rpms/gssproxy
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Add an option for minimum lifetime

Browse Source 
* Remove unused patch files
* Fix date typographical error in changelog

Resolves: rhbz#2184333
Signed-off-by: Julien Rische <jrische@redhat.com>
This commit is contained in:
Julien Rische 2023-04-03 15:30:43 +02:00
parent 634e05ea42
commit b4a8dd811a
15 changed files with 148 additions and 931 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

139
0001-Add-an-option-for-minimum-lifetime.patch Normal file
View File

@ -0,0 +1,139 @@
From 7945bd756c5e41ec223c058b2c698809f04f3c77 Mon Sep 17 00:00:00 2001
From: Scott Mayhew <smayhew@redhat.com>
Date: Thu, 2 Sep 2021 12:44:27 -0400
Subject: [PATCH] Add an option for minimum lifetime
It's possible for gssproxy to return a cached credential with a very
small remaining lifetime. This can be problematic for NFS clients since
it requires a round trip to the NFS server to establish a GSS context.
Add a min_lifetime option that represents the lowest value that the
lifetime of the cached credential can be. Any lower than that, and
gp_check_cred() returns GSS_S_CREDENTIALS_EXPIRED, so that
gp_add_krb5_creds() is forced to try to obtain a new credential.
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
---
examples/99-nfs-client.conf.in | 1 +
man/gssproxy.conf.5.xml | 15 +++++++++++++++
src/gp_config.c | 12 ++++++++++++
src/gp_creds.c | 12 ++++++++++--
src/gp_proxy.h | 1 +
5 files changed, 39 insertions(+), 2 deletions(-)
diff --git a/examples/99-nfs-client.conf.in b/examples/99-nfs-client.conf.in
index c0985d9..9dd1891 100644
--- a/examples/99-nfs-client.conf.in
+++ b/examples/99-nfs-client.conf.in
@@ -7,3 +7,4 @@
allow_any_uid = yes
trusted = yes
euid = 0
+ min_lifetime = 60
diff --git a/man/gssproxy.conf.5.xml b/man/gssproxy.conf.5.xml
index 67dce68..f02b1d3 100644
--- a/man/gssproxy.conf.5.xml
+++ b/man/gssproxy.conf.5.xml
@@ -331,6 +331,21 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>min_lifetime (integer)</term>
+ <listitem>
+ <para>Minimum lifetime of a cached credential, in seconds.</para>
+ <para>If non-zero, when gssproxy is deciding whether to use
+ a cached credential, it will compare the lifetime of the
+ cached credential to this value. If the lifetime of the
+ cached credential is lower, gssproxy will treat the cached
+ credential as expired and will attempt to obtain a new
+ credential.
+ </para>
+ <para>Default: min_lifetime = 15</para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>program (string)</term>
<listitem>
diff --git a/src/gp_config.c b/src/gp_config.c
index 88d5f29..6a6aa90 100644
--- a/src/gp_config.c
+++ b/src/gp_config.c
@@ -32,6 +32,7 @@ struct gp_flag_def flag_names[] = {
#define DEFAULT_FILTERED_FLAGS GSS_C_DELEG_FLAG
#define DEFAULT_ENFORCED_FLAGS 0
+#define DEFAULT_MIN_LIFETIME 15
static void free_str_array(const char ***a, int *count)
{
@@ -538,6 +539,17 @@ static int load_services(struct gp_config *cfg, struct gp_ini_context *ctx)
goto done;
}
}
+
+ cfg->svcs[n]->min_lifetime = DEFAULT_MIN_LIFETIME;
+ ret = gp_config_get_int(ctx, secname, "min_lifetime", &valnum);
+ if (ret == 0) {
+ if (valnum >= 0) {
+ cfg->svcs[n]->min_lifetime = valnum;
+ } else {
+ GPDEBUG("Invalid value '%d' for min_lifetime in [%s], ignoring.\n",
+ valnum, secname);
+ }
+ }
}
safefree(secname);
}
diff --git a/src/gp_creds.c b/src/gp_creds.c
index 92a6f13..843d1a3 100644
--- a/src/gp_creds.c
+++ b/src/gp_creds.c
@@ -492,6 +492,7 @@ done:
}
static uint32_t gp_check_cred(uint32_t *min,
+ struct gp_service *svc,
gss_cred_id_t in_cred,
gssx_name *desired_name,
gss_cred_usage_t cred_usage)
@@ -563,7 +564,14 @@ static uint32_t gp_check_cred(uint32_t *min,
if (lifetime == 0) {
ret_maj = GSS_S_CREDENTIALS_EXPIRED;
} else {
- ret_maj = GSS_S_COMPLETE;
+ if (svc->min_lifetime && lifetime < svc->min_lifetime) {
+ GPDEBUG("%s: lifetime (%u) less than min_lifetime (%u) "
+ "for service \"%s\" - returning\n",
+ __func__, lifetime, svc->min_lifetime, svc->name);
+ ret_maj = GSS_S_CREDENTIALS_EXPIRED;
+ } else {
+ ret_maj = GSS_S_COMPLETE;
+ }
}
done:
@@ -622,7 +630,7 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
* function completely */
/* just check if it is a valid krb5 cred */
- ret_maj = gp_check_cred(&ret_min, in_cred, desired_name, cred_usage);
+ ret_maj = gp_check_cred(&ret_min, gpcall->service, in_cred, desired_name, cred_usage);
if (ret_maj == GSS_S_COMPLETE) {
return GSS_S_COMPLETE;
} else if (ret_maj == GSS_S_CREDENTIALS_EXPIRED ||
diff --git a/src/gp_proxy.h b/src/gp_proxy.h
index 3f58a43..f56d640 100644
--- a/src/gp_proxy.h
+++ b/src/gp_proxy.h
@@ -45,6 +45,7 @@ struct gp_service {
gss_cred_usage_t cred_usage;
uint32_t filter_flags;
uint32_t enforce_flags;
+ uint32_t min_lifetime;
char *program;
uint32_t mechs;
--
2.39.2

