krb5/SOURCES/Address-some-optimized-out-memset-calls.patch

From 722247aa6201d18a7ee69c4a9a05315226fe6383 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sun, 30 Dec 2018 16:40:28 -0500
Subject: [PATCH] Address some optimized-out memset() calls

Ilja Van Sprundel reported a list of memset() calls which gcc
optimizes out.  In krb_auth_su.c, use zap() to clear the password, and
remove two memset() calls when there is no password to clear.  In
iakerb.c, remove an unnecessary memset() before setting the only two
fields of the IAKERB header structure.  In svr_principal.c, use
krb5_free_key_keyblock_contents() instead of hand-freeing key data.
In asn1_k_encode.c, remove an unnecessary memset() of the kdc_req_hack
shell before returning.

(cherry picked from commit 1057b0befec1f1c0e9d4da5521a58496e2dc0997)
(cherry picked from commit 1dfff7202448a950c9133cdfe43d650092d930fd)
---
 src/clients/ksu/krb_auth_su.c      |  4 +---
 src/lib/gssapi/krb5/iakerb.c       |  1 -
 src/lib/kadm5/srv/svr_principal.c  | 10 ++--------
 src/lib/krb5/asn.1/asn1_k_encode.c |  1 -
 4 files changed, 3 insertions(+), 13 deletions(-)

diff --git a/src/clients/ksu/krb_auth_su.c b/src/clients/ksu/krb_auth_su.c
index 7af48195c..e39685fff 100644
--- a/src/clients/ksu/krb_auth_su.c
+++ b/src/clients/ksu/krb_auth_su.c
@@ -183,21 +183,19 @@ krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password,
     if (code ) {
         com_err(prog_name, code, _("while reading password for '%s'\n"),
                 client_name);
-        memset(password, 0, sizeof(password));
         return (FALSE);
     }
 
     if ( pwsize == 0) {
         fprintf(stderr, _("No password given\n"));
         *zero_password = TRUE;
-        memset(password, 0, sizeof(password));
         return (FALSE);
     }
 
     code = krb5_get_init_creds_password(context, &creds, client, password,
                                         krb5_prompter_posix, NULL, 0, NULL,
                                         options);
-    memset(password, 0, sizeof(password));
+    zap(password, sizeof(password));
 
 
     if (code) {
diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
index bb1072fe4..47c161ec9 100644
--- a/src/lib/gssapi/krb5/iakerb.c
+++ b/src/lib/gssapi/krb5/iakerb.c
@@ -262,7 +262,6 @@ iakerb_make_token(iakerb_ctx_id_t ctx,
     /*
      * Assemble the IAKERB-HEADER from the realm and cookie
      */
-    memset(&iah, 0, sizeof(iah));
     iah.target_realm = *realm;
     iah.cookie = cookie;
 
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 21c53ece1..9ab2c5a74 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -2093,14 +2093,8 @@ static int decrypt_key_data(krb5_context context,
         ret = krb5_dbe_decrypt_key_data(context, NULL, &key_data[i], &keys[i],
                                         NULL);
         if (ret) {
-            for (; i >= 0; i--) {
-                if (keys[i].contents) {
-                    memset (keys[i].contents, 0, keys[i].length);
-                    free( keys[i].contents );
-                }
-            }
-
-            memset(keys, 0, n_key_data*sizeof(krb5_keyblock));
+            for (; i >= 0; i--)
+                krb5_free_keyblock_contents(context, &keys[i]);
             free(keys);
             return ret;
         }
diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
index 65c84be2f..81a34bac9 100644
--- a/src/lib/krb5/asn.1/asn1_k_encode.c
+++ b/src/lib/krb5/asn.1/asn1_k_encode.c
@@ -528,7 +528,6 @@ decode_kdc_req_body(const taginfo *t, const uint8_t *asn1, size_t len,
         if (ret) {
             free_kdc_req_body(b);
             free(h.server_realm.data);
-            memset(&h, 0, sizeof(h));
             return ret;
         }
         b->server->realm = h.server_realm;
import krb5-1.17-18.el8 2020-04-28 09:39:01 +00:00			`From 722247aa6201d18a7ee69c4a9a05315226fe6383 Mon Sep 17 00:00:00 2001`
import krb5-1.17-9.el8 2019-11-05 20:19:57 +00:00			`From: Greg Hudson <ghudson@mit.edu>`
			`Date: Sun, 30 Dec 2018 16:40:28 -0500`
			`Subject: [PATCH] Address some optimized-out memset() calls`

