diff --git a/SOURCES/Always-free-ciphertext-data-in-gp_encrypt_buffer.patch b/SOURCES/Always-free-ciphertext-data-in-gp_encrypt_buffer.patch
new file mode 100644
index 0000000..979e277
--- /dev/null
+++ b/SOURCES/Always-free-ciphertext-data-in-gp_encrypt_buffer.patch
@@ -0,0 +1,32 @@
+From ccac7b766cd871aa0baeaebd697b386a47c28812 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 27 Aug 2020 15:35:40 -0400
+Subject: [PATCH] Always free ciphertext data in gp_encrypt_buffer
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+[rharwood@redhat.com: rewrote commit message]
+Reviewed-by: Robbie Harwood <rharwood@redhat.com>
+(cherry picked from commit fe9e3c29caab90daf19028fb31ff28622d8708a9)
+(cherry picked from commit d9a37354c9a040b151fbd737b84b7cacb315ec9d)
+---
+ src/gp_export.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/src/gp_export.c b/src/gp_export.c
+index a5681c0..fb2f81b 100644
+--- a/src/gp_export.c
++++ b/src/gp_export.c
+@@ -308,10 +308,9 @@ static int gp_encrypt_buffer(krb5_context context, krb5_keyblock *key,
+ ret = gp_conv_octet_string(enc_handle.ciphertext.length,
+ enc_handle.ciphertext.data,
+ out);
+- if (ret) {
+- free(enc_handle.ciphertext.data);
+- goto done;
+- }
++ /* the conversion function copies the data, so free our copy
++ * unconditionally, or we leak */
++ free(enc_handle.ciphertext.data);
+
+ done:
+ free(padded);
diff --git a/SOURCES/Avoid-leak-of-special-mechs-in-gss_mech_interposer.patch b/SOURCES/Avoid-leak-of-special-mechs-in-gss_mech_interposer.patch
new file mode 100644
index 0000000..5baa122
--- /dev/null
+++ b/SOURCES/Avoid-leak-of-special-mechs-in-gss_mech_interposer.patch
@@ -0,0 +1,34 @@
+From 87a1335a9618788f5d82de08ed0587feebe92c74 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Fri, 31 Jul 2020 13:23:30 -0400
+Subject: [PATCH] Avoid leak of special mechs in gss_mech_interposer()
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+(cherry picked from commit dc405df92173cceac2cafc09a70b1724bb2b97c8)
+(cherry picked from commit 4b9e5f00d36d9b5c1f80835a989fa8865c045ff3)
+---
+ src/mechglue/gss_plugin.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/mechglue/gss_plugin.c b/src/mechglue/gss_plugin.c
+index d735537..8b799cf 100644
+--- a/src/mechglue/gss_plugin.c
++++ b/src/mechglue/gss_plugin.c
+@@ -76,6 +76,7 @@ gss_OID_set gss_mech_interposer(gss_OID mech_type)
+ gss_OID_set interposed_mechs;
+ OM_uint32 maj, min;
+ char *envval;
++ gss_OID_set special_mechs;
+
+ /* avoid looping in the gssproxy daemon by avoiding to interpose
+ * any mechanism */
+@@ -118,7 +119,8 @@ gss_OID_set gss_mech_interposer(gss_OID mech_type)
+ }
+
+ /* while there also initiaize special_mechs */
+- (void)gpp_special_available_mechs(interposed_mechs);
++ special_mechs = gpp_special_available_mechs(interposed_mechs);
++ (void)gss_release_oid_set(&min, &special_mechs);
+
+ done:
+ if (maj != 0) {
diff --git a/SOURCES/Avoid-unnecessary-allocation-in-gpm_inquire_mechs_fo.patch b/SOURCES/Avoid-unnecessary-allocation-in-gpm_inquire_mechs_fo.patch
new file mode 100644
index 0000000..3f7d0f3
--- /dev/null
+++ b/SOURCES/Avoid-unnecessary-allocation-in-gpm_inquire_mechs_fo.patch
@@ -0,0 +1,57 @@
+From 167d9775dd88cc91f74393fa487f126d21c560c7 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 27 Aug 2020 17:20:44 -0400
+Subject: [PATCH] Avoid unnecessary allocation in gpm_inquire_mechs_for_name()
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+[rharwood@redhat.com: clarified commit message]
+Reviewed-by: Robbie Harwood <rharwood@redhat.com>
+(cherry picked from commit c0561c078bc22b9523ac25f515ad85b735c26a92)
+(cherry picked from commit ebd66fbf42887220a0ff38cfea03a7b20fa4da17)
+---
+ src/client/gpm_indicate_mechs.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+diff --git a/src/client/gpm_indicate_mechs.c b/src/client/gpm_indicate_mechs.c
+index 4041dcd..73fadf0 100644
+--- a/src/client/gpm_indicate_mechs.c
++++ b/src/client/gpm_indicate_mechs.c
+@@ -390,7 +390,7 @@ OM_uint32 gpm_inquire_mechs_for_name(OM_uint32 *minor_status,
+ uint32_t ret_min;
+ uint32_t ret_maj;
+ uint32_t discard;
+- gss_OID name_type = GSS_C_NO_OID;
++ gss_OID_desc name_type;
+ int present;
+
+ if (!minor_status) {
+@@ -407,19 +407,14 @@ OM_uint32 gpm_inquire_mechs_for_name(OM_uint32 *minor_status,
+ return GSS_S_FAILURE;
+ }
+
+- ret_min = gp_conv_gssx_to_oid_alloc(&input_name->name_type, &name_type);
+- if (ret_min) {
+- ret_maj = GSS_S_FAILURE;
+- goto done;
+- }
+-
+ ret_maj = gss_create_empty_oid_set(&ret_min, mech_types);
+ if (ret_maj) {
+ goto done;
+ }
+
++ gp_conv_gssx_to_oid(&input_name->name_type, &name_type);
+ for (unsigned i = 0; i < global_mechs.info_len; i++) {
+- ret_maj = gss_test_oid_set_member(&ret_min, name_type,
++ ret_maj = gss_test_oid_set_member(&ret_min, &name_type,
+ global_mechs.info[i].name_types,
+ &present);
+ if (ret_maj) {
+@@ -437,7 +432,6 @@ OM_uint32 gpm_inquire_mechs_for_name(OM_uint32 *minor_status,
+ }
+
+ done:
+- gss_release_oid(&discard, &name_type);
+ if (ret_maj) {
+ gss_release_oid_set(&discard, mech_types);
+ *minor_status = ret_min;
diff --git a/SOURCES/Correctly-size-loop-counter-in-gpp_special_available.patch b/SOURCES/Correctly-size-loop-counter-in-gpp_special_available.patch
new file mode 100644
index 0000000..13e2b39
--- /dev/null
+++ b/SOURCES/Correctly-size-loop-counter-in-gpp_special_available.patch
@@ -0,0 +1,34 @@
+From 06cee2eb9ba3096cf5f1e532dae56132fd69c948 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Thu, 9 Apr 2020 12:00:04 -0400
+Subject: [PATCH] Correctly size loop counter in gpp_special_available_mechs()
+
+Fixes compiler warning for clang in CI.