31
Always-free-ciphertext-data-in-gp_encrypt_buffer.patch
View File

@ -1,31 +0,0 @@
From d9a37354c9a040b151fbd737b84b7cacb315ec9d Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 27 Aug 2020 15:35:40 -0400
Subject: [PATCH] Always free ciphertext data in gp_encrypt_buffer
Signed-off-by: Simo Sorce <simo@redhat.com>
[rharwood@redhat.com: rewrote commit message]
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit fe9e3c29caab90daf19028fb31ff28622d8708a9)
---
src/gp_export.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/gp_export.c b/src/gp_export.c
index a5681c0..fb2f81b 100644
--- a/src/gp_export.c
+++ b/src/gp_export.c
@@ -308,10 +308,9 @@ static int gp_encrypt_buffer(krb5_context context, krb5_keyblock *key,
ret = gp_conv_octet_string(enc_handle.ciphertext.length,
enc_handle.ciphertext.data,
out);
- if (ret) {
- free(enc_handle.ciphertext.data);
- goto done;
- }
+ /* the conversion function copies the data, so free our copy
+ * unconditionally, or we leak */
+ free(enc_handle.ciphertext.data);
done:
free(padded);

33
Avoid-leak-of-special-mechs-in-gss_mech_interposer.patch
View File

@ -1,33 +0,0 @@
From 4b9e5f00d36d9b5c1f80835a989fa8865c045ff3 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 31 Jul 2020 13:23:30 -0400
Subject: [PATCH] Avoid leak of special mechs in gss_mech_interposer()
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit dc405df92173cceac2cafc09a70b1724bb2b97c8)
---
src/mechglue/gss_plugin.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/mechglue/gss_plugin.c b/src/mechglue/gss_plugin.c
index 69a9644..9ce3e15 100644
--- a/src/mechglue/gss_plugin.c
+++ b/src/mechglue/gss_plugin.c
@@ -76,6 +76,7 @@ gss_OID_set gss_mech_interposer(gss_OID mech_type)
gss_OID_set interposed_mechs;
OM_uint32 maj, min;
char *envval;
+ gss_OID_set special_mechs;
/* avoid looping in the gssproxy daemon by avoiding to interpose
* any mechanism */
@@ -118,7 +119,8 @@ gss_OID_set gss_mech_interposer(gss_OID mech_type)
}
/* while there also initiaize special_mechs */
- (void)gpp_special_available_mechs(interposed_mechs);
+ special_mechs = gpp_special_available_mechs(interposed_mechs);
+ (void)gss_release_oid_set(&min, &special_mechs);
done:
if (maj != 0) {

56
Avoid-unnecessary-allocation-in-gpm_inquire_mechs_fo.patch
View File

@ -1,56 +0,0 @@
From ebd66fbf42887220a0ff38cfea03a7b20fa4da17 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 27 Aug 2020 17:20:44 -0400
Subject: [PATCH] Avoid unnecessary allocation in gpm_inquire_mechs_for_name()
Signed-off-by: Simo Sorce <simo@redhat.com>
[rharwood@redhat.com: clarified commit message]
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit c0561c078bc22b9523ac25f515ad85b735c26a92)
---
src/client/gpm_indicate_mechs.c | 12 +++---------
1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/src/client/gpm_indicate_mechs.c b/src/client/gpm_indicate_mechs.c
index 4041dcd..73fadf0 100644
--- a/src/client/gpm_indicate_mechs.c
+++ b/src/client/gpm_indicate_mechs.c
@@ -390,7 +390,7 @@ OM_uint32 gpm_inquire_mechs_for_name(OM_uint32 *minor_status,
uint32_t ret_min;
uint32_t ret_maj;
uint32_t discard;
- gss_OID name_type = GSS_C_NO_OID;
+ gss_OID_desc name_type;
int present;
if (!minor_status) {
@@ -407,19 +407,14 @@ OM_uint32 gpm_inquire_mechs_for_name(OM_uint32 *minor_status,
return GSS_S_FAILURE;
}
- ret_min = gp_conv_gssx_to_oid_alloc(&input_name->name_type, &name_type);
- if (ret_min) {
- ret_maj = GSS_S_FAILURE;
- goto done;
- }
-
ret_maj = gss_create_empty_oid_set(&ret_min, mech_types);
if (ret_maj) {
goto done;
}
+ gp_conv_gssx_to_oid(&input_name->name_type, &name_type);
for (unsigned i = 0; i < global_mechs.info_len; i++) {
- ret_maj = gss_test_oid_set_member(&ret_min, name_type,
+ ret_maj = gss_test_oid_set_member(&ret_min, &name_type,
global_mechs.info[i].name_types,
&present);
if (ret_maj) {
@@ -437,7 +432,6 @@ OM_uint32 gpm_inquire_mechs_for_name(OM_uint32 *minor_status,
}
done:
- gss_release_oid(&discard, &name_type);
if (ret_maj) {
gss_release_oid_set(&discard, mech_types);
*minor_status = ret_min;

29
Document-config-file-non-merging.patch
View File

@ -1,29 +0,0 @@
From 2592d32c5c6d39f30dc0bfdb78b5c292ed0af2ae Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 10 Jun 2020 15:50:36 -0400
Subject: [PATCH] Document config file non-merging
Merges: #4
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
(cherry picked from commit a05b876badd52ba99d95c981f5f8b0e50de28c63)
---
man/gssproxy.conf.5.xml | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/man/gssproxy.conf.5.xml b/man/gssproxy.conf.5.xml
index 04059a8..5e240ab 100644
--- a/man/gssproxy.conf.5.xml
+++ b/man/gssproxy.conf.5.xml
@@ -37,7 +37,10 @@
of the form "##-foo.conf" (that is, start with two numbers
followed by a dash, and end in ".conf"). Files not conforming to
this will be ignored unless specifically requested through command
- line parameters.
+ line parameters. Within a single file, any duplicate values or
+ sections will be merged. Across multiple files, duplicates will
+ generate a warning, and the first value encountered will take
+ precedence (i.e., there is no merging).
</para>
</refsect1>

