[29123] in CVS-changelog-for-Kerberos-V5


krb5 commit [krb5-1.14]: Zap secure cookie contents when freeing

daemon@ATHENA.MIT.EDU (Tom Yu)
Wed Oct 28 19:27:18 2015

Date: Wed, 28 Oct 2015 19:27:13 -0400
From: Tom Yu <tlyu@mit.edu>
Message-Id: <201510282327.t9SNRDwD015544@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/54393f97906996b7a20c3abf0948a04ce9062f49
commit 54393f97906996b7a20c3abf0948a04ce9062f49
Author: Greg Hudson <ghudson@mit.edu>
Date:   Wed Oct 21 13:21:48 2015 -0400

    Zap secure cookie contents when freeing
    
    Secure cookies are intended to hold secret values which may contribute
    to key data, and therefore should be sanitized when released.  Also
    fix a memory leak in kdc_fast_make_cookie().
    
    (cherry picked from commit 73f0ee229fdd2e888bdefe580bb183d2a6c57365)
    
    ticket: 8271
    version_fixed: 1.14
    status: resolved

 src/include/k5-int.h         |    3 +++
 src/kdc/fast_util.c          |   12 ++++++++----
 src/lib/krb5/krb/kfree.c     |   16 +++++++++++++++-
 src/lib/krb5/libkrb5.exports |    1 +
 4 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 78391a6..41c3d1b 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -979,6 +979,9 @@ typedef struct _krb5_authdata_context *krb5_authdata_context;
 void
 k5_free_data_ptr_list(krb5_data **list);
 
+void
+k5_zapfree_pa_data(krb5_pa_data **val);
+
 void KRB5_CALLCONV
 krb5int_free_data_list(krb5_context context, krb5_data *data);
 
diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
index f76ad37..9df9402 100644
--- a/src/kdc/fast_util.c
+++ b/src/kdc/fast_util.c
@@ -270,8 +270,8 @@ kdc_free_rstate (struct kdc_request_state *s)
         krb5_free_keyblock(kdc_context, s->armor_key);
     if (s->strengthen_key)
         krb5_free_keyblock(kdc_context, s->strengthen_key);
-    krb5_free_pa_data(NULL, s->in_cookie_padata);
-    krb5_free_pa_data(NULL, s->out_cookie_padata);
+    k5_zapfree_pa_data(s->in_cookie_padata);
+    k5_zapfree_pa_data(s->out_cookie_padata);
     free(s);
 }
 
@@ -620,7 +620,7 @@ kdc_fast_read_cookie(krb5_context context, struct kdc_request_state *state,
     cookie->data = NULL;
 
 cleanup:
-    krb5_free_data_contents(context, &plain);
+    zapfree(plain.data, plain.length);
     krb5_free_keyblock(context, key);
     k5_free_secure_cookie(context, cookie);
     return 0;
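Review bot: The `cleanup:` path of kdc_fast_read_cookie still ends in `return 0;`, whereas the cleanup path of kdc_fast_make_cookie in the next hunk ends in `return ret;`. If this function records failures in a local error code (its body starts outside the hunk, so that is not visible here), a cookie that fails to decrypt or decode would be reported to the caller as success. Either change the last line to `return ret;` or add a comment stating that cookie-processing errors are deliberately ignored. The new `zapfree(plain.data, plain.length)` is safe only if `plain` is initialised empty before the first `goto cleanup`, which should be confirmed against the declaration.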
@@ -727,7 +727,11 @@ kdc_fast_make_cookie(krb5_context context, struct kdc_request_state *state,
     *cookie_out = pa;
 
 cleanup:
-    krb5_free_data(context, der_cookie);
+    krb5_free_keyblock(context, key);
+    if (der_cookie != NULL) {
+        zapfree(der_cookie->data, der_cookie->length);
+        free(der_cookie);
+    }
     krb5_free_data_contents(context, &enc.ciphertext);
     return ret;
 }
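Review bot: The cleanup block now passes `key` to `krb5_free_keyblock()` and tests `der_cookie` on every exit path, so both must be initialised to NULL before the first `goto cleanup`. Their declarations lie outside this hunk and should be checked. A short comment would also explain the asymmetry with the next line, where `enc.ciphertext` is freed without zeroing, presumably because it is ciphertext: `/* der_cookie appears to hold the unencrypted cookie encoding; zero it before release. */`.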
diff --git a/src/lib/krb5/krb/kfree.c b/src/lib/krb5/krb/kfree.c
index bb75eca..f857522 100644
--- a/src/lib/krb5/krb/kfree.c
+++ b/src/lib/krb5/krb/kfree.c
@@ -366,6 +366,20 @@ krb5_free_last_req(krb5_context context, krb5_last_req_entry **val)
     free(val);
 }
 
+void
+k5_zapfree_pa_data(krb5_pa_data **val)
+{
+    krb5_pa_data **pa;
+
+    if (val == NULL)
+        return;
+    for (pa = val; *pa != NULL; pa++) {
+        zapfree((*pa)->contents, (*pa)->length);
+        zapfree(*pa, sizeof(**pa));
+    }
+    free(val);
+}
+
 void KRB5_CALLCONV
 krb5_free_pa_data(krb5_context context, krb5_pa_data **val)
 {
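Review bot: k5_zapfree_pa_data has no comment stating its contract, and it carries a requirement that krb5_free_pa_data does not. `zapfree((*pa)->contents, (*pa)->length)` writes `length` bytes before freeing, so each element's `length` must not exceed the allocation behind `contents`. A caller that builds an element by hand with a mismatched length would turn this free path into an out-of-bounds write. I would add a comment above the definition and the prototype in k5-int.h, such as `/* Free a NULL-terminated pa-data list, zeroing each element's contents and header first; each length must match its contents allocation. */`. The body of krb5_free_pa_data continues outside the hunk.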
@@ -872,6 +886,6 @@ k5_free_secure_cookie(krb5_context context, krb5_secure_cookie *val)
 {
     if (val == NULL)
         return;
-    krb5_free_pa_data(context, val->data);
+    k5_zapfree_pa_data(val->data);
     free(val);
 }
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index 7677dac..c623409 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -144,6 +144,7 @@ k5_plugin_register
 k5_plugin_register_dyn
 k5_unmarshal_cred
 k5_unmarshal_princ
+k5_zapfree_pa_data
 krb524_convert_creds_kdc
 krb524_init_ets
 krb5_425_conv_principal