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+(cherry picked from commit f9c0abb935125683972c9289db38dfe840f41b37)
+---
+ src/mechglue/gss_plugin.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/mechglue/gss_plugin.c b/src/mechglue/gss_plugin.c
+index bf70d87..b9813dc 100644
+--- a/src/mechglue/gss_plugin.c
++++ b/src/mechglue/gss_plugin.c
+@@ -306,7 +306,6 @@ gss_OID_set gpp_special_available_mechs(const gss_OID_set mechs)
+ struct gpp_special_oid_list *item;
+ gss_OID n;
+ uint32_t maj, min;
+- int i;
+
+ item = gpp_get_special_oids();
+
+@@ -314,7 +313,7 @@ gss_OID_set gpp_special_available_mechs(const gss_OID_set mechs)
+ if (maj) {
+ return GSS_C_NO_OID_SET;
+ }
+- for (i = 0; i < mechs->count; i++) {
++ for (size_t i = 0; i < mechs->count; i++) {
+ while (item) {
+ if (gpp_is_special_oid(&mechs->elements[i])) {
+ maj = gss_add_oid_set_member(&min,
diff --git a/SOURCES/Document-config-file-non-merging.patch b/SOURCES/Document-config-file-non-merging.patch
new file mode 100644
index 0000000..5fa05a4
--- /dev/null
+++ b/SOURCES/Document-config-file-non-merging.patch
@@ -0,0 +1,30 @@
+From ceeb1ff9226d21ff166d6737bab34b91fa6660fa Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Wed, 10 Jun 2020 15:50:36 -0400
+Subject: [PATCH] Document config file non-merging
+
+Merges: #4
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+Reviewed-by: Simo Sorce <simo@redhat.com>
+(cherry picked from commit a05b876badd52ba99d95c981f5f8b0e50de28c63)
+(cherry picked from commit 2592d32c5c6d39f30dc0bfdb78b5c292ed0af2ae)
+---
+ man/gssproxy.conf.5.xml | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/man/gssproxy.conf.5.xml b/man/gssproxy.conf.5.xml
+index 53cae3d..c8dd504 100644
+--- a/man/gssproxy.conf.5.xml
++++ b/man/gssproxy.conf.5.xml
+@@ -37,7 +37,10 @@
+ of the form "##-foo.conf" (that is, start with two numbers
+ followed by a dash, and end in ".conf"). Files not conforming to
+ this will be ignored unless specifically requested through command
+- line parameters.
++ line parameters. Within a single file, any duplicate values or
++ sections will be merged. Across multiple files, duplicates will
++ generate a warning, and the first value encountered will take
++ precedence (i.e., there is no merging).
+ </para>
+ </refsect1>
+
diff --git a/SOURCES/Expand-use-of-global-static-mechs-to-conform-to-SPI.patch b/SOURCES/Expand-use-of-global-static-mechs-to-conform-to-SPI.patch
new file mode 100644
index 0000000..dd3fcf0
--- /dev/null
+++ b/SOURCES/Expand-use-of-global-static-mechs-to-conform-to-SPI.patch
@@ -0,0 +1,218 @@
+From 2ca80c193ffa13c89b9b63fb9cb690a9789d5842 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 27 Aug 2020 11:34:45 -0400
+Subject: [PATCH] Expand use of global static mechs to conform to SPI
+
+GSSAPI requires some specific APIs to return "static" OIDs that the user
+does not have to free. The krb5 mechglue in fact requires mechanisms to
+also honor this or the mech oid will be irretrievably leaked in some
+cases.
+
+To accomodate this, expand use of global mechs structure we already
+allocate for the gss_inidicate_mechs case so we can return "static" OIDs
+from calls like ISC and ASC.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+[rharwood@redhat.com: commit message fixups]
+Reviewed-by: Robbie Harwood <rharwood@redhat.com>
+(cherry picked from commit a3f13b30ef3c90ff7344c3913f6e26e55b82451f)
+(cherry picked from commit b7ccb627f4663ca949e3483486478add8f61cb27)
+---
+ src/client/gpm_accept_sec_context.c | 22 ++++++-------------
+ src/client/gpm_common.c | 1 -
+ src/client/gpm_indicate_mechs.c | 34 +++++++++++++++++++++++++++++
+ src/client/gpm_init_sec_context.c | 19 +++++-----------
+ src/client/gssapi_gpm.h | 3 +++
+ src/mechglue/gss_plugin.c | 5 +++++
+ 6 files changed, 55 insertions(+), 29 deletions(-)
+
+diff --git a/src/client/gpm_accept_sec_context.c b/src/client/gpm_accept_sec_context.c
+index ef5e79c..ab20b03 100644
+--- a/src/client/gpm_accept_sec_context.c
++++ b/src/client/gpm_accept_sec_context.c
+@@ -21,7 +21,6 @@ OM_uint32 gpm_accept_sec_context(OM_uint32 *minor_status,
+ gssx_res_accept_sec_context *res = &ures.accept_sec_context;
+ gssx_ctx *ctx = NULL;
+ gssx_name *name = NULL;
+- gss_OID_desc *mech = NULL;
+ gss_buffer_t outbuf = NULL;
+ uint32_t ret_maj;
+ int ret;
+@@ -70,15 +69,6 @@ OM_uint32 gpm_accept_sec_context(OM_uint32 *minor_status,
+ goto done;
+ }
+
+- if (mech_type) {
+- if (res->status.mech.octet_string_len) {
+- ret = gp_conv_gssx_to_oid_alloc(&res->status.mech, &mech);
+- if (ret) {
+- goto done;
+- }
+- }
+- }
+-
+ ctx = res->context_handle;
+ /* we are stealing the delegated creds on success, so we do not want
+ * it to be freed by xdr_free */
+@@ -101,8 +91,14 @@ OM_uint32 gpm_accept_sec_context(OM_uint32 *minor_status,
+ }
+
+ if (mech_type) {
+- *mech_type = mech;
++ gss_OID_desc mech;
++ gp_conv_gssx_to_oid(&res->status.mech, &mech);
++ ret = gpm_mech_to_static(&mech, mech_type);
++ if (ret) {