217
Expand-use-of-global-static-mechs-to-conform-to-SPI.patch
View File

@ -1,217 +0,0 @@
From b7ccb627f4663ca949e3483486478add8f61cb27 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 27 Aug 2020 11:34:45 -0400
Subject: [PATCH] Expand use of global static mechs to conform to SPI
GSSAPI requires some specific APIs to return "static" OIDs that the user
does not have to free. The krb5 mechglue in fact requires mechanisms to
also honor this or the mech oid will be irretrievably leaked in some
cases.
To accomodate this, expand use of global mechs structure we already
allocate for the gss_inidicate_mechs case so we can return "static" OIDs
from calls like ISC and ASC.
Signed-off-by: Simo Sorce <simo@redhat.com>
[rharwood@redhat.com: commit message fixups]
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit a3f13b30ef3c90ff7344c3913f6e26e55b82451f)
---
src/client/gpm_accept_sec_context.c | 22 ++++++-------------
src/client/gpm_common.c | 1 -
src/client/gpm_indicate_mechs.c | 34 +++++++++++++++++++++++++++++
src/client/gpm_init_sec_context.c | 19 +++++-----------
src/client/gssapi_gpm.h | 3 +++
src/mechglue/gss_plugin.c | 5 +++++
6 files changed, 55 insertions(+), 29 deletions(-)
diff --git a/src/client/gpm_accept_sec_context.c b/src/client/gpm_accept_sec_context.c
index ef5e79c..ab20b03 100644
--- a/src/client/gpm_accept_sec_context.c
+++ b/src/client/gpm_accept_sec_context.c
@@ -21,7 +21,6 @@ OM_uint32 gpm_accept_sec_context(OM_uint32 *minor_status,
gssx_res_accept_sec_context *res = &ures.accept_sec_context;
gssx_ctx *ctx = NULL;
gssx_name *name = NULL;
- gss_OID_desc *mech = NULL;
gss_buffer_t outbuf = NULL;
uint32_t ret_maj;
int ret;
@@ -70,15 +69,6 @@ OM_uint32 gpm_accept_sec_context(OM_uint32 *minor_status,
goto done;
}
- if (mech_type) {
- if (res->status.mech.octet_string_len) {
- ret = gp_conv_gssx_to_oid_alloc(&res->status.mech, &mech);
- if (ret) {
- goto done;
- }
- }
- }
-
ctx = res->context_handle;
/* we are stealing the delegated creds on success, so we do not want
* it to be freed by xdr_free */
@@ -101,8 +91,14 @@ OM_uint32 gpm_accept_sec_context(OM_uint32 *minor_status,
}
if (mech_type) {
- *mech_type = mech;
+ gss_OID_desc mech;
+ gp_conv_gssx_to_oid(&res->status.mech, &mech);
+ ret = gpm_mech_to_static(&mech, mech_type);
+ if (ret) {
+ goto done;
+ }
}
+
if (src_name) {
*src_name = name;
}
@@ -145,10 +141,6 @@ done:
xdr_free((xdrproc_t)xdr_gssx_name, (char *)name);
free(name);
}
- if (mech) {
- free(mech->elements);
- free(mech);
- }
if (outbuf) {
free(outbuf->value);
free(outbuf);
diff --git a/src/client/gpm_common.c b/src/client/gpm_common.c
index 786a77b..820243e 100644
--- a/src/client/gpm_common.c
+++ b/src/client/gpm_common.c
@@ -799,4 +799,3 @@ void gpm_free_xdrs(int proc, union gp_rpc_arg *arg, union gp_rpc_res *res)
xdr_free(gpm_xdr_set[proc].arg_fn, (char *)arg);
xdr_free(gpm_xdr_set[proc].res_fn, (char *)res);
}
-
diff --git a/src/client/gpm_indicate_mechs.c b/src/client/gpm_indicate_mechs.c
index b019a96..86c7de3 100644
--- a/src/client/gpm_indicate_mechs.c
+++ b/src/client/gpm_indicate_mechs.c
@@ -300,6 +300,40 @@ static int gpmint_init_global_mechs(void)
return 0;
}
+/* GSSAPI requires some APIs to return "static" mechs that callers do not need
