Bug 2982

Summary:

gssapi_cleanup: supported mechs should be freed via gss_release_oid_set

Product:

Portable OpenSSH

Reporter:

Markus <markus>

Component:

ssh

Assignee:

Damien Miller <djm>

Status:

ASSIGNED ---

Severity:

normal

CC:

djm, dtucker

Priority:

Version:

7.9p1

Hardware:

All

OS:

Windows 10

Bug Depends on:

Bug Blocks:

3549

Attachments:

Description	Flags
free 'supported mechs' through gss_release_oid_set() call	none
better version	none
use existing cleanup mechanism	none
cleanup GSSAPI mechanisms at end of authentication	djm: ok? (dtucker)

Description Markus 2019-03-15 20:37:26 AEDT

Created attachment 3254 [details]
free 'supported mechs' through gss_release_oid_set() call

Attached is a small patch that should be applied before the 8.0 release.

It fixes a problem with a recent patch (authored by me), where gssapi_cleanup was introduced and gssapi resources are freed.

It turns out that the supported_mechs should not be just freed but instead freed through gss_release_oid_set.

The error is probably irrelevant in the *ix/bsd environments, but turned out to be an error under Windows if a dynamic lib (gssapi.dll) from MIT Kerbereros is used.

Comment 1 Markus 2019-04-23 19:05:38 AEST

Created attachment 3269 [details]
better version


It turns out that the mechs should not only be freed via gss_release_oid_set.

I also found that that it would be better to do this at the end of the userauth2() function because gss_cleanup is called multiple times when more than one method is reported/tried.

Comment 2 Damien Miller 2019-07-12 14:05:17 AEST

Created attachment 3299 [details]
use existing cleanup mechanism

I think we should reuse the existing cleanup mechanism here. I don't have a working krb/gssapi installation ATM so I can't really test this though.

Comment 3 Markus 2019-07-12 17:30:48 AEST

> I think we should reuse the existing cleanup mechanism here. I don't
> have a working krb/gssapi installation ATM so I can't really test
> this though.

I have debugged this and found that in some circumstances, gssapi_cleanup() is called multiple times (see comment1).

If the gssapi system reports multiple mechs it goes through the cycle init/cleanup for each mech.  

So the supported-mechs-list is on sort of a higher level than a single gssapi auth attempt.

Hence, releasing the mechs-list itself should not be done in the gssapi_cleanup function but at the very end of authentication.

Comment 4 Markus 2019-07-12 17:32:59 AEST

(If you are not comfortable with this change, please go back to the old behavior (I think in 7.8 before gssapi_cleanup was introducted) and let the supported-mechs list leak instead.)

Comment 5 Damien Miller 2019-10-09 15:07:27 AEDT

Retarget these bugs to 8.2 release

Comment 6 Damien Miller 2020-02-04 11:44:23 AEDT

Prepare for 8.2 release; retarget bugs

Comment 7 Damien Miller 2020-05-08 13:39:16 AEST

Retarget bugs to 8.4 release

Comment 8 Damien Miller 2021-03-04 09:47:03 AEDT

retarget to 8.6

Comment 9 Damien Miller 2021-04-23 14:50:13 AEST

retarget after 8.6p1 release

Comment 10 Damien Miller 2021-07-02 14:36:41 AEST

Created attachment 3533 [details]
cleanup GSSAPI mechanisms at end of authentication