++ goto done;
++ }
+ }
++
+ if (src_name) {
+ *src_name = name;
+ }
+@@ -145,10 +141,6 @@ done:
+ xdr_free((xdrproc_t)xdr_gssx_name, (char *)name);
+ free(name);
+ }
+- if (mech) {
+- free(mech->elements);
+- free(mech);
+- }
+ if (outbuf) {
+ free(outbuf->value);
+ free(outbuf);
+diff --git a/src/client/gpm_common.c b/src/client/gpm_common.c
+index d932ba2..02325c4 100644
+--- a/src/client/gpm_common.c
++++ b/src/client/gpm_common.c
+@@ -795,4 +795,3 @@ void gpm_free_xdrs(int proc, union gp_rpc_arg *arg, union gp_rpc_res *res)
+ xdr_free(gpm_xdr_set[proc].arg_fn, (char *)arg);
+ xdr_free(gpm_xdr_set[proc].res_fn, (char *)res);
+ }
+-
+diff --git a/src/client/gpm_indicate_mechs.c b/src/client/gpm_indicate_mechs.c
+index b019a96..86c7de3 100644
+--- a/src/client/gpm_indicate_mechs.c
++++ b/src/client/gpm_indicate_mechs.c
+@@ -300,6 +300,40 @@ static int gpmint_init_global_mechs(void)
+ return 0;
+ }
+
++/* GSSAPI requires some APIs to return "static" mechs that callers do not need
++ * to free. So match a radom mech and return from our global "static" array */
++int gpm_mech_to_static(gss_OID mech_type, gss_OID *mech_static)
++{
++ int ret;
++
++ ret = gpmint_init_global_mechs();
++ if (ret) {
++ return ret;
++ }
++
++ *mech_static = GSS_C_NO_OID;
++ for (size_t i = 0; i < global_mechs.mech_set->count; i++) {
++ if (gpm_equal_oids(&global_mechs.mech_set->elements[i], mech_type)) {
++ *mech_static = &global_mechs.mech_set->elements[i];
++ return 0;
++ }
++ }
++ /* TODO: potentially in future add the mech to the list if missing */
++ return ENOENT;
++}
++
++bool gpm_mech_is_static(gss_OID mech_type)
++{
++ if (global_mechs.mech_set) {
++ for (size_t i = 0; i < global_mechs.mech_set->count; i++) {
++ if (&global_mechs.mech_set->elements[i] == mech_type) {
++ return true;
++ }
++ }
++ }
++ return false;
++}
++
+ OM_uint32 gpm_indicate_mechs(OM_uint32 *minor_status, gss_OID_set *mech_set)
+ {
+ uint32_t ret_min;
+diff --git a/src/client/gpm_init_sec_context.c b/src/client/gpm_init_sec_context.c
+index bea2010..b84ff94 100644
+--- a/src/client/gpm_init_sec_context.c
++++ b/src/client/gpm_init_sec_context.c
+@@ -43,7 +43,6 @@ OM_uint32 gpm_init_sec_context(OM_uint32 *minor_status,
+ gssx_arg_init_sec_context *arg = &uarg.init_sec_context;
+ gssx_res_init_sec_context *res = &ures.init_sec_context;
+ gssx_ctx *ctx = NULL;
+- gss_OID_desc *mech = NULL;
+ gss_buffer_t outbuf = NULL;
+ uint32_t ret_maj = GSS_S_COMPLETE;
+ uint32_t ret_min = 0;
+@@ -100,11 +99,12 @@ OM_uint32 gpm_init_sec_context(OM_uint32 *minor_status,
+
+ /* return values */
+ if (actual_mech_type) {
+- if (res->status.mech.octet_string_len) {
+- ret = gp_conv_gssx_to_oid_alloc(&res->status.mech, &mech);
+- if (ret) {
+- goto done;
+- }
++ gss_OID_desc mech;
++ gp_conv_gssx_to_oid(&res->status.mech, &mech);
++ ret = gpm_mech_to_static(&mech, actual_mech_type);
++ if (ret) {
++ gpm_save_internal_status(ret, gp_strerror(ret));
++ goto done;
+ }
+ }
+
+@@ -151,9 +151,6 @@ done:
+ gpm_free_xdrs(GSSX_INIT_SEC_CONTEXT, &uarg, &ures);
+
+ if (ret_maj == GSS_S_COMPLETE || ret_maj == GSS_S_CONTINUE_NEEDED) {
+- if (actual_mech_type) {
+- *actual_mech_type = mech;
+- }
+ if (outbuf) {
+ *output_token = *outbuf;
+ free(outbuf);
+@@ -170,10 +167,6 @@ done:
+ free(ctx);
+ ctx = NULL;
+ }
+- if (mech) {
+- free(mech->elements);
+- free(mech);
+- }
+ if (outbuf) {
+ free(outbuf->value);
+ free(outbuf);
+diff --git a/src/client/gssapi_gpm.h b/src/client/gssapi_gpm.h
+index 61124e0..b7ba04b 100644
+--- a/src/client/gssapi_gpm.h
++++ b/src/client/gssapi_gpm.h
+@@ -27,6 +27,9 @@ void gpm_display_status_init_once(void);
+ void gpm_save_status(gssx_status *status);
+ void gpm_save_internal_status(uint32_t err, char *err_str);
+
++int gpm_mech_to_static(gss_OID mech_type, gss_OID *mech_static);
++bool gpm_mech_is_static(gss_OID mech_type);
++
+ OM_uint32 gpm_display_status(OM_uint32 *minor_status,
+ OM_uint32 status_value,
+ int status_type,
+diff --git a/src/mechglue/gss_plugin.c b/src/mechglue/gss_plugin.c
+index 8b799cf..bf70d87 100644
+--- a/src/mechglue/gss_plugin.c
++++ b/src/mechglue/gss_plugin.c
+@@ -377,6 +377,11 @@ OM_uint32 gssi_internal_release_oid(OM_uint32 *minor_status, gss_OID *oid)
+ item = gpp_next_special_oids(item);
+ }
+
++ if (gpm_mech_is_static(*oid)) {
++ *oid = GSS_C_NO_OID;
++ return GSS_S_COMPLETE;
++ }
++
+ /* none matched, it's not ours */
+ return GSS_S_CONTINUE_NEEDED;
+ }
diff --git a/SOURCES/Fix-leak-of-mech-OID-in-gssi_inquire_context.patch b/SOURCES/Fix-leak-of-mech-OID-in-gssi_inquire_context.patch
new file mode 100644
index 0000000..dbde259
--- /dev/null
+++ b/SOURCES/Fix-leak-of-mech-OID-in-gssi_inquire_context.patch
@@ -0,0 +1,27 @@
+From 7777d261923e0f0c3bd9cb2b7f0c2ac81b83f2c3 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Wed, 26 Aug 2020 13:36:50 -0400
+Subject: [PATCH] Fix leak of mech OID in gssi_inquire_context()
+
+The name it creates holds a copy of the OID, which we need to release.