+ * to free. So match a radom mech and return from our global "static" array */
+int gpm_mech_to_static(gss_OID mech_type, gss_OID *mech_static)
+{
+ int ret;
+
+ ret = gpmint_init_global_mechs();
+ if (ret) {
+ return ret;
+ }
+
+ *mech_static = GSS_C_NO_OID;
+ for (size_t i = 0; i < global_mechs.mech_set->count; i++) {
+ if (gpm_equal_oids(&global_mechs.mech_set->elements[i], mech_type)) {
+ *mech_static = &global_mechs.mech_set->elements[i];
+ return 0;
+ }
+ }
+ /* TODO: potentially in future add the mech to the list if missing */
+ return ENOENT;
+}
+
+bool gpm_mech_is_static(gss_OID mech_type)
+{
+ if (global_mechs.mech_set) {
+ for (size_t i = 0; i < global_mechs.mech_set->count; i++) {
+ if (&global_mechs.mech_set->elements[i] == mech_type) {
+ return true;
+ }
+ }
+ }
+ return false;
+}
+
OM_uint32 gpm_indicate_mechs(OM_uint32 *minor_status, gss_OID_set *mech_set)
{
uint32_t ret_min;
diff --git a/src/client/gpm_init_sec_context.c b/src/client/gpm_init_sec_context.c
index bea2010..b84ff94 100644
--- a/src/client/gpm_init_sec_context.c
+++ b/src/client/gpm_init_sec_context.c
@@ -43,7 +43,6 @@ OM_uint32 gpm_init_sec_context(OM_uint32 *minor_status,
gssx_arg_init_sec_context *arg = &uarg.init_sec_context;
gssx_res_init_sec_context *res = &ures.init_sec_context;
gssx_ctx *ctx = NULL;
- gss_OID_desc *mech = NULL;
gss_buffer_t outbuf = NULL;
uint32_t ret_maj = GSS_S_COMPLETE;
uint32_t ret_min = 0;
@@ -100,11 +99,12 @@ OM_uint32 gpm_init_sec_context(OM_uint32 *minor_status,
/* return values */
if (actual_mech_type) {
- if (res->status.mech.octet_string_len) {
- ret = gp_conv_gssx_to_oid_alloc(&res->status.mech, &mech);
- if (ret) {
- goto done;
- }
+ gss_OID_desc mech;
+ gp_conv_gssx_to_oid(&res->status.mech, &mech);
+ ret = gpm_mech_to_static(&mech, actual_mech_type);
+ if (ret) {
+ gpm_save_internal_status(ret, gp_strerror(ret));
+ goto done;
}
}
@@ -151,9 +151,6 @@ done:
gpm_free_xdrs(GSSX_INIT_SEC_CONTEXT, &uarg, &ures);
if (ret_maj == GSS_S_COMPLETE || ret_maj == GSS_S_CONTINUE_NEEDED) {
- if (actual_mech_type) {
- *actual_mech_type = mech;
- }
if (outbuf) {
*output_token = *outbuf;
free(outbuf);
@@ -170,10 +167,6 @@ done:
free(ctx);
ctx = NULL;
}
- if (mech) {
- free(mech->elements);
- free(mech);
- }
if (outbuf) {
free(outbuf->value);
free(outbuf);
diff --git a/src/client/gssapi_gpm.h b/src/client/gssapi_gpm.h
index 61124e0..b7ba04b 100644
--- a/src/client/gssapi_gpm.h
+++ b/src/client/gssapi_gpm.h
@@ -27,6 +27,9 @@ void gpm_display_status_init_once(void);
void gpm_save_status(gssx_status *status);
void gpm_save_internal_status(uint32_t err, char *err_str);
+int gpm_mech_to_static(gss_OID mech_type, gss_OID *mech_static);
+bool gpm_mech_is_static(gss_OID mech_type);
+
OM_uint32 gpm_display_status(OM_uint32 *minor_status,
OM_uint32 status_value,
int status_type,
diff --git a/src/mechglue/gss_plugin.c b/src/mechglue/gss_plugin.c
index 9ce3e15..8f401e9 100644
--- a/src/mechglue/gss_plugin.c
+++ b/src/mechglue/gss_plugin.c
@@ -376,6 +376,11 @@ OM_uint32 gssi_internal_release_oid(OM_uint32 *minor_status, gss_OID *oid)
item = gpp_next_special_oids(item);
}
+ if (gpm_mech_is_static(*oid)) {
+ *oid = GSS_C_NO_OID;
+ return GSS_S_COMPLETE;
+ }
+
/* none matched, it's not ours */
return GSS_S_CONTINUE_NEEDED;
}

