author | Greg Hudson <ghudson@mit.edu> | 2015-10-21 13:21:48 -0400 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2015-10-28 19:26:32 -0400 |
commit | 54393f97906996b7a20c3abf0948a04ce9062f49 (patch) | |
tree | 396374a5cd9320f5f969e973b42095430a6e78b4 | |
parent | b32e0380cd37f90a009e4655a29d9fe7c6375fcb (diff) | |
Zap secure cookie contents when freeing
Secure cookies are intended to hold secret values which may contribute
to key data, and therefore should be sanitized when released. Also
fix a memory leak in kdc_fast_make_cookie().
(cherry picked from commit 73f0ee229fdd2e888bdefe580bb183d2a6c57365)
ticket: 8271
version_fixed: 1.14
status: resolved
-rw-r--r-- | src/include/k5-int.h | 3 | ||||
-rw-r--r-- | src/kdc/fast_util.c | 12 | ||||
-rw-r--r-- | src/lib/krb5/krb/kfree.c | 16 | ||||
-rw-r--r-- | src/lib/krb5/libkrb5.exports | 1 |
4 files changed, 27 insertions, 5 deletions
diff --git a/src/include/k5-int.h b/src/include/k5-int.h index 78391a6..41c3d1b 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -979,6 +979,9 @@ typedef struct _krb5_authdata_context *krb5_authdata_context; void k5_free_data_ptr_list(krb5_data **list); +void +k5_zapfree_pa_data(krb5_pa_data **val); + void KRB5_CALLCONV krb5int_free_data_list(krb5_context context, krb5_data *data); diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c index f76ad37..9df9402 100644 --- a/src/kdc/fast_util.c +++ b/src/kdc/fast_util.c @@ -270,8 +270,8 @@ kdc_free_rstate (struct kdc_request_state *s) krb5_free_keyblock(kdc_context, s->armor_key); if (s->strengthen_key) krb5_free_keyblock(kdc_context, s->strengthen_key); - krb5_free_pa_data(NULL, s->in_cookie_padata); - krb5_free_pa_data(NULL, s->out_cookie_padata); + k5_zapfree_pa_data(s->in_cookie_padata); + k5_zapfree_pa_data(s->out_cookie_padata); free(s); } @@ -620,7 +620,7 @@ kdc_fast_read_cookie(krb5_context context, struct kdc_request_state *state, cookie->data = NULL; cleanup: - krb5_free_data_contents(context, &plain); + zapfree(plain.data, plain.length); krb5_free_keyblock(context, key); k5_free_secure_cookie(context, cookie); return 0; @@ -727,7 +727,11 @@ kdc_fast_make_cookie(krb5_context context, struct kdc_request_state *state, *cookie_out = pa; cleanup: - krb5_free_data(context, der_cookie); + krb5_free_keyblock(context, key); + if (der_cookie != NULL) { + zapfree(der_cookie->data, der_cookie->length); + free(der_cookie); + } krb5_free_data_contents(context, &enc.ciphertext); return ret; } diff --git a/src/lib/krb5/krb/kfree.c b/src/lib/krb5/krb/kfree.c index bb75eca..f857522 100644 --- a/src/lib/krb5/krb/kfree.c +++ b/src/lib/krb5/krb/kfree.c 
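Review bot: The new `k5_zapfree_pa_data()` prototype in k5-int.h has no comment, so nothing tells a caller when it must be used instead of `krb5_free_pa_data()`. I would add above it `/* Free a null-terminated pa-data list and the list itself, zeroing each element's contents and structure first; use for lists that may hold secret values. */`. The same comment is missing on the definition in kfree.c, which sits directly above `krb5_free_pa_data()` and reads almost identically. Other code that frees secure-cookie pa-data would presumably need the same switch, but these hunks do not show whether any exists.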
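Review bot: The `krb5_free_keyblock(context, key);` added under `cleanup:` in kdc_fast_make_cookie() runs on every exit path, so it is only safe if `key` is initialised to NULL before the first `goto cleanup`. The declaration lies above the hunk and is not visible here; if it is not already `krb5_keyblock *key = NULL;`, an early failure would pass an indeterminate pointer to the free routine. The same hunk dereferences `der_cookie` behind a NULL check, which likewise assumes `der_cookie` starts out as NULL.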
@@ -366,6 +366,20 @@ krb5_free_last_req(krb5_context context, krb5_last_req_entry **val) free(val); } +void +k5_zapfree_pa_data(krb5_pa_data **val) +{ + krb5_pa_data **pa; + + if (val == NULL) + return; + for (pa = val; *pa != NULL; pa++) { + zapfree((*pa)->contents, (*pa)->length); + zapfree(*pa, sizeof(**pa)); + } + free(val); +} + void KRB5_CALLCONV krb5_free_pa_data(krb5_context context, krb5_pa_data **val) { @@ -872,6 +886,6 @@ k5_free_secure_cookie(krb5_context context, krb5_secure_cookie *val) { if (val == NULL) return; - krb5_free_pa_data(context, val->data); + k5_zapfree_pa_data(val->data); free(val); } diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports index 7677dac..c623409 100644 --- a/src/lib/krb5/libkrb5.exports +++ b/src/lib/krb5/libkrb5.exports @@ -144,6 +144,7 @@ k5_plugin_register k5_plugin_register_dyn k5_unmarshal_cred k5_unmarshal_princ +k5_zapfree_pa_data krb524_convert_creds_kdc krb524_init_ets krb5_425_conv_principal |
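Review bot: In `k5_zapfree_pa_data()` the call `zapfree((*pa)->contents, (*pa)->length);` wipes exactly `length` bytes, so the sanitisation is complete only when `length` still equals the size of the `contents` allocation. If any producer of these lists shortens `length` after allocating (not visible in this diff), the tail of the buffer would be released without being zeroed. A one-line comment at the loop would record the assumption, for example `/* length must cover the whole contents allocation for the wipe to be complete */`.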