krb5 commit [krb5-1.14]: Zap secure cookie contents when freeing

Tom Yu tlyu at mit.edu
Wed Oct 28 19:27:13 EDT 2015


https://github.com/krb5/krb5/commit/54393f97906996b7a20c3abf0948a04ce9062f49
commit 54393f97906996b7a20c3abf0948a04ce9062f49
Author: Greg Hudson <ghudson at mit.edu>
Date:   Wed Oct 21 13:21:48 2015 -0400

    Zap secure cookie contents when freeing
    
    Secure cookies are intended to hold secret values which may contribute
    to key data, and therefore should be sanitized when released.  Also
    fix a memory leak in kdc_fast_make_cookie().
    
    (cherry picked from commit 73f0ee229fdd2e888bdefe580bb183d2a6c57365)
    
    ticket: 8271
    version_fixed: 1.14
    status: resolved

 src/include/k5-int.h         |    3 +++
 src/kdc/fast_util.c          |   12 ++++++++----
 src/lib/krb5/krb/kfree.c     |   16 +++++++++++++++-
 src/lib/krb5/libkrb5.exports |    1 +
 4 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 78391a6..41c3d1b 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -979,6 +979,9 @@ typedef struct _krb5_authdata_context *krb5_authdata_context;
 void
 k5_free_data_ptr_list(krb5_data **list);
 
+void
+k5_zapfree_pa_data(krb5_pa_data **val);
+
 void KRB5_CALLCONV
 krb5int_free_data_list(krb5_context context, krb5_data *data);
 
diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
index f76ad37..9df9402 100644
--- a/src/kdc/fast_util.c
+++ b/src/kdc/fast_util.c
@@ -270,8 +270,8 @@ kdc_free_rstate (struct kdc_request_state *s)
         krb5_free_keyblock(kdc_context, s->armor_key);
     if (s->strengthen_key)
         krb5_free_keyblock(kdc_context, s->strengthen_key);
-    krb5_free_pa_data(NULL, s->in_cookie_padata);
-    krb5_free_pa_data(NULL, s->out_cookie_padata);
+    k5_zapfree_pa_data(s->in_cookie_padata);
+    k5_zapfree_pa_data(s->out_cookie_padata);
     free(s);
 }
 
@@ -620,7 +620,7 @@ kdc_fast_read_cookie(krb5_context context, struct kdc_request_state *state,
     cookie->data = NULL;
 
 cleanup:
-    krb5_free_data_contents(context, &plain);
+    zapfree(plain.data, plain.length);
     krb5_free_keyblock(context, key);
     k5_free_secure_cookie(context, cookie);
     return 0;
@@ -727,7 +727,11 @@ kdc_fast_make_cookie(krb5_context context, struct kdc_request_state *state,
     *cookie_out = pa;
 
 cleanup:
-    krb5_free_data(context, der_cookie);
+    krb5_free_keyblock(context, key);
+    if (der_cookie != NULL) {
+        zapfree(der_cookie->data, der_cookie->length);
+        free(der_cookie);
+    }
     krb5_free_data_contents(context, &enc.ciphertext);
     return ret;
 }
diff --git a/src/lib/krb5/krb/kfree.c b/src/lib/krb5/krb/kfree.c
index bb75eca..f857522 100644
--- a/src/lib/krb5/krb/kfree.c
+++ b/src/lib/krb5/krb/kfree.c
@@ -366,6 +366,20 @@ krb5_free_last_req(krb5_context context, krb5_last_req_entry **val)
     free(val);
 }
 
+void
+k5_zapfree_pa_data(krb5_pa_data **val)
+{
+    krb5_pa_data **pa;
+
+    if (val == NULL)
+        return;
+    for (pa = val; *pa != NULL; pa++) {
+        zapfree((*pa)->contents, (*pa)->length);
+        zapfree(*pa, sizeof(**pa));
+    }
+    free(val);
+}
+
 void KRB5_CALLCONV
 krb5_free_pa_data(krb5_context context, krb5_pa_data **val)
 {
@@ -872,6 +886,6 @@ k5_free_secure_cookie(krb5_context context, krb5_secure_cookie *val)
 {
     if (val == NULL)
         return;
-    krb5_free_pa_data(context, val->data);
+    k5_zapfree_pa_data(val->data);
     free(val);
 }
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index 7677dac..c623409 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -144,6 +144,7 @@ k5_plugin_register
 k5_plugin_register_dyn
 k5_unmarshal_cred
 k5_unmarshal_princ
+k5_zapfree_pa_data
 krb524_convert_creds_kdc
 krb524_init_ets
 krb5_425_conv_principal


More information about the cvs-krb5 mailing list