krb5 commit: Simplify password storage in krb5_gss_cred_id_rec

Greg Hudson ghudson at MIT.EDU
Wed Jun 27 12:37:29 EDT 2012


https://github.com/krb5/krb5/commit/5bff5c5064a58eb206a6e2e1ba5ccf746569b761
commit 5bff5c5064a58eb206a6e2e1ba5ccf746569b761
Author: Greg Hudson <ghudson at mit.edu>
Date:   Wed Jun 27 12:36:15 2012 -0400

    Simplify password storage in krb5_gss_cred_id_rec
    
    The password is always zero-terminated, so we can store it as a char *
    instead of a krb5_data.

 src/lib/gssapi/krb5/acquire_cred.c     |    6 +++---
 src/lib/gssapi/krb5/gssapiP_krb5.h     |    2 +-
 src/lib/gssapi/krb5/iakerb.c           |    7 +++----
 src/lib/gssapi/krb5/init_sec_context.c |    8 +++-----
 src/lib/gssapi/krb5/rel_cred.c         |    6 ++----
 5 files changed, 12 insertions(+), 17 deletions(-)

diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index a7a18a7..c7a156e 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -316,7 +316,7 @@ prep_ccache(krb5_context context, krb5_gss_cred_id_rec *cred,
 {
     krb5_error_code code;
     krb5_principal ccache_princ;
-    krb5_data password_data = make_data(password->value, password->length);
+    krb5_data pwdata = make_data(password->value, password->length), pwcopy;
     krb5_boolean eq;
     const char *cctype;
     krb5_ccache newcache = NULL;
@@ -353,10 +353,10 @@ prep_ccache(krb5_context context, krb5_gss_cred_id_rec *cred,
     }
 
     /* Stash the password for later. */
-    code = krb5int_copy_data_contents_add0(context, &password_data,
-                                           &cred->password);
+    code = krb5int_copy_data_contents_add0(context, &pwdata, &pwcopy);
     if (code)
         return code;
+    cred->password = pwcopy.data;
 
     if (newcache) {
         krb5_cc_close(context, ccache);
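Review bot: Storing only `pwcopy.data` in `cred->password` drops the length of the caller's buffer, so a `password` whose `value` contains an embedded zero byte is no longer fully scrubbed. The `zapfree(cred->password, strlen(cred->password))` in the rel_cred.c hunk wipes only up to the first zero byte, whereas the removed code zapped the full stored length of the allocation. Rejecting such input before the copy would make the "always zero-terminated" assumption hold for the whole buffer, e.g. `if (password->length > 0 && memchr(password->value, '\0', password->length) != NULL) return EINVAL;`, using the same early-return pattern as the `if (code) return code;` that follows. prep_ccache's body starts and ends outside this hunk, so whether an earlier check already excludes this case cannot be seen here.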
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index 54a536a..e263a2b 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -185,7 +185,7 @@ typedef struct _krb5_gss_cred_id_rec {
     krb5_ccache ccache;
     krb5_timestamp tgt_expire;
     krb5_enctype *req_enctypes;  /* limit negotiated enctypes to this list */
-    krb5_data password;
+    char *password;
 } krb5_gss_cred_id_rec, *krb5_gss_cred_id_t;
 
 typedef struct _krb5_gss_ctx_ext_rec {
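Review bot: The new `char *password` member has no comment, and with the length field gone, its invariants are the only thing the `strlen` in krb5_gss_release_cred relies on. I would document them at the declaration, e.g. `char *password;  /* zero-terminated copy owned by the cred; zapped and freed on release */`. The struct definition starts outside this hunk.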
diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
index 005c3fc..6081931 100644
--- a/src/lib/gssapi/krb5/iakerb.c
+++ b/src/lib/gssapi/krb5/iakerb.c
@@ -414,7 +414,7 @@ iakerb_init_creds_ctx(iakerb_ctx_id_t ctx,
 {
     krb5_error_code code;
 
-    if (cred->iakerb_mech == 0 || cred->password.data == NULL) {
+    if (cred->iakerb_mech == 0 || cred->password == NULL) {
         code = EINVAL;
         goto cleanup;
     }
@@ -444,8 +444,7 @@ iakerb_init_creds_ctx(iakerb_ctx_id_t ctx,
     if (code != 0)
         goto cleanup;
 
-    code = krb5_init_creds_set_password(ctx->k5c, ctx->icc,
-                                        cred->password.data);
+    code = krb5_init_creds_set_password(ctx->k5c, ctx->icc, cred->password);
     if (code != 0)
         goto cleanup;
 
@@ -678,7 +677,7 @@ iakerb_get_initial_state(iakerb_ctx_id_t ctx,
         code = krb5_get_credentials(ctx->k5c, KRB5_GC_CACHED,
                                     cred->ccache,
                                     &in_creds, &out_creds);
-        if (code == KRB5_CC_NOTFOUND && cred->password.data != NULL) {
+        if (code == KRB5_CC_NOTFOUND && cred->password != NULL) {
             *state = IAKERB_AS_REQ;
             code = 0;
         } else if (code == 0) {
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index 7fb5f71..1091d06 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -194,7 +194,7 @@ static krb5_error_code get_credentials(context, cred, server, now,
 
     code = krb5_get_credentials(context, flags, cred->ccache,
                                 &in_creds, &result_creds);
-    if (code == KRB5_CC_NOTFOUND && cred->password.data != NULL &&
+    if (code == KRB5_CC_NOTFOUND && cred->password != NULL &&
         !cred->iakerb_mech) {
         krb5_creds tgt_creds;
 
@@ -202,10 +202,8 @@ static krb5_error_code get_credentials(context, cred, server, now,
 
         /* No TGT in the ccache, but we can get one with the password. */
         code = krb5_get_init_creds_password(context, &tgt_creds,
-                                            in_creds.client,
-                                            cred->password.data,
-                                            NULL, NULL,
-                                            0, NULL, NULL);
+                                            in_creds.client, cred->password,
+                                            NULL, NULL, 0, NULL, NULL);
         if (code)
             goto cleanup;
 
diff --git a/src/lib/gssapi/krb5/rel_cred.c b/src/lib/gssapi/krb5/rel_cred.c
index 4fd3694..a69fb19 100644
--- a/src/lib/gssapi/krb5/rel_cred.c
+++ b/src/lib/gssapi/krb5/rel_cred.c
@@ -76,10 +76,8 @@ krb5_gss_release_cred(minor_status, cred_handle)
     if (cred->req_enctypes)
         free(cred->req_enctypes);
 
-    if (cred->password.data) {
-        zap(cred->password.data, cred->password.length);
-        krb5_free_data_contents(context, &cred->password);
-    }
+    if (cred->password != NULL)
+        zapfree(cred->password, strlen(cred->password));
 
     xfree(cred);
 