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+(cherry picked from commit 482349fa6bd536471216a898713c83260c78c08d)
+(cherry picked from commit ce271e38be223a9442efd406c9a8fa961930e35b)
+---
+ src/mechglue/gpp_import_and_canon_name.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/mechglue/gpp_import_and_canon_name.c b/src/mechglue/gpp_import_and_canon_name.c
+index 745be20..7d6829f 100644
+--- a/src/mechglue/gpp_import_and_canon_name.c
++++ b/src/mechglue/gpp_import_and_canon_name.c
+@@ -257,6 +257,8 @@ OM_uint32 gssi_release_name(OM_uint32 *minor_status,
+ return GSS_S_BAD_NAME;
+ }
+
++ (void)gss_release_oid(&rmin, &name->mech_type);
++
+ rmaj = gpm_release_name(&rmin, &name->remote);
+
+ if (name->local) {
diff --git a/SOURCES/Fix-leaks-in-our-test-suite-itself.patch b/SOURCES/Fix-leaks-in-our-test-suite-itself.patch
new file mode 100644
index 0000000..70348af
--- /dev/null
+++ b/SOURCES/Fix-leaks-in-our-test-suite-itself.patch
@@ -0,0 +1,157 @@
+From 5881a9dbc87f20cd149f53f444b95e8b579638c7 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 27 Aug 2020 13:23:49 -0400
+Subject: [PATCH] Fix leaks in our test suite itself
+
+These are mostly laziness in freeing since the programs are short-lived.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+[rharwood@redhat.com: rewrote commit message]
+Reviewed-by: Robbie Harwood <rharwood@redhat.com>
+(cherry picked from commit dc56c86f1dcb1ae4dbc35facf5f50fb21c9d5049)
+(cherry picked from commit 617d9ee9ce967cf20462e3cc7a575fda0f945075)
+---
+ tests/interposetest.c | 22 +++++++++++++++-------
+ tests/t_impersonate.c | 11 ++++++++---
+ tests/t_init.c | 2 ++
+ tests/t_setcredopt.c | 8 ++++++--
+ 4 files changed, 31 insertions(+), 12 deletions(-)
+
+diff --git a/tests/interposetest.c b/tests/interposetest.c
+index a00904f..0cdd473 100644
+--- a/tests/interposetest.c
++++ b/tests/interposetest.c
+@@ -71,6 +71,8 @@ static int gptest_inq_context(gss_ctx_id_t ctx)
+ DEBUG("Context validity: %d sec.\n", time_rec);
+
+ done:
++ (void)gss_release_name(&min, &src_name);
++ (void)gss_release_name(&min, &targ_name);
+ (void)gss_release_buffer(&min, &sname);
+ (void)gss_release_buffer(&min, &tname);
+ (void)gss_release_buffer(&min, &mechstr);
+@@ -274,7 +276,7 @@ void run_client(struct aproc *data)
+ gp_log_failure(GSS_C_NO_OID, ret_maj, ret_min);
+ goto done;
+ }
+- fprintf(stdout, "Client, RECV: [%s]\n", buffer);
++ fprintf(stdout, "Client, RECV: [%*s]\n", buflen, buffer);
+
+ /* test gss_wrap_iov_length */
+
+@@ -837,19 +839,22 @@ int main(int argc, const char *main_argv[])
+
+ if (opt_version) {
+ puts(VERSION""DISTRO_VERSION""PRERELEASE_VERSION);
+- return 0;
++ ret = 0;
++ goto done;
+ }
+
+ if (opt_target == NULL) {
+ fprintf(stderr, "Missing target!\n");
+ poptPrintUsage(pc, stderr, 0);
+- return 1;
++ ret = 1;
++ goto done;
+ }
+
+ if (!opt_all) {
+- return run_cli_srv_test(PROXY_LOCAL_ONLY,
+- PROXY_LOCAL_ONLY,
+- opt_target);
++ ret = run_cli_srv_test(PROXY_LOCAL_ONLY,
++ PROXY_LOCAL_ONLY,
++ opt_target);
++ goto done;
+ }
+
+ for (i=0; i<4; i++) {
+@@ -861,10 +866,13 @@ int main(int argc, const char *main_argv[])
+ lookup_gssproxy_behavior(k),
+ ret ? "failed" : "succeeded");
+ if (ret) {
+- return ret;
++ goto done;
+ }
+ }
+ }
+
++done:
++ poptFreeContext(pc);
++ free(opt_target);
+ return ret;
+ }
+diff --git a/tests/t_impersonate.c b/tests/t_impersonate.c
+index 8ca6e9c..e7b0bc2 100644
+--- a/tests/t_impersonate.c
++++ b/tests/t_impersonate.c
+@@ -12,9 +12,9 @@ int main(int argc, const char *argv[])
+ gss_ctx_id_t accept_ctx = GSS_C_NO_CONTEXT;
+ gss_buffer_desc in_token = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc out_token = GSS_C_EMPTY_BUFFER;
+- gss_name_t user_name;
+- gss_name_t proxy_name;
+- gss_name_t target_name;
++ gss_name_t user_name = GSS_C_NO_NAME;
++ gss_name_t proxy_name = GSS_C_NO_NAME;
++ gss_name_t target_name = GSS_C_NO_NAME;
+ gss_OID_set_desc oid_set = { 1, discard_const(gss_mech_krb5) };
+ uint32_t ret_maj;
+ uint32_t ret_min;
+@@ -207,9 +207,14 @@ int main(int argc, const char *argv[])
+ ret = 0;
+
+ done:
++ gss_release_name(&ret_min, &user_name);
++ gss_release_name(&ret_min, &proxy_name);
++ gss_release_name(&ret_min, &target_name);
+ gss_release_buffer(&ret_min, &in_token);
+ gss_release_buffer(&ret_min, &out_token);
+ gss_release_cred(&ret_min, &impersonator_cred_handle);
+ gss_release_cred(&ret_min, &cred_handle);
++ gss_delete_sec_context(&ret_min, &accept_ctx, GSS_C_NO_BUFFER);
++ gss_delete_sec_context(&ret_min, &init_ctx, GSS_C_NO_BUFFER);
+ return ret;
+ }
+diff --git a/tests/t_init.c b/tests/t_init.c
+index 02407ce..76bd4c1 100644
+--- a/tests/t_init.c
++++ b/tests/t_init.c
+@@ -82,6 +82,8 @@ int main(int argc, const char *argv[])
+ goto done;
+ }
+
++ gss_release_buffer(&ret_min, &out_token);
++
+ ret = t_recv_buffer(STDIN_FD, buffer, &buflen);
