gss: use _gss_secure_release_buffer_[set]
Use new helper APIs for securely zeroing and releasing buffers and buffer sets.
This commit is contained in:
@@ -232,7 +232,7 @@ _gsskrb5_export_sec_context(
|
||||
ret = _gsskrb5_delete_sec_context (minor_status, context_handle,
|
||||
GSS_C_NO_BUFFER);
|
||||
if (ret != GSS_S_COMPLETE)
|
||||
_gsskrb5_release_buffer (NULL, interprocess_token);
|
||||
_gss_secure_release_buffer (&minor, interprocess_token);
|
||||
*minor_status = 0;
|
||||
return ret;
|
||||
failure:
|
||||
|
@@ -44,6 +44,7 @@
|
||||
#include <gssapi_mech.h>
|
||||
#include <gssapi_krb5.h>
|
||||
#include <assert.h>
|
||||
#include <mech/utils.h>
|
||||
|
||||
#include "cfx.h"
|
||||
|
||||
|
@@ -90,13 +90,13 @@ gss_export_cred(OM_uint32 * minor_status,
|
||||
if (buffer.length) {
|
||||
bytes = krb5_storage_write(sp, buffer.value, buffer.length);
|
||||
if (bytes < 0 || (size_t)bytes != buffer.length) {
|
||||
gss_release_buffer(minor_status, &buffer);
|
||||
_gss_secure_release_buffer(minor_status, &buffer);
|
||||
krb5_storage_free(sp);
|
||||
*minor_status = EINVAL;
|
||||
return GSS_S_FAILURE;
|
||||
}
|
||||
}
|
||||
gss_release_buffer(minor_status, &buffer);
|
||||
_gss_secure_release_buffer(minor_status, &buffer);
|
||||
}
|
||||
|
||||
ret = krb5_storage_to_data(sp, &data);
|
||||
|
@@ -53,7 +53,7 @@ copy_cred_element(OM_uint32 *minor_status,
|
||||
major_status = m->gm_export_cred(minor_status, mc->gmc_cred, &export);
|
||||
if (major_status == GSS_S_COMPLETE) {
|
||||
major_status = m->gm_import_cred(minor_status, &export, &dup_cred);
|
||||
gss_release_buffer(&tmp, &export);
|
||||
_gss_secure_release_buffer(&tmp, &export);
|
||||
}
|
||||
} else {
|
||||
struct _gss_mechanism_name mn;
|
||||
|
@@ -84,7 +84,7 @@ gss_export_sec_context(OM_uint32 *minor_status,
|
||||
p[1] = m->gm_mech_oid.length;
|
||||
memcpy(p + 2, m->gm_mech_oid.elements, m->gm_mech_oid.length);
|
||||
memcpy(p + 2 + m->gm_mech_oid.length, buf.value, buf.length);
|
||||
gss_release_buffer(minor_status, &buf);
|
||||
_gss_secure_release_buffer(minor_status, &buf);
|
||||
} else {
|
||||
_gss_mg_error(m, *minor_status);
|
||||
}
|
||||
|
@@ -58,8 +58,8 @@ gss_inquire_cred_by_oid (OM_uint32 *minor_status,
|
||||
|
||||
m = mc->gmc_mech;
|
||||
if (m == NULL) {
|
||||
gss_release_buffer_set(minor_status, &set);
|
||||
*minor_status = 0;
|
||||
_gss_secure_release_buffer_set(minor_status, &set);
|
||||
minor_status = 0;
|
||||
return GSS_S_BAD_MECH;
|
||||
}
|
||||
|
||||
@@ -79,7 +79,7 @@ gss_inquire_cred_by_oid (OM_uint32 *minor_status,
|
||||
if (status != GSS_S_COMPLETE)
|
||||
break;
|
||||
}
|
||||
gss_release_buffer_set(minor_status, &rset);
|
||||
_gss_secure_release_buffer_set(minor_status, &rset);
|
||||
}
|
||||
if (set == GSS_C_NO_BUFFER_SET && status == GSS_S_COMPLETE)
|
||||
status = GSS_S_FAILURE;
|
||||
|
@@ -383,7 +383,7 @@ gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
|
||||
*rctx = ctx;
|
||||
|
||||
out:
|
||||
gss_release_buffer_set(minor_status, &data_set);
|
||||
_gss_secure_release_buffer_set(minor_status, &data_set);
|
||||
if (sp)
|
||||
krb5_storage_free(sp);
|
||||
if (context)
|
||||
@@ -736,7 +736,7 @@ gsskrb5_extract_key(OM_uint32 *minor_status,
|
||||
return major_status;
|
||||
|
||||
if (data_set == GSS_C_NO_BUFFER_SET || data_set->count != 1) {
|
||||
gss_release_buffer_set(minor_status, &data_set);
|
||||
_gss_secure_release_buffer_set(minor_status, &data_set);
|
||||
*minor_status = EINVAL;
|
||||
return GSS_S_FAILURE;
|
||||
}
|
||||
@@ -757,7 +757,7 @@ gsskrb5_extract_key(OM_uint32 *minor_status,
|
||||
ret = krb5_ret_keyblock(sp, *keyblock);
|
||||
|
||||
out:
|
||||
gss_release_buffer_set(minor_status, &data_set);
|
||||
_gss_secure_release_buffer_set(minor_status, &data_set);
|
||||
if (sp)
|
||||
krb5_storage_free(sp);
|
||||
if (ret && keyblock) {
|
||||
|
@@ -48,25 +48,6 @@
|
||||
* authenticate the entire exchange.
|
||||
*/
|
||||
|
||||
static void
|
||||
zero_and_release_buffer_set(gss_buffer_set_t *pBuffers)
|
||||
{
|
||||
OM_uint32 tmpMinor;
|
||||
gss_buffer_set_t buffers = *pBuffers;
|
||||
size_t i;
|
||||
|
||||
if (buffers != GSS_C_NO_BUFFER_SET) {
|
||||
for (i = 0; i < buffers->count; i++)
|
||||
memset_s(buffers->elements[i].value,
|
||||
buffers->elements[i].length, 0,
|
||||
buffers->elements[i].length);
|
||||
|
||||
gss_release_buffer_set(&tmpMinor, &buffers);
|
||||
}
|
||||
|
||||
*pBuffers = GSS_C_NO_BUFFER_SET;
|
||||
}
|
||||
|
||||
static OM_uint32
|
||||
buffer_set_to_crypto(OM_uint32 *minor,
|
||||
krb5_context context,
|
||||
@@ -120,7 +101,7 @@ get_session_keys(OM_uint32 *minor,
|
||||
if (major == GSS_S_COMPLETE) {
|
||||
major = buffer_set_to_crypto(minor, context,
|
||||
buffers, &mech->crypto);
|
||||
zero_and_release_buffer_set(&buffers);
|
||||
_gss_secure_release_buffer_set(&tmpMinor, &buffers);
|
||||
if (major != GSS_S_COMPLETE)
|
||||
return major;
|
||||
}
|
||||
@@ -131,7 +112,7 @@ get_session_keys(OM_uint32 *minor,
|
||||
if (major == GSS_S_COMPLETE) {
|
||||
major = buffer_set_to_crypto(minor, context,
|
||||
buffers, &mech->verify_crypto);
|
||||
zero_and_release_buffer_set(&buffers);
|
||||
_gss_secure_release_buffer_set(&tmpMinor, &buffers);
|
||||
if (major != GSS_S_COMPLETE)
|
||||
return major;
|
||||
}
|
||||
|
Reference in New Issue
Block a user