Kerberos Heimdal Heimdal - General

Memory leak with Squid negotiate_kerberos_auth helper under OpenBSD 6.3

classic Classic list List threaded Threaded
6 messages Options
Silamael
Reply | Threaded
Open this post in threaded view
|

Memory leak with Squid negotiate_kerberos_auth helper under OpenBSD 6.3

Silamael
Hi,


I'm currently investigating a problem with Squids Kerberos
authentication helper using Heimdal 7.5.0 under OpenBSD 6.3.

Squid version is 3.2.27 and it's not the official OpenBSD port since it
lacks support for Kerberos at all.

I see a rapidly increasing memory consumption of the
negotiate_kerberos_auth process when processing authentication requests.

The helper is talking to a Windows 2016 AD server.

Are there any known problems with Heimdal under OpenBSD 6.3?

Can you perhaps give me some hints how to debug the problem?

The massive leak happened after Heimdal has been updated from version
1.5.3 to 7.4.0 in prior versions of OpenBSD.

After updating to OpenBSD 6.3 and Heimdal 7.5.0, the memory leak still
exists.


Thanks in advance!


-- Matthias

Harald Barth-2
Reply | Threaded
Open this post in threaded view
|

Re: Memory leak with Squid negotiate_kerberos_auth helper under OpenBSD 6.3

Harald Barth-2

This might help: http://www.drijf.net/malloc/

Harald.
Silamael
Reply | Threaded
Open this post in threaded view
|

Re: Memory leak with Squid negotiate_kerberos_auth helper under OpenBSD 6.3

Silamael
On 09/03/2018 01:49 PM, Harald Barth wrote:
> This might help: http://www.drijf.net/malloc/
>
> Harald.

Hello Harald,

Thanks for this hint but unfortunately that led to a totally broken
system :(
Any other ideas? Some debugging knobs in Heimdal itself?

-- Matthias
Viktor Dukhovni-2
Reply | Threaded
Open this post in threaded view
|

Re: Memory leak with Squid negotiate_kerberos_auth helper under OpenBSD 6.3

Viktor Dukhovni-2
In reply to this post by Silamael


> On Sep 3, 2018, at 7:16 AM, Silamael <[hidden email]> wrote:
>
> Are there any known problems with Heimdal under OpenBSD 6.3?

None known.  I'd change the code to exit the main loop after a number
of requests (say 100), and run it under valgrind.

--
        Viktor.

Alibek Jorajev
Reply | Threaded
Open this post in threaded view
|

Linking issues

Alibek Jorajev
Hi !

just a quick question - if someone knows straight away  - please reply, otherwise I will investigate myself.

I have build Heimdal 7.5.0 for Mac and ARM v.7.
when I am trying to do final link with the application, I am getting this:

Undefined symbols for architecture x86_64:
  "___heim_string_constant", referenced from:
      _an2ln_def_plug_an2ln in my_lib.a(libkrb5_la-aname_to_localname.o)
  "_heim_number_create", referenced from:
      _an2ln_def_plug_an2ln in my_lib.a(libkrb5_la-aname_to_localname.o)
  "_heim_data_ref_create", referenced from:
      _an2ln_def_plug_an2ln in my_lib.a(libkrb5_la-aname_to_localname.o)
  "_hc_RC4", referenced from:
      _v2_sign_message in my_lib.a(crypto.o)
      _v1_sign_message in my_lib.a(crypto.o)
      __gss_ntlm_verify_mic in my_lib.a(crypto.o)
      __gss_ntlm_wrap in my_lib.a(crypto.o)
      _v2_seal_message in my_lib.a(crypto.o)
      __gss_ntlm_unwrap in my_lib.a(crypto.o)
      _v2_unseal_message in my_lib.a(crypto.o)
      ...
  "_hc_EVP_CIPHER_CTX_block_size", referenced from:
      __krb5_evp_encrypt_cts in my_lib.a(libkrb5_la-crypto-evp.o)
  "_hc_EVP_CIPHER_CTX_iv_length", referenced from:
      __krb5_evp_encrypt in my_lib.a(libkrb5_la-crypto-evp.o)
  "_hc_DES_ede3_cbc_encrypt", referenced from:


and many other similar missing symbols, like "_hc_EVP_BytesToKey", "_hc_EVP_aes_192_cbc", etc.

I can see that these symbols are redefines of OpenSSL symbols. but it is not clear for me (at this moment) how it should be linked.


I am using these libraries :

libasn1.a    libcom_err.a    libgssapi.a    libheimntlm.a    libhx509.a    libkrb5.a    libroken.a    libwind.a



is there any additional steps I need to do here?

regards,
Alibek
Alibek Jorajev
Reply | Threaded
Open this post in threaded view
|

Re: Linking issues

Alibek Jorajev
ok, replying myself:


Heimdal 7.5.0 (as opposed to 1.4) has new libraries:  libheimbase, libhcrypto, etc.

so they all need to be passed to the linker.


Alibek



On Tuesday, 11 September 2018, 13:06:34 GMT+1, Alibek Jorajev <[hidden email]> wrote:


Hi !

just a quick question - if someone knows straight away  - please reply, otherwise I will investigate myself.

I have build Heimdal 7.5.0 for Mac and ARM v.7.
when I am trying to do final link with the application, I am getting this:

Undefined symbols for architecture x86_64:
  "___heim_string_constant", referenced from:
      _an2ln_def_plug_an2ln in my_lib.a(libkrb5_la-aname_to_localname.o)
  "_heim_number_create", referenced from:
      _an2ln_def_plug_an2ln in my_lib.a(libkrb5_la-aname_to_localname.o)
  "_heim_data_ref_create", referenced from:
      _an2ln_def_plug_an2ln in my_lib.a(libkrb5_la-aname_to_localname.o)
  "_hc_RC4", referenced from:
      _v2_sign_message in my_lib.a(crypto.o)
      _v1_sign_message in my_lib.a(crypto.o)
      __gss_ntlm_verify_mic in my_lib.a(crypto.o)
      __gss_ntlm_wrap in my_lib.a(crypto.o)
      _v2_seal_message in my_lib.a(crypto.o)
      __gss_ntlm_unwrap in my_lib.a(crypto.o)
      _v2_unseal_message in my_lib.a(crypto.o)
      ...
  "_hc_EVP_CIPHER_CTX_block_size", referenced from:
      __krb5_evp_encrypt_cts in my_lib.a(libkrb5_la-crypto-evp.o)
  "_hc_EVP_CIPHER_CTX_iv_length", referenced from:
      __krb5_evp_encrypt in my_lib.a(libkrb5_la-crypto-evp.o)
  "_hc_DES_ede3_cbc_encrypt", referenced from:


and many other similar missing symbols, like "_hc_EVP_BytesToKey", "_hc_EVP_aes_192_cbc", etc.

I can see that these symbols are redefines of OpenSSL symbols. but it is not clear for me (at this moment) how it should be linked.


I am using these libraries :

libasn1.a    libcom_err.a    libgssapi.a    libheimntlm.a    libhx509.a    libkrb5.a    libroken.a    libwind.a



is there any additional steps I need to do here?

regards,
Alibek
Free forum by Nabble Edit this page