+ if (ret != 0) {
+ DEBUG("Failed to read token from STDIN\n");
+diff --git a/tests/t_setcredopt.c b/tests/t_setcredopt.c
+index 1399474..bc5e13f 100644
+--- a/tests/t_setcredopt.c
++++ b/tests/t_setcredopt.c
+@@ -12,8 +12,8 @@ int main(int argc, const char *argv[])
+ gss_ctx_id_t accept_ctx = GSS_C_NO_CONTEXT;
+ gss_buffer_desc in_token = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc out_token = GSS_C_EMPTY_BUFFER;
+- gss_name_t user_name;
+- gss_name_t target_name;
++ gss_name_t user_name = GSS_C_NO_NAME;
++ gss_name_t target_name = GSS_C_NO_NAME;
+ gss_OID_set_desc oid_set = { 1, discard_const(gss_mech_krb5) };
+ uint32_t ret_maj;
+ uint32_t ret_min;
+@@ -160,8 +160,12 @@ int main(int argc, const char *argv[])
+ ret = 0;
+
+ done:
++ gss_release_name(&ret_min, &user_name);
++ gss_release_name(&ret_min, &target_name);
+ gss_release_buffer(&ret_min, &in_token);
+ gss_release_buffer(&ret_min, &out_token);
+ gss_release_cred(&ret_min, &cred_handle);
++ gss_delete_sec_context(&ret_min, &init_ctx, GSS_C_NO_BUFFER);
++ gss_delete_sec_context(&ret_min, &accept_ctx, GSS_C_NO_BUFFER);
+ return ret;
+ }
diff --git a/SOURCES/Initialize-interposed-mech-list-without-allocation.patch b/SOURCES/Initialize-interposed-mech-list-without-allocation.patch
new file mode 100644
index 0000000..3b8bb4f
--- /dev/null
+++ b/SOURCES/Initialize-interposed-mech-list-without-allocation.patch
@@ -0,0 +1,93 @@
+From 70f30d61e7f5da178e47dcfc8feb083a17be74ff Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 27 Aug 2020 12:32:06 -0400
+Subject: [PATCH] Initialize interposed mech list without allocation
+
+While we had already fixed the leak here in main, the code performed
+unnecessary extra work, so just replacethe whole lot with a function
+that does not do any extra allocation or copy.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+[rharwood@redhat.com: commit message]
+Reviewed-by: Robbie Harwood <rharwood@redhat.com>
+(cherry picked from commit 447d5352c2a81e219ccf04348a87b2ff25b7de15)
+(cherry picked from commit 4abda7e47551f39adfc074fc017f6006a4b91a19)
+---
+ src/mechglue/gss_plugin.c | 31 ++++++++++++++++++++++++++-----
+ 1 file changed, 26 insertions(+), 5 deletions(-)
+
+diff --git a/src/mechglue/gss_plugin.c b/src/mechglue/gss_plugin.c
+index b9813dc..79e04d0 100644
+--- a/src/mechglue/gss_plugin.c
++++ b/src/mechglue/gss_plugin.c
+@@ -65,6 +65,8 @@ enum gpp_behavior gpp_get_behavior(void)
+ return behavior;
+ }
+
++static void gpp_init_special_available_mechs(const gss_OID_set mechs);
++
+ /* 2.16.840.1.113730.3.8.15.1 */
+ const gss_OID_desc gssproxy_mech_interposer = {
+ .length = 11,
+@@ -76,7 +78,6 @@ gss_OID_set gss_mech_interposer(gss_OID mech_type)
+ gss_OID_set interposed_mechs;
+ OM_uint32 maj, min;
+ char *envval;
+- gss_OID_set special_mechs;
+
+ /* avoid looping in the gssproxy daemon by avoiding to interpose
+ * any mechanism */
+@@ -119,8 +120,7 @@ gss_OID_set gss_mech_interposer(gss_OID mech_type)
+ }
+
+ /* while there also initiaize special_mechs */
+- special_mechs = gpp_special_available_mechs(interposed_mechs);
+- (void)gss_release_oid_set(&min, &special_mechs);
++ gpp_init_special_available_mechs(interposed_mechs);
+
+ done:
+ if (maj != 0) {
+@@ -307,13 +307,13 @@ gss_OID_set gpp_special_available_mechs(const gss_OID_set mechs)
+ gss_OID n;
+ uint32_t maj, min;
+
+- item = gpp_get_special_oids();
+-
+ maj = gss_create_empty_oid_set(&min, &amechs);
+ if (maj) {
+ return GSS_C_NO_OID_SET;
+ }
+ for (size_t i = 0; i < mechs->count; i++) {
++ item = gpp_get_special_oids();
++
+ while (item) {
+ if (gpp_is_special_oid(&mechs->elements[i])) {
+ maj = gss_add_oid_set_member(&min,
+@@ -354,6 +354,27 @@ done:
+ return amechs;
+ }
+
++static void gpp_init_special_available_mechs(const gss_OID_set mechs)
++{
++ struct gpp_special_oid_list *item;
++
++ for (size_t i = 0; i < mechs->count; i++) {
++ item = gpp_get_special_oids();
++
++ while (item) {
++ if (gpp_is_special_oid(&mechs->elements[i]) ||
++ gpp_special_equal(&item->special_oid, &mechs->elements[i])) {
++ break;
++ }
++ item = gpp_next_special_oids(item);
++ }
++ if (item == NULL) {
++ /* not found, add to static list */
++ (void)gpp_new_special_mech(&mechs->elements[i]);
++ }
++ }
++}
++
+ OM_uint32 gssi_internal_release_oid(OM_uint32 *minor_status, gss_OID *oid)
+ {
+ struct gpp_special_oid_list *item = NULL;
diff --git a/SOURCES/Initialize-our-epoll_event-structures.patch b/SOURCES/Initialize-our-epoll_event-structures.patch
new file mode 100644
index 0000000..44751d9
--- /dev/null
+++ b/SOURCES/Initialize-our-epoll_event-structures.patch
@@ -0,0 +1,38 @@
+From c824b8ef3b5ec630edb0f8be78b64b2431c4482f Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Thu, 30 Jul 2020 16:43:30 -0400
+Subject: [PATCH] Initialize our epoll_event structures
+
+Fixes a valgrind error for the other fields of epoll_event.
