);
if (ret) {
gss_release_buffer(&discard, output_name_buffer);
ret_min = ret;
@@ -285,7 +307,9 @@ OM_uint32 gpm_inquire_name(OM_uint32 *minor_status,
}
if (MN_mech != NULL) {
- ret = gp_conv_gssx_to_oid_alloc(&name->name_type, MN_mech);
+ gss_OID_desc oid;
+ gp_conv_gssx_to_oid(&name->name_type, &oid);
+ ret = gpm_name_oid_to_static(&oid, MN_mech);
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
diff --git a/src/client/gpm_indicate_mechs.c b/src/client/gpm_indicate_mechs.c
index 86c7de3..4041dcd 100644
--- a/src/client/gpm_indicate_mechs.c
+++ b/src/client/gpm_indicate_mechs.c
@@ -95,20 +95,6 @@ static uint32_t gpm_copy_gss_buffer(uint32_t *minor_status,
return GSS_S_COMPLETE;
}
-static bool gpm_equal_oids(gss_const_OID a, gss_const_OID b)
-{
- int ret;
-
- if (a->length == b->length) {
- ret = memcmp(a->elements, b->elements, a->length);
- if (ret == 0) {
- return true;
- }
- }
-
- return false;
-}
-
static void gpmint_indicate_mechs(void)
{
union gp_rpc_arg uarg;
@@ -313,7 +299,7 @@ int gpm_mech_to_static(gss_OID mech_type, gss_OID *mech_static)
*mech_static = GSS_C_NO_OID;
for (size_t i = 0; i < global_mechs.mech_set->count; i++) {
- if (gpm_equal_oids(&global_mechs.mech_set->elements[i], mech_type)) {
+ if (gss_oid_equal(&global_mechs.mech_set->elements[i], mech_type)) {
*mech_static = &global_mechs.mech_set->elements[i];
return 0;
}
@@ -383,7 +369,7 @@ OM_uint32 gpm_inquire_names_for_mech(OM_uint32 *minor_status,
}
for (unsigned i = 0; i < global_mechs.info_len; i++) {
- if (!gpm_equal_oids(global_mechs.info[i].mech, mech_type)) {
+ if (!gss_oid_equal(global_mechs.info[i].mech, mech_type)) {
continue;
}
ret_maj = gpm_copy_gss_OID_set(&ret_min,
@@ -481,7 +467,7 @@ OM_uint32 gpm_inquire_attrs_for_mech(OM_uint32 *minor_status,
}
for (unsigned i = 0; i < global_mechs.info_len; i++) {
- if (!gpm_equal_oids(global_mechs.info[i].mech, mech)) {
+ if (!gss_oid_equal(global_mechs.info[i].mech, mech)) {
continue;
}
@@ -540,7 +526,7 @@ OM_uint32 gpm_inquire_saslname_for_mech(OM_uint32 *minor_status,
}
for (unsigned i = 0; i < global_mechs.info_len; i++) {
- if (!gpm_equal_oids(global_mechs.info[i].mech, desired_mech)) {
+ if (!gss_oid_equal(global_mechs.info[i].mech, desired_mech)) {
continue;
}
ret_maj = gpm_copy_gss_buffer(&ret_min,
@@ -598,7 +584,7 @@ OM_uint32 gpm_display_mech_attr(OM_uint32 *minor_status,
}
for (unsigned i = 0; i < global_mechs.desc_len; i++) {
- if (!gpm_equal_oids(global_mechs.desc[i].attr, mech_attr)) {
+ if (!gss_oid_equal(global_mechs.desc[i].attr, mech_attr)) {
continue;
}
ret_maj = gpm_copy_gss_buffer(&ret_min,
diff --git a/src/client/gssapi_gpm.h b/src/client/gssapi_gpm.h
index b7ba04b..bdf12e1 100644
--- a/src/client/gssapi_gpm.h
+++ b/src/client/gssapi_gpm.h
@@ -10,6 +10,7 @@
#include <string.h>
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_ext.h>
+#include <gssapi/gssapi_krb5.h>
#include "rpcgen/gp_rpc.h"
#include "rpcgen/gss_proxy.h"
#include "src/gp_common.h"

