gss: use _gss_secure_release_buffer_[set]

Use new helper APIs for securely zeroing and releasing buffers and buffer sets.
This commit is contained in:
Luke Howard
2020-04-15 16:20:06 +10:00
parent 689eef20ec
commit 2c8fa27224
8 changed files with 14 additions and 32 deletions

View File

@@ -232,7 +232,7 @@ _gsskrb5_export_sec_context(
ret = _gsskrb5_delete_sec_context (minor_status, context_handle,
GSS_C_NO_BUFFER);
if (ret != GSS_S_COMPLETE)
_gsskrb5_release_buffer (NULL, interprocess_token);
_gss_secure_release_buffer (&minor, interprocess_token);
*minor_status = 0;
return ret;
failure:

View File

@@ -44,6 +44,7 @@
#include <gssapi_mech.h>
#include <gssapi_krb5.h>
#include <assert.h>
#include <mech/utils.h>
#include "cfx.h"

View File

@@ -90,13 +90,13 @@ gss_export_cred(OM_uint32 * minor_status,
if (buffer.length) {
bytes = krb5_storage_write(sp, buffer.value, buffer.length);
if (bytes < 0 || (size_t)bytes != buffer.length) {
gss_release_buffer(minor_status, &buffer);
_gss_secure_release_buffer(minor_status, &buffer);
krb5_storage_free(sp);
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
}
gss_release_buffer(minor_status, &buffer);
_gss_secure_release_buffer(minor_status, &buffer);
}
ret = krb5_storage_to_data(sp, &data);

View File

@@ -53,7 +53,7 @@ copy_cred_element(OM_uint32 *minor_status,
major_status = m->gm_export_cred(minor_status, mc->gmc_cred, &export);
if (major_status == GSS_S_COMPLETE) {
major_status = m->gm_import_cred(minor_status, &export, &dup_cred);
gss_release_buffer(&tmp, &export);
_gss_secure_release_buffer(&tmp, &export);
}
} else {
struct _gss_mechanism_name mn;

View File

@@ -84,7 +84,7 @@ gss_export_sec_context(OM_uint32 *minor_status,
p[1] = m->gm_mech_oid.length;
memcpy(p + 2, m->gm_mech_oid.elements, m->gm_mech_oid.length);
memcpy(p + 2 + m->gm_mech_oid.length, buf.value, buf.length);
gss_release_buffer(minor_status, &buf);
_gss_secure_release_buffer(minor_status, &buf);
} else {
_gss_mg_error(m, *minor_status);
}

View File

@@ -58,8 +58,8 @@ gss_inquire_cred_by_oid (OM_uint32 *minor_status,
m = mc->gmc_mech;
if (m == NULL) {
gss_release_buffer_set(minor_status, &set);
*minor_status = 0;
_gss_secure_release_buffer_set(minor_status, &set);
minor_status = 0;
return GSS_S_BAD_MECH;
}
@@ -79,7 +79,7 @@ gss_inquire_cred_by_oid (OM_uint32 *minor_status,
if (status != GSS_S_COMPLETE)
break;
}
gss_release_buffer_set(minor_status, &rset);
_gss_secure_release_buffer_set(minor_status, &rset);
}
if (set == GSS_C_NO_BUFFER_SET && status == GSS_S_COMPLETE)
status = GSS_S_FAILURE;

View File

@@ -383,7 +383,7 @@ gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
*rctx = ctx;
out:
gss_release_buffer_set(minor_status, &data_set);
_gss_secure_release_buffer_set(minor_status, &data_set);
if (sp)
krb5_storage_free(sp);
if (context)
@@ -736,7 +736,7 @@ gsskrb5_extract_key(OM_uint32 *minor_status,
return major_status;
if (data_set == GSS_C_NO_BUFFER_SET || data_set->count != 1) {
gss_release_buffer_set(minor_status, &data_set);
_gss_secure_release_buffer_set(minor_status, &data_set);
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
@@ -757,7 +757,7 @@ gsskrb5_extract_key(OM_uint32 *minor_status,
ret = krb5_ret_keyblock(sp, *keyblock);
out:
gss_release_buffer_set(minor_status, &data_set);
_gss_secure_release_buffer_set(minor_status, &data_set);
if (sp)
krb5_storage_free(sp);
if (ret && keyblock) {

View File

@@ -48,25 +48,6 @@
* authenticate the entire exchange.
*/
static void
zero_and_release_buffer_set(gss_buffer_set_t *pBuffers)
{
OM_uint32 tmpMinor;
gss_buffer_set_t buffers = *pBuffers;
size_t i;
if (buffers != GSS_C_NO_BUFFER_SET) {
for (i = 0; i < buffers->count; i++)
memset_s(buffers->elements[i].value,
buffers->elements[i].length, 0,
buffers->elements[i].length);
gss_release_buffer_set(&tmpMinor, &buffers);
}
*pBuffers = GSS_C_NO_BUFFER_SET;
}
static OM_uint32
buffer_set_to_crypto(OM_uint32 *minor,
krb5_context context,
@@ -120,7 +101,7 @@ get_session_keys(OM_uint32 *minor,
if (major == GSS_S_COMPLETE) {
major = buffer_set_to_crypto(minor, context,
buffers, &mech->crypto);
zero_and_release_buffer_set(&buffers);
_gss_secure_release_buffer_set(&tmpMinor, &buffers);
if (major != GSS_S_COMPLETE)
return major;
}
@@ -131,7 +112,7 @@ get_session_keys(OM_uint32 *minor,
if (major == GSS_S_COMPLETE) {
major = buffer_set_to_crypto(minor, context,
buffers, &mech->verify_crypto);
zero_and_release_buffer_set(&buffers);
_gss_secure_release_buffer_set(&tmpMinor, &buffers);
if (major != GSS_S_COMPLETE)
return major;
}