26
Fix-leak-of-mech-OID-in-gssi_inquire_context.patch
View File

@ -1,26 +0,0 @@
From ce271e38be223a9442efd406c9a8fa961930e35b Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 26 Aug 2020 13:36:50 -0400
Subject: [PATCH] Fix leak of mech OID in gssi_inquire_context()
The name it creates holds a copy of the OID, which we need to release.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit 482349fa6bd536471216a898713c83260c78c08d)
---
src/mechglue/gpp_import_and_canon_name.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/mechglue/gpp_import_and_canon_name.c b/src/mechglue/gpp_import_and_canon_name.c
index 745be20..7d6829f 100644
--- a/src/mechglue/gpp_import_and_canon_name.c
+++ b/src/mechglue/gpp_import_and_canon_name.c
@@ -257,6 +257,8 @@ OM_uint32 gssi_release_name(OM_uint32 *minor_status,
return GSS_S_BAD_NAME;
}
+ (void)gss_release_oid(&rmin, &name->mech_type);
+
rmaj = gpm_release_name(&rmin, &name->remote);
if (name->local) {

156
Fix-leaks-in-our-test-suite-itself.patch
View File

@ -1,156 +0,0 @@
From 617d9ee9ce967cf20462e3cc7a575fda0f945075 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 27 Aug 2020 13:23:49 -0400
Subject: [PATCH] Fix leaks in our test suite itself
These are mostly laziness in freeing since the programs are short-lived.
Signed-off-by: Simo Sorce <simo@redhat.com>
[rharwood@redhat.com: rewrote commit message]
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit dc56c86f1dcb1ae4dbc35facf5f50fb21c9d5049)
---
tests/interposetest.c | 22 +++++++++++++++-------
tests/t_impersonate.c | 11 ++++++++---
tests/t_init.c | 2 ++
tests/t_setcredopt.c | 8 ++++++--
4 files changed, 31 insertions(+), 12 deletions(-)
diff --git a/tests/interposetest.c b/tests/interposetest.c
index a00904f..0cdd473 100644
--- a/tests/interposetest.c
+++ b/tests/interposetest.c
@@ -71,6 +71,8 @@ static int gptest_inq_context(gss_ctx_id_t ctx)
DEBUG("Context validity: %d sec.\n", time_rec);
done:
+ (void)gss_release_name(&min, &src_name);
+ (void)gss_release_name(&min, &targ_name);
(void)gss_release_buffer(&min, &sname);
(void)gss_release_buffer(&min, &tname);
(void)gss_release_buffer(&min, &mechstr);
@@ -274,7 +276,7 @@ void run_client(struct aproc *data)
gp_log_failure(GSS_C_NO_OID, ret_maj, ret_min);
goto done;
}
- fprintf(stdout, "Client, RECV: [%s]\n", buffer);
+ fprintf(stdout, "Client, RECV: [%*s]\n", buflen, buffer);
/* test gss_wrap_iov_length */
@@ -837,19 +839,22 @@ int main(int argc, const char *main_argv[])
if (opt_version) {
puts(VERSION""DISTRO_VERSION""PRERELEASE_VERSION);
- return 0;
+ ret = 0;
+ goto done;
}
if (opt_target == NULL) {
fprintf(stderr, "Missing target!\n");
poptPrintUsage(pc, stderr, 0);
- return 1;
+ ret = 1;
+ goto done;
}
if (!opt_all) {
- return run_cli_srv_test(PROXY_LOCAL_ONLY,
- PROXY_LOCAL_ONLY,
- opt_target);
+ ret = run_cli_srv_test(PROXY_LOCAL_ONLY,
+ PROXY_LOCAL_ONLY,
+ opt_target);
+ goto done;
}
for (i=0; i<4; i++) {
@@ -861,10 +866,13 @@ int main(int argc, const char *main_argv[])
lookup_gssproxy_behavior(k),
ret ? "failed" : "succeeded");
if (ret) {
- return ret;
+ goto done;
}
}
}
+done:
+ poptFreeContext(pc);
+ free(opt_target);
return ret;
}
diff --git a/tests/t_impersonate.c b/tests/t_impersonate.c
index 8ca6e9c..e7b0bc2 100644
--- a/tests/t_impersonate.c
+++ b/tests/t_impersonate.c
@@ -12,9 +12,9 @@ int main(int argc, const char *argv[])
gss_ctx_id_t accept_ctx = GSS_C_NO_CONTEXT;
gss_buffer_desc in_token = GSS_C_EMPTY_BUFFER;
gss_buffer_desc out_token = GSS_C_EMPTY_BUFFER;
- gss_name_t user_name;
- gss_name_t proxy_name;
- gss_name_t target_name;
+ gss_name_t user_name = GSS_C_NO_NAME;
+ gss_name_t proxy_name = GSS_C_NO_NAME;
+ gss_name_t target_name = GSS_C_NO_NAME;
gss_OID_set_desc oid_set = { 1, discard_const(gss_mech_krb5) };
uint32_t ret_maj;
uint32_t ret_min;
@@ -207,9 +207,14 @@ int main(int argc, const char *argv[])
ret = 0;
done:
+ gss_release_name(&ret_min, &user_name);
+ gss_release_name(&ret_min, &proxy_name);
+ gss_release_name(&ret_min, &target_name);
gss_release_buffer(&ret_min, &in_token);
gss_release_buffer(&ret_min, &out_token);
gss_release_cred(&ret_min, &impersonator_cred_handle);
gss_release_cred(&ret_min, &cred_handle);
+ gss_delete_sec_context(&ret_min, &accept_ctx, GSS_C_NO_BUFFER);
+ gss_delete_sec_context(&ret_min, &init_ctx, GSS_C_NO_BUFFER);
return ret;
}
diff --git a/tests/t_init.c b/tests/t_init.c
index 02407ce..76bd4c1 100644
--- a/tests/t_init.c
+++ b/tests/t_init.c
@@ -82,6 +82,8 @@ int main(int argc, const char *argv[])
goto done;
}
+ gss_release_buffer(&ret_min, &out_token);
+
ret = t_recv_buffer(STDIN_FD, buffer, &buflen);
if (ret != 0) {
DEBUG("Failed to read token from STDIN\n");
diff --git a/tests/t_setcredopt.c b/tests/t_setcredopt.c
index 1399474..bc5e13f 100644
--- a/tests/t_setcredopt.c
+++ b/tests/t_setcredopt.c
@@ -12,8 +12,8 @@ int main(int argc, const char *argv[])
gss_ctx_id_t accept_ctx = GSS_C_NO_CONTEXT;
gss_buffer_desc in_token = GSS_C_EMPTY_BUFFER;
gss_buffer_desc out_token = GSS_C_EMPTY_BUFFER;
- gss_name_t user_name;
- gss_name_t target_name;
+ gss_name_t user_name = GSS_C_NO_NAME;
+ gss_name_t target_name = GSS_C_NO_NAME;
gss_OID_set_desc oid_set = { 1, discard_const(gss_mech_krb5) };
uint32_t ret_maj;
uint32_t ret_min;
@@ -160,8 +160,12 @@ int main(int argc, const char *argv[])
ret = 0;
done:
+ gss_release_name(&ret_min, &user_name);
+ gss_release_name(&ret_min, &target_name);
gss_release_buffer(&ret_min, &in_token);
gss_release_buffer(&ret_min, &out_token);
gss_release_cred(&ret_min, &cred_handle);
+ gss_delete_sec_context(&ret_min, &init_ctx, GSS_C_NO_BUFFER);
+ gss_delete_sec_context(&ret_min, &accept_ctx, GSS_C_NO_BUFFER);
return ret;
}