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+(cherry picked from commit 48bfadc538bca3b9ca478c711af75245163d0b67)
+(cherry picked from commit 35579d9de1d3f295fb4548c73fc6a729d04128c6)
+---
+ src/client/gpm_common.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/client/gpm_common.c b/src/client/gpm_common.c
+index 808f350..d932ba2 100644
+--- a/src/client/gpm_common.c
++++ b/src/client/gpm_common.c
+@@ -195,6 +195,8 @@ static int gpm_epoll_setup(struct gpm_ctx *gpmctx)
+ struct epoll_event ev;
+ int ret;
+
++ memset(&ev, 0, sizeof(ev));
++
+ if (gpmctx->epollfd >= 0) {
+ gpm_epoll_close(gpmctx);
+ }
+@@ -276,6 +278,10 @@ static int gpm_epoll_wait(struct gpm_ctx *gpmctx, uint32_t event_flags)
+ struct epoll_event events[2];
+ uint64_t timer_read;
+
++ memset(&ev, 0, sizeof(ev));
++ memset(&events[0], 0, sizeof(events[0]));
++ memset(&events[1], 0, sizeof(events[1]));
++
+ if (gpmctx->epollfd < 0) {
+ ret = gpm_epoll_setup(gpmctx);
+ if (ret)
diff --git a/SOURCES/Make-sure-to-free-also-the-remote-ctx-struct.patch b/SOURCES/Make-sure-to-free-also-the-remote-ctx-struct.patch
new file mode 100644
index 0000000..95f93f1
--- /dev/null
+++ b/SOURCES/Make-sure-to-free-also-the-remote-ctx-struct.patch
@@ -0,0 +1,28 @@
+From a02741d82ff44b3c93747615f560dae1bbe7c57b Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 27 Aug 2020 12:44:45 -0400
+Subject: [PATCH] Make sure to free also the remote ctx struct
+
+The xdr_free() call only frees the contents and not the containing
+structure itself.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+Reviewed-by: Robbie Harwood <rharwood@redhat.com>
+(cherry picked from commit e6811347c23b6c62d9f1869da089ab9900f97a84)
+(cherry picked from commit 8d5457c290d513781b54be54ede9c81cc5d1fff8)
+---
+ src/client/gpm_release_handle.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/client/gpm_release_handle.c b/src/client/gpm_release_handle.c
+index 8f49ee9..2f70781 100644
+--- a/src/client/gpm_release_handle.c
++++ b/src/client/gpm_release_handle.c
+@@ -106,5 +106,7 @@ rel_done:
+ gpm_free_xdrs(GSSX_RELEASE_HANDLE, &uarg, &ures);
+ done:
+ xdr_free((xdrproc_t)xdr_gssx_ctx, (char *)r);
++ free(r);
++ *context_handle = NULL;
+ return ret;
+ }
diff --git a/SOURCES/Return-static-oids-for-naming-functions.patch b/SOURCES/Return-static-oids-for-naming-functions.patch
new file mode 100644
index 0000000..3444050
--- /dev/null
+++ b/SOURCES/Return-static-oids-for-naming-functions.patch
@@ -0,0 +1,157 @@
+From 0987e0e137854285d4022f5a910e7923d4e663fd Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 27 Aug 2020 17:01:39 -0400
+Subject: [PATCH] Return static oids for naming functions
+
+gss_display_name and gss_inquire_name reteurn "static" oids, that are
+generally not freed by callers, so make sure to match and return actual
+static OIDs exported by GSSAPI.