			`Ilja Van Sprundel reported a list of memset() calls which gcc`
			`optimizes out. In krb_auth_su.c, use zap() to clear the password, and`
			`remove two memset() calls when there is no password to clear. In`
			`iakerb.c, remove an unnecessary memset() before setting the only two`
			`fields of the IAKERB header structure. In svr_principal.c, use`
			`krb5_free_key_keyblock_contents() instead of hand-freeing key data.`
			`In asn1_k_encode.c, remove an unnecessary memset() of the kdc_req_hack`
			`shell before returning.`

			`(cherry picked from commit 1057b0befec1f1c0e9d4da5521a58496e2dc0997)`
			`(cherry picked from commit 1dfff7202448a950c9133cdfe43d650092d930fd)`
			`---`
			`src/clients/ksu/krb_auth_su.c \| 4 +---`
			`src/lib/gssapi/krb5/iakerb.c \| 1 -`
			`src/lib/kadm5/srv/svr_principal.c \| 10 ++--------`
			`src/lib/krb5/asn.1/asn1_k_encode.c \| 1 -`
			`4 files changed, 3 insertions(+), 13 deletions(-)`

			`diff --git a/src/clients/ksu/krb_auth_su.c b/src/clients/ksu/krb_auth_su.c`
			`index 7af48195c..e39685fff 100644`
			`--- a/src/clients/ksu/krb_auth_su.c`
			`+++ b/src/clients/ksu/krb_auth_su.c`
			`@@ -183,21 +183,19 @@ krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password,`
			`if (code ) {`
			`com_err(prog_name, code, _("while reading password for '%s'\n"),`
			`client_name);`
			`- memset(password, 0, sizeof(password));`
			`return (FALSE);`
			`}`

			`if ( pwsize == 0) {`
			`fprintf(stderr, _("No password given\n"));`
			`*zero_password = TRUE;`
			`- memset(password, 0, sizeof(password));`
			`return (FALSE);`
			`}`

			`code = krb5_get_init_creds_password(context, &creds, client, password,`
			`krb5_prompter_posix, NULL, 0, NULL,`
			`options);`
			`- memset(password, 0, sizeof(password));`
			`+ zap(password, sizeof(password));`


			`if (code) {`
			`diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c`
			`index bb1072fe4..47c161ec9 100644`
			`--- a/src/lib/gssapi/krb5/iakerb.c`
			`+++ b/src/lib/gssapi/krb5/iakerb.c`
			`@@ -262,7 +262,6 @@ iakerb_make_token(iakerb_ctx_id_t ctx,`
			`/*`
			`* Assemble the IAKERB-HEADER from the realm and cookie`
			`*/`
			`- memset(&iah, 0, sizeof(iah));`
			`iah.target_realm = *realm;`
			`iah.cookie = cookie;`

			`diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c`
			`index 21c53ece1..9ab2c5a74 100644`
			`--- a/src/lib/kadm5/srv/svr_principal.c`
			`+++ b/src/lib/kadm5/srv/svr_principal.c`
			`@@ -2093,14 +2093,8 @@ static int decrypt_key_data(krb5_context context,`
			`ret = krb5_dbe_decrypt_key_data(context, NULL, &key_data[i], &keys[i],`
			`NULL);`
			`if (ret) {`
			`- for (; i >= 0; i--) {`
			`- if (keys[i].contents) {`
			`- memset (keys[i].contents, 0, keys[i].length);`
			`- free( keys[i].contents );`
			`- }`
			`- }`
			`-`
			`- memset(keys, 0, n_key_data*sizeof(krb5_keyblock));`
			`+ for (; i >= 0; i--)`
			`+ krb5_free_keyblock_contents(context, &keys[i]);`
			`free(keys);`
			`return ret;`
			`}`
			`diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c`
			`index 65c84be2f..81a34bac9 100644`
			`--- a/src/lib/krb5/asn.1/asn1_k_encode.c`
			`+++ b/src/lib/krb5/asn.1/asn1_k_encode.c`
			`@@ -528,7 +528,6 @@ decode_kdc_req_body(const taginfo t, const uint8_t asn1, size_t len,`
			`if (ret) {`
			`free_kdc_req_body(b);`
			`free(h.server_realm.data);`
			`- memset(&h, 0, sizeof(h));`
			`return ret;`
			`}`
			`b->server->realm = h.server_realm;`