92
Initialize-interposed-mech-list-without-allocation.patch
View File

@ -1,92 +0,0 @@
From 4abda7e47551f39adfc074fc017f6006a4b91a19 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 27 Aug 2020 12:32:06 -0400
Subject: [PATCH] Initialize interposed mech list without allocation
While we had already fixed the leak here in main, the code performed
unnecessary extra work, so just replacethe whole lot with a function
that does not do any extra allocation or copy.
Signed-off-by: Simo Sorce <simo@redhat.com>
[rharwood@redhat.com: commit message]
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit 447d5352c2a81e219ccf04348a87b2ff25b7de15)
---
src/mechglue/gss_plugin.c | 31 ++++++++++++++++++++++++++-----
1 file changed, 26 insertions(+), 5 deletions(-)
diff --git a/src/mechglue/gss_plugin.c b/src/mechglue/gss_plugin.c
index 8f401e9..5767f4d 100644
--- a/src/mechglue/gss_plugin.c
+++ b/src/mechglue/gss_plugin.c
@@ -65,6 +65,8 @@ enum gpp_behavior gpp_get_behavior(void)
return behavior;
}
+static void gpp_init_special_available_mechs(const gss_OID_set mechs);
+
/* 2.16.840.1.113730.3.8.15.1 */
const gss_OID_desc gssproxy_mech_interposer = {
.length = 11,
@@ -76,7 +78,6 @@ gss_OID_set gss_mech_interposer(gss_OID mech_type)
gss_OID_set interposed_mechs;
OM_uint32 maj, min;
char *envval;
- gss_OID_set special_mechs;
/* avoid looping in the gssproxy daemon by avoiding to interpose
* any mechanism */
@@ -119,8 +120,7 @@ gss_OID_set gss_mech_interposer(gss_OID mech_type)
}
/* while there also initiaize special_mechs */
- special_mechs = gpp_special_available_mechs(interposed_mechs);
- (void)gss_release_oid_set(&min, &special_mechs);
+ gpp_init_special_available_mechs(interposed_mechs);
done:
if (maj != 0) {
@@ -307,13 +307,13 @@ gss_OID_set gpp_special_available_mechs(const gss_OID_set mechs)
gss_OID n;
uint32_t maj, min;
- item = gpp_get_special_oids();
-
maj = gss_create_empty_oid_set(&min, &amechs);
if (maj) {
return GSS_C_NO_OID_SET;
}
for (size_t i = 0; i < mechs->count; i++) {
+ item = gpp_get_special_oids();
+
while (item) {
if (gpp_is_special_oid(&mechs->elements[i])) {
maj = gss_add_oid_set_member(&min,
@@ -354,6 +354,27 @@ done:
return amechs;
}
+static void gpp_init_special_available_mechs(const gss_OID_set mechs)
+{
+ struct gpp_special_oid_list *item;
+
+ for (size_t i = 0; i < mechs->count; i++) {
+ item = gpp_get_special_oids();
+
+ while (item) {
+ if (gpp_is_special_oid(&mechs->elements[i]) ||
+ gpp_special_equal(&item->special_oid, &mechs->elements[i])) {
+ break;
+ }
+ item = gpp_next_special_oids(item);
+ }
+ if (item == NULL) {
+ /* not found, add to static list */
+ (void)gpp_new_special_mech(&mechs->elements[i]);
+ }
+ }
+}
+
OM_uint32 gssi_internal_release_oid(OM_uint32 *minor_status, gss_OID *oid)
{
struct gpp_special_oid_list *item = NULL;

37
Initialize-our-epoll_event-structures.patch
View File

@ -1,37 +0,0 @@
From 35579d9de1d3f295fb4548c73fc6a729d04128c6 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 30 Jul 2020 16:43:30 -0400
Subject: [PATCH] Initialize our epoll_event structures
Fixes a valgrind error for the other fields of epoll_event.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit 48bfadc538bca3b9ca478c711af75245163d0b67)
---
src/client/gpm_common.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/client/gpm_common.c b/src/client/gpm_common.c
index 60b1fdc..786a77b 100644
--- a/src/client/gpm_common.c
+++ b/src/client/gpm_common.c
@@ -199,6 +199,8 @@ static int gpm_epoll_setup(struct gpm_ctx *gpmctx)
struct epoll_event ev;
int ret;
+ memset(&ev, 0, sizeof(ev));
+
if (gpmctx->epollfd >= 0) {
gpm_epoll_close(gpmctx);
}
@@ -280,6 +282,10 @@ static int gpm_epoll_wait(struct gpm_ctx *gpmctx, uint32_t event_flags)
struct epoll_event events[2];
uint64_t timer_read;
+ memset(&ev, 0, sizeof(ev));
+ memset(&events[0], 0, sizeof(events[0]));
+ memset(&events[1], 0, sizeof(events[1]));
+
if (gpmctx->epollfd < 0) {
ret = gpm_epoll_setup(gpmctx);
if (ret)

27
Make-sure-to-free-also-the-remote-ctx-struct.patch
View File

@ -1,27 +0,0 @@
From 8d5457c290d513781b54be54ede9c81cc5d1fff8 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 27 Aug 2020 12:44:45 -0400
Subject: [PATCH] Make sure to free also the remote ctx struct
The xdr_free() call only frees the contents and not the containing
structure itself.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit e6811347c23b6c62d9f1869da089ab9900f97a84)
---
src/client/gpm_release_handle.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/client/gpm_release_handle.c b/src/client/gpm_release_handle.c
index 8f49ee9..2f70781 100644
--- a/src/client/gpm_release_handle.c
+++ b/src/client/gpm_release_handle.c
@@ -106,5 +106,7 @@ rel_done:
gpm_free_xdrs(GSSX_RELEASE_HANDLE, &uarg, &ures);
done:
xdr_free((xdrproc_t)xdr_gssx_ctx, (char *)r);
+ free(r);
+ *context_handle = NULL;
return ret;
}