+
+Also remove gpm_equal_oids() and use the library provided gss_oid_equal
+function instead.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+Reviewed-by: Robbie Harwood <rharwood@redhat.com>
+(cherry picked from commit 6ea8391257e687dfb3981b634c06cf7a55008eb0)
+(cherry picked from commit 41cb9683627d6c3b136a4b48e1b1842619132f16)
+---
+ src/client/gpm_import_and_canon_name.c | 28 ++++++++++++++++++++++++--
+ src/client/gpm_indicate_mechs.c | 24 +++++-----------------
+ src/client/gssapi_gpm.h | 1 +
+ 3 files changed, 32 insertions(+), 21 deletions(-)
+
+diff --git a/src/client/gpm_import_and_canon_name.c b/src/client/gpm_import_and_canon_name.c
+index 70149a3..88b8d7c 100644
+--- a/src/client/gpm_import_and_canon_name.c
++++ b/src/client/gpm_import_and_canon_name.c
+@@ -2,6 +2,26 @@
+
+ #include "gssapi_gpm.h"
+
++static int gpm_name_oid_to_static(gss_OID name_type, gss_OID *name_static)
++{
++#define ret_static(b) \
++ if (gss_oid_equal(name_type, b)) { \
++ *name_static = b; \
++ return 0; \
++ }
++ ret_static(GSS_C_NT_USER_NAME);
++ ret_static(GSS_C_NT_MACHINE_UID_NAME);
++ ret_static(GSS_C_NT_STRING_UID_NAME);
++ ret_static(GSS_C_NT_HOSTBASED_SERVICE_X);
++ ret_static(GSS_C_NT_HOSTBASED_SERVICE);
++ ret_static(GSS_C_NT_ANONYMOUS);
++ ret_static(GSS_C_NT_EXPORT_NAME);
++ ret_static(GSS_C_NT_COMPOSITE_EXPORT);
++ ret_static(GSS_KRB5_NT_PRINCIPAL_NAME);
++ ret_static(gss_nt_krb5_name);
++ return ENOENT;
++}
++
+ OM_uint32 gpm_display_name(OM_uint32 *minor_status,
+ gssx_name *in_name,
+ gss_buffer_t output_name_buffer,
+@@ -57,7 +77,9 @@ OM_uint32 gpm_display_name(OM_uint32 *minor_status,
+ }
+
+ if (output_name_type) {
+- ret = gp_conv_gssx_to_oid_alloc(&in_name->name_type, output_name_type);
++ gss_OID_desc oid;
++ gp_conv_gssx_to_oid(&in_name->name_type, &oid);
++ ret = gpm_name_oid_to_static(&oid, output_name_type);
+ if (ret) {
+ gss_release_buffer(&discard, output_name_buffer);
+ ret_min = ret;
+@@ -285,7 +307,9 @@ OM_uint32 gpm_inquire_name(OM_uint32 *minor_status,
+ }
+
+ if (MN_mech != NULL) {
+- ret = gp_conv_gssx_to_oid_alloc(&name->name_type, MN_mech);
++ gss_OID_desc oid;
++ gp_conv_gssx_to_oid(&name->name_type, &oid);
++ ret = gpm_name_oid_to_static(&oid, MN_mech);
+ if (ret) {
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+diff --git a/src/client/gpm_indicate_mechs.c b/src/client/gpm_indicate_mechs.c
+index 86c7de3..4041dcd 100644
+--- a/src/client/gpm_indicate_mechs.c
++++ b/src/client/gpm_indicate_mechs.c
+@@ -95,20 +95,6 @@ static uint32_t gpm_copy_gss_buffer(uint32_t *minor_status,
+ return GSS_S_COMPLETE;
+ }
+
+-static bool gpm_equal_oids(gss_const_OID a, gss_const_OID b)
+-{
+- int ret;
+-
+- if (a->length == b->length) {
+- ret = memcmp(a->elements, b->elements, a->length);
+- if (ret == 0) {
+- return true;
+- }
+- }
+-
+- return false;
+-}
+-
+ static void gpmint_indicate_mechs(void)
+ {
+ union gp_rpc_arg uarg;
+@@ -313,7 +299,7 @@ int gpm_mech_to_static(gss_OID mech_type, gss_OID *mech_static)
+
+ *mech_static = GSS_C_NO_OID;
+ for (size_t i = 0; i < global_mechs.mech_set->count; i++) {
+- if (gpm_equal_oids(&global_mechs.mech_set->elements[i], mech_type)) {
++ if (gss_oid_equal(&global_mechs.mech_set->elements[i], mech_type)) {
+ *mech_static = &global_mechs.mech_set->elements[i];
+ return 0;
+ }
+@@ -383,7 +369,7 @@ OM_uint32 gpm_inquire_names_for_mech(OM_uint32 *minor_status,
+ }
+
+ for (unsigned i = 0; i < global_mechs.info_len; i++) {
+- if (!gpm_equal_oids(global_mechs.info[i].mech, mech_type)) {
++ if (!gss_oid_equal(global_mechs.info[i].mech, mech_type)) {
+ continue;
+ }
+ ret_maj = gpm_copy_gss_OID_set(&ret_min,
+@@ -481,7 +467,7 @@ OM_uint32 gpm_inquire_attrs_for_mech(OM_uint32 *minor_status,
+ }
+
+ for (unsigned i = 0; i < global_mechs.info_len; i++) {
+- if (!gpm_equal_oids(global_mechs.info[i].mech, mech)) {
++ if (!gss_oid_equal(global_mechs.info[i].mech, mech)) {
+ continue;
+ }
+
+@@ -540,7 +526,7 @@ OM_uint32 gpm_inquire_saslname_for_mech(OM_uint32 *minor_status,
+ }
+
+ for (unsigned i = 0; i < global_mechs.info_len; i++) {
+- if (!gpm_equal_oids(global_mechs.info[i].mech, desired_mech)) {
++ if (!gss_oid_equal(global_mechs.info[i].mech, desired_mech)) {
+ continue;
+ }
+ ret_maj = gpm_copy_gss_buffer(&ret_min,
+@@ -598,7 +584,7 @@ OM_uint32 gpm_display_mech_attr(OM_uint32 *minor_status,
+ }
+
+ for (unsigned i = 0; i < global_mechs.desc_len; i++) {
+- if (!gpm_equal_oids(global_mechs.desc[i].attr, mech_attr)) {
++ if (!gss_oid_equal(global_mechs.desc[i].attr, mech_attr)) {
+ continue;
+ }
+ ret_maj = gpm_copy_gss_buffer(&ret_min,
+diff --git a/src/client/gssapi_gpm.h b/src/client/gssapi_gpm.h
+index b7ba04b..bdf12e1 100644
+--- a/src/client/gssapi_gpm.h
++++ b/src/client/gssapi_gpm.h
+@@ -10,6 +10,7 @@
+ #include <string.h>
+ #include <gssapi/gssapi.h>
+ #include <gssapi/gssapi_ext.h>
++#include <gssapi/gssapi_krb5.h>
+ #include "rpcgen/gp_rpc.h"
+ #include "rpcgen/gss_proxy.h"
+ #include "src/gp_common.h"
diff --git a/SOURCES/Use-static-OIDs-in-gss_inquire_context.patch b/SOURCES/Use-static-OIDs-in-gss_inquire_context.patch