30
Use-static-OIDs-in-gss_inquire_context.patch Normal file
View File

@ -0,0 +1,30 @@
From 9cc525b1f1184241483705dfc0a4162bc0c55632 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 27 Aug 2020 17:21:03 -0400
Subject: [PATCH] Use static OIDs in gss_inquire_context()
As per other functions gssapi expect a static OID here.
Signed-off-by: Simo Sorce <simo@redhat.com>
[rharwood@redhat.com: commit message fixup]
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit 502e448b3b126bf828ed871496dd7520d5075564)
---
src/client/gpm_inquire_context.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/client/gpm_inquire_context.c b/src/client/gpm_inquire_context.c
index 8c683fe..5800a8d 100644
--- a/src/client/gpm_inquire_context.c
+++ b/src/client/gpm_inquire_context.c
@@ -51,7 +51,9 @@ OM_uint32 gpm_inquire_context(OM_uint32 *minor_status,
}
if (mech_type) {
- ret = gp_conv_gssx_to_oid_alloc(&context_handle->mech, mech_type);
+ gss_OID_desc mech;
+ gp_conv_gssx_to_oid(&context_handle->mech, &mech);
+ ret = gpm_mech_to_static(&mech, mech_type);
if (ret) {
if (src_name) {
(void)gpm_release_name(&tmp_min, src_name);

39
Use-the-correct-function-to-free-unused-creds.patch Normal file
View File

@ -0,0 +1,39 @@
From f77b75b7928a2c7813aebc8a1ec107d495627685 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 27 Aug 2020 13:20:49 -0400
Subject: [PATCH] Use the correct function to free unused creds
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit a2ffd1230fd572d7fa9099af2365dfb7ac394d07)
---
src/mechglue/gpp_creds.c | 2 +-
src/mechglue/gpp_init_sec_context.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/mechglue/gpp_creds.c b/src/mechglue/gpp_creds.c
index e87da82..338fadd 100644
--- a/src/mechglue/gpp_creds.c
+++ b/src/mechglue/gpp_creds.c
@@ -895,7 +895,7 @@ done:
if (maj == GSS_S_COMPLETE) {
*cred_handle = (gss_cred_id_t)cred;
} else {
- free(cred);
+ (void)gpp_cred_handle_free(&min, cred);
}
(void)gss_release_buffer(&min, &wrap_token);
return maj;
diff --git a/src/mechglue/gpp_init_sec_context.c b/src/mechglue/gpp_init_sec_context.c
index 94d9b01..bb878df 100644
--- a/src/mechglue/gpp_init_sec_context.c
+++ b/src/mechglue/gpp_init_sec_context.c
@@ -215,7 +215,7 @@ done:
*context_handle = (gss_ctx_id_t)ctx_handle;
if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) {
- free(cred_handle);
+ (void)gpp_cred_handle_free(&min, cred_handle);
}
return maj;
}

14
gssproxy.spec
View File

@ -1,7 +1,7 @@
Name: gssproxy Name: gssproxy
Version: 0.8.3 Version: 0.8.3
Release: 5%{?dist} Release: 6%{?dist}
Summary: GSSAPI Proxy Summary: GSSAPI Proxy
License: MIT License: MIT
@ -13,6 +13,15 @@ Patch0: Initialize-our-epoll_event-structures.patch
Patch1: Avoid-leak-of-special-mechs-in-gss_mech_interposer.patch Patch1: Avoid-leak-of-special-mechs-in-gss_mech_interposer.patch
Patch2: Fix-leak-of-mech-OID-in-gssi_inquire_context.patch Patch2: Fix-leak-of-mech-OID-in-gssi_inquire_context.patch
Patch3: Document-config-file-non-merging.patch Patch3: Document-config-file-non-merging.patch
Patch4: Expand-use-of-global-static-mechs-to-conform-to-SPI.patch
Patch5: Initialize-interposed-mech-list-without-allocation.patch
Patch6: Make-sure-to-free-also-the-remote-ctx-struct.patch
Patch7: Use-the-correct-function-to-free-unused-creds.patch
Patch8: Fix-leaks-in-our-test-suite-itself.patch
Patch9: Always-free-ciphertext-data-in-gp_encrypt_buffer.patch
Patch10: Return-static-oids-for-naming-functions.patch
Patch11: Avoid-unnecessary-allocation-in-gpm_inquire_mechs_fo.patch
Patch12: Use-static-OIDs-in-gss_inquire_context.patch
%global servicename gssproxy %global servicename gssproxy
%global pubconfpath %{_sysconfdir}/gssproxy %global pubconfpath %{_sysconfdir}/gssproxy
@ -114,6 +123,9 @@ install -m644 %{SOURCE1} $RPM_BUILD_ROOT/%{_sysconfdir}/rwtab.d/gssproxy
%systemd_postun_with_restart gssproxy.service %systemd_postun_with_restart gssproxy.service
%changelog %changelog
* Thu Oct 29 2020 Robbie Harwood <rharwood@redhat.com> - 0.8.3-6
- Leak fix pullup
* Mon Oct 12 2020 Robbie Harwood <rharwood@redhat.com> - 0.8.3-5 * Mon Oct 12 2020 Robbie Harwood <rharwood@redhat.com> - 0.8.3-5
- Document config file non-merging - Document config file non-merging