156
Return-static-oids-for-naming-functions.patch
View File

@ -1,156 +0,0 @@
From 41cb9683627d6c3b136a4b48e1b1842619132f16 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 27 Aug 2020 17:01:39 -0400
Subject: [PATCH] Return static oids for naming functions
gss_display_name and gss_inquire_name reteurn "static" oids, that are
generally not freed by callers, so make sure to match and return actual
static OIDs exported by GSSAPI.
Also remove gpm_equal_oids() and use the library provided gss_oid_equal
function instead.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit 6ea8391257e687dfb3981b634c06cf7a55008eb0)
---
src/client/gpm_import_and_canon_name.c | 28 ++++++++++++++++++++++++--
src/client/gpm_indicate_mechs.c | 24 +++++-----------------
src/client/gssapi_gpm.h | 1 +
3 files changed, 32 insertions(+), 21 deletions(-)
diff --git a/src/client/gpm_import_and_canon_name.c b/src/client/gpm_import_and_canon_name.c
index 70149a3..88b8d7c 100644
--- a/src/client/gpm_import_and_canon_name.c
+++ b/src/client/gpm_import_and_canon_name.c
@@ -2,6 +2,26 @@
#include "gssapi_gpm.h"
+static int gpm_name_oid_to_static(gss_OID name_type, gss_OID *name_static)
+{
+#define ret_static(b) \
+ if (gss_oid_equal(name_type, b)) { \
+ *name_static = b; \
+ return 0; \
+ }
+ ret_static(GSS_C_NT_USER_NAME);
+ ret_static(GSS_C_NT_MACHINE_UID_NAME);
+ ret_static(GSS_C_NT_STRING_UID_NAME);
+ ret_static(GSS_C_NT_HOSTBASED_SERVICE_X);
+ ret_static(GSS_C_NT_HOSTBASED_SERVICE);
+ ret_static(GSS_C_NT_ANONYMOUS);
+ ret_static(GSS_C_NT_EXPORT_NAME);
+ ret_static(GSS_C_NT_COMPOSITE_EXPORT);
+ ret_static(GSS_KRB5_NT_PRINCIPAL_NAME);
+ ret_static(gss_nt_krb5_name);
+ return ENOENT;
+}
+
OM_uint32 gpm_display_name(OM_uint32 *minor_status,
gssx_name *in_name,
gss_buffer_t output_name_buffer,
@@ -57,7 +77,9 @@ OM_uint32 gpm_display_name(OM_uint32 *minor_status,
}
if (output_name_type) {
- ret = gp_conv_gssx_to_oid_alloc(&in_name->name_type, output_name_type);
+ gss_OID_desc oid;
+ gp_conv_gssx_to_oid(&in_name->name_type, &oid);
+ ret = gpm_name_oid_to_static(&oid, output_name_type);
if (ret) {
gss_release_buffer(&discard, output_name_buffer);
ret_min = ret;
@@ -285,7 +307,9 @@ OM_uint32 gpm_inquire_name(OM_uint32 *minor_status,
}
if (MN_mech != NULL) {
- ret = gp_conv_gssx_to_oid_alloc(&name->name_type, MN_mech);
+ gss_OID_desc oid;
+ gp_conv_gssx_to_oid(&name->name_type, &oid);
+ ret = gpm_name_oid_to_static(&oid, MN_mech);
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
diff --git a/src/client/gpm_indicate_mechs.c b/src/client/gpm_indicate_mechs.c
index 86c7de3..4041dcd 100644
--- a/src/client/gpm_indicate_mechs.c
+++ b/src/client/gpm_indicate_mechs.c
@@ -95,20 +95,6 @@ static uint32_t gpm_copy_gss_buffer(uint32_t *minor_status,
return GSS_S_COMPLETE;
}
-static bool gpm_equal_oids(gss_const_OID a, gss_const_OID b)
-{
- int ret;
-
- if (a->length == b->length) {
- ret = memcmp(a->elements, b->elements, a->length);
- if (ret == 0) {
- return true;
- }
- }
-
- return false;
-}
-
static void gpmint_indicate_mechs(void)
{
union gp_rpc_arg uarg;
@@ -313,7 +299,7 @@ int gpm_mech_to_static(gss_OID mech_type, gss_OID *mech_static)
*mech_static = GSS_C_NO_OID;
for (size_t i = 0; i < global_mechs.mech_set->count; i++) {
- if (gpm_equal_oids(&global_mechs.mech_set->elements[i], mech_type)) {
+ if (gss_oid_equal(&global_mechs.mech_set->elements[i], mech_type)) {
*mech_static = &global_mechs.mech_set->elements[i];
return 0;
}
@@ -383,7 +369,7 @@ OM_uint32 gpm_inquire_names_for_mech(OM_uint32 *minor_status,
}
for (unsigned i = 0; i < global_mechs.info_len; i++) {
- if (!gpm_equal_oids(global_mechs.info[i].mech, mech_type)) {
+ if (!gss_oid_equal(global_mechs.info[i].mech, mech_type)) {
continue;
}
ret_maj = gpm_copy_gss_OID_set(&ret_min,
@@ -481,7 +467,7 @@ OM_uint32 gpm_inquire_attrs_for_mech(OM_uint32 *minor_status,
}
for (unsigned i = 0; i < global_mechs.info_len; i++) {
- if (!gpm_equal_oids(global_mechs.info[i].mech, mech)) {
+ if (!gss_oid_equal(global_mechs.info[i].mech, mech)) {
continue;
}
@@ -540,7 +526,7 @@ OM_uint32 gpm_inquire_saslname_for_mech(OM_uint32 *minor_status,
}
for (unsigned i = 0; i < global_mechs.info_len; i++) {
- if (!gpm_equal_oids(global_mechs.info[i].mech, desired_mech)) {
+ if (!gss_oid_equal(global_mechs.info[i].mech, desired_mech)) {
continue;
}
ret_maj = gpm_copy_gss_buffer(&ret_min,
@@ -598,7 +584,7 @@ OM_uint32 gpm_display_mech_attr(OM_uint32 *minor_status,
}
for (unsigned i = 0; i < global_mechs.desc_len; i++) {
- if (!gpm_equal_oids(global_mechs.desc[i].attr, mech_attr)) {
+ if (!gss_oid_equal(global_mechs.desc[i].attr, mech_attr)) {
continue;
}
ret_maj = gpm_copy_gss_buffer(&ret_min,
diff --git a/src/client/gssapi_gpm.h b/src/client/gssapi_gpm.h
index b7ba04b..bdf12e1 100644
--- a/src/client/gssapi_gpm.h
+++ b/src/client/gssapi_gpm.h
@@ -10,6 +10,7 @@
#include <string.h>
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_ext.h>
+#include <gssapi/gssapi_krb5.h>
#include "rpcgen/gp_rpc.h"
#include "rpcgen/gss_proxy.h"
#include "src/gp_common.h"