new file mode 100644
index 0000000..614d9e4
--- /dev/null
+++ b/SOURCES/Use-static-OIDs-in-gss_inquire_context.patch
@@ -0,0 +1,31 @@
+From 448501f1b3e0204353544ab245dd4ec77d46faae Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 27 Aug 2020 17:21:03 -0400
+Subject: [PATCH] Use static OIDs in gss_inquire_context()
+
+As per other functions gssapi expect a static OID here.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+[rharwood@redhat.com: commit message fixup]
+Reviewed-by: Robbie Harwood <rharwood@redhat.com>
+(cherry picked from commit 502e448b3b126bf828ed871496dd7520d5075564)
+(cherry picked from commit 9cc525b1f1184241483705dfc0a4162bc0c55632)
+---
+ src/client/gpm_inquire_context.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/client/gpm_inquire_context.c b/src/client/gpm_inquire_context.c
+index 8c683fe..5800a8d 100644
+--- a/src/client/gpm_inquire_context.c
++++ b/src/client/gpm_inquire_context.c
+@@ -51,7 +51,9 @@ OM_uint32 gpm_inquire_context(OM_uint32 *minor_status,
+ }
+
+ if (mech_type) {
+- ret = gp_conv_gssx_to_oid_alloc(&context_handle->mech, mech_type);
++ gss_OID_desc mech;
++ gp_conv_gssx_to_oid(&context_handle->mech, &mech);
++ ret = gpm_mech_to_static(&mech, mech_type);
+ if (ret) {
+ if (src_name) {
+ (void)gpm_release_name(&tmp_min, src_name);
diff --git a/SOURCES/Use-the-correct-function-to-free-unused-creds.patch b/SOURCES/Use-the-correct-function-to-free-unused-creds.patch
new file mode 100644
index 0000000..6e275c7
--- /dev/null
+++ b/SOURCES/Use-the-correct-function-to-free-unused-creds.patch
@@ -0,0 +1,40 @@
+From a23fd33ce8bdf4cdc4d2d00153d3bbf89f363475 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 27 Aug 2020 13:20:49 -0400
+Subject: [PATCH] Use the correct function to free unused creds
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+Reviewed-by: Robbie Harwood <rharwood@redhat.com>
+(cherry picked from commit a2ffd1230fd572d7fa9099af2365dfb7ac394d07)
+(cherry picked from commit f77b75b7928a2c7813aebc8a1ec107d495627685)
+---
+ src/mechglue/gpp_creds.c | 2 +-
+ src/mechglue/gpp_init_sec_context.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/mechglue/gpp_creds.c b/src/mechglue/gpp_creds.c
+index e87da82..338fadd 100644
+--- a/src/mechglue/gpp_creds.c
++++ b/src/mechglue/gpp_creds.c
+@@ -895,7 +895,7 @@ done:
+ if (maj == GSS_S_COMPLETE) {
+ *cred_handle = (gss_cred_id_t)cred;
+ } else {
+- free(cred);
++ (void)gpp_cred_handle_free(&min, cred);
+ }
+ (void)gss_release_buffer(&min, &wrap_token);
+ return maj;
+diff --git a/src/mechglue/gpp_init_sec_context.c b/src/mechglue/gpp_init_sec_context.c
+index 94d9b01..bb878df 100644
+--- a/src/mechglue/gpp_init_sec_context.c
++++ b/src/mechglue/gpp_init_sec_context.c
+@@ -215,7 +215,7 @@ done:
+ *context_handle = (gss_ctx_id_t)ctx_handle;
+
+ if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) {
+- free(cred_handle);
++ (void)gpp_cred_handle_free(&min, cred_handle);
+ }
+ return maj;
+ }
diff --git a/SPECS/gssproxy.spec b/SPECS/gssproxy.spec
index 577c2e5..61737db 100644
--- a/SPECS/gssproxy.spec
+++ b/SPECS/gssproxy.spec
@@ -1,7 +1,7 @@
Name: gssproxy
Version: 0.8.0
-Release: 16%{?dist}
+Release: 19%{?dist}
Summary: GSSAPI Proxy
Group: System Environment/Libraries
@@ -28,6 +28,20 @@ Patch11: Change-the-way-we-handle-encrypted-buffers.patch
Patch12: Avoid-uninitialized-free-when-allocating-buffers.patch
Patch13: Make-syslog-of-call-status-configurable.patch
Patch14: Delay-gssproxy-start-until-after-network.target.patch
+Patch15: Document-config-file-non-merging.patch
+Patch16: Initialize-our-epoll_event-structures.patch
+Patch17: Avoid-leak-of-special-mechs-in-gss_mech_interposer.patch
+Patch18: Fix-leak-of-mech-OID-in-gssi_inquire_context.patch
+Patch19: Expand-use-of-global-static-mechs-to-conform-to-SPI.patch
+Patch20: Correctly-size-loop-counter-in-gpp_special_available.patch
+Patch21: Initialize-interposed-mech-list-without-allocation.patch
+Patch22: Make-sure-to-free-also-the-remote-ctx-struct.patch
+Patch23: Use-the-correct-function-to-free-unused-creds.patch
+Patch24: Fix-leaks-in-our-test-suite-itself.patch
+Patch25: Always-free-ciphertext-data-in-gp_encrypt_buffer.patch
+Patch26: Return-static-oids-for-naming-functions.patch
+Patch27: Avoid-unnecessary-allocation-in-gpm_inquire_mechs_fo.patch
+Patch28: Use-static-OIDs-in-gss_inquire_context.patch
### Dependencies ###
Requires: krb5-libs >= 1.12.0
@@ -122,6 +136,18 @@ mkdir -p %{buildroot}%{gpstatedir}/rcache
%systemd_postun_with_restart gssproxy.service
%changelog
+* Thu Oct 29 2020 Robbie Harwood <rharwood@redhat.com> - 0.8.0-19
+- More leak fixes
+- Resolves: #1813200
+
+* Wed Oct 14 2020 Robbie Harwood <rharwood@redhat.com> - 0.8.0-18
+- Fix leak of mech OID in gssi_inquire_context()
+- Resolves: #1813200
+
+* Tue Oct 13 2020 Robbie Harwood <rharwood@redhat.com> - 0.8.0-17
+- Document config file non-merging
+- Resolves: #1838222
+
* Mon Apr 06 2020 Robbie Harwood <rharwood@redhat.com> - 0.8.0-16
- Delay gssproxy start until after network.target
- Resolves: #1780876