30
Use-static-OIDs-in-gss_inquire_context.patch
View File

@ -1,30 +0,0 @@
From 9cc525b1f1184241483705dfc0a4162bc0c55632 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 27 Aug 2020 17:21:03 -0400
Subject: [PATCH] Use static OIDs in gss_inquire_context()
As per other functions gssapi expect a static OID here.
Signed-off-by: Simo Sorce <simo@redhat.com>
[rharwood@redhat.com: commit message fixup]
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit 502e448b3b126bf828ed871496dd7520d5075564)
---
src/client/gpm_inquire_context.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/client/gpm_inquire_context.c b/src/client/gpm_inquire_context.c
index 8c683fe..5800a8d 100644
--- a/src/client/gpm_inquire_context.c
+++ b/src/client/gpm_inquire_context.c
@@ -51,7 +51,9 @@ OM_uint32 gpm_inquire_context(OM_uint32 *minor_status,
}
if (mech_type) {
- ret = gp_conv_gssx_to_oid_alloc(&context_handle->mech, mech_type);
+ gss_OID_desc mech;
+ gp_conv_gssx_to_oid(&context_handle->mech, &mech);
+ ret = gpm_mech_to_static(&mech, mech_type);
if (ret) {
if (src_name) {
(void)gpm_release_name(&tmp_min, src_name);

39
Use-the-correct-function-to-free-unused-creds.patch
View File

@ -1,39 +0,0 @@
From f77b75b7928a2c7813aebc8a1ec107d495627685 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 27 Aug 2020 13:20:49 -0400
Subject: [PATCH] Use the correct function to free unused creds
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit a2ffd1230fd572d7fa9099af2365dfb7ac394d07)
---
src/mechglue/gpp_creds.c | 2 +-
src/mechglue/gpp_init_sec_context.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/mechglue/gpp_creds.c b/src/mechglue/gpp_creds.c
index e87da82..338fadd 100644
--- a/src/mechglue/gpp_creds.c
+++ b/src/mechglue/gpp_creds.c
@@ -895,7 +895,7 @@ done:
if (maj == GSS_S_COMPLETE) {
*cred_handle = (gss_cred_id_t)cred;
} else {
- free(cred);
+ (void)gpp_cred_handle_free(&min, cred);
}
(void)gss_release_buffer(&min, &wrap_token);
return maj;
diff --git a/src/mechglue/gpp_init_sec_context.c b/src/mechglue/gpp_init_sec_context.c
index 94d9b01..bb878df 100644
--- a/src/mechglue/gpp_init_sec_context.c
+++ b/src/mechglue/gpp_init_sec_context.c
@@ -215,7 +215,7 @@ done:
*context_handle = (gss_ctx_id_t)ctx_handle;
if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) {
- free(cred_handle);
+ (void)gpp_cred_handle_free(&min, cred_handle);
}
return maj;
}

11
gssproxy.spec
View File

@ -1,7 +1,7 @@
Name: gssproxy Name: gssproxy
Version: 0.8.4 Version: 0.8.4
Release: 4%{?dist} Release: 5%{?dist}
Summary: GSSAPI Proxy Summary: GSSAPI Proxy
License: MIT License: MIT
@ -14,6 +14,7 @@ Source1: rwtab
%global gpstatedir %{_localstatedir}/lib/gssproxy %global gpstatedir %{_localstatedir}/lib/gssproxy
### Patches ### ### Patches ###
Patch0001: 0001-Add-an-option-for-minimum-lifetime.patch
### Dependencies ### ### Dependencies ###
Requires: krb5-libs >= 1.12.0 Requires: krb5-libs >= 1.12.0
@ -110,6 +111,12 @@ install -m644 %{SOURCE1} $RPM_BUILD_ROOT/%{_sysconfdir}/rwtab.d/gssproxy
%systemd_postun_with_restart gssproxy.service %systemd_postun_with_restart gssproxy.service
%changelog %changelog
* Mon Apr 03 2023 Julien Rische <jrische@redhat.com> - 0.8.4-5
- Add an option for minimum lifetime
- Resolves: rhbz#2184333
- Remove unused patch files
- Fix date typographical error in changelog
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com>
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688 Related: rhbz#1991688
@ -120,7 +127,7 @@ install -m644 %{SOURCE1} $RPM_BUILD_ROOT/%{_sysconfdir}/rwtab.d/gssproxy
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.4-2 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Jan 13 2020 Robbie Harwood <rharwood@redhat.com> - 0.8.4-1 * Wed Jan 13 2021 Robbie Harwood <rharwood@redhat.com> - 0.8.4-1
- New upstream release (0.8.4) - New upstream release (0.8.4)
* Thu Oct 29 2020 Robbie Harwood <rharwood@redhat.com> - 0.8.3-6 * Thu Oct 29 2020 Robbie Harwood <rharwood@redhat.com> - 0.8.3-6