Gssapi-keyex: fix issues found by static analysis

Related: RHEL-60564

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

openssh-9.6p1-gssapi-keyex.patch

@@ -1240,8 +1240,8 @@ diff --color -ruNp a/kexgen.c b/kexgen.c
      const struct sshbuf *client_version,
 diff --color -ruNp a/kexgssc.c b/kexgssc.c
 --- a/kexgssc.c	1970-01-01 01:00:00.000000000 +0100
-+++ b/kexgssc.c	2024-09-16 11:46:34.709940203 +0200
++++ b/kexgssc.c	2024-10-14 15:18:02.491798105 +0200
-@@ -0,0 +1,704 @@
+@@ -0,0 +1,706 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
 + *
@@ -1603,6 +1603,7 @@ diff --color -ruNp a/kexgssc.c b/kexgssc.c
 +	if  (gss->major & GSS_S_CONTINUE_NEEDED)
 +		return kexgss_init_ctx(ssh, &recv_tok);
 +
++	gss_release_buffer(&gss->minor, &recv_tok);
 +	return kexgss_final(ssh);
 +}
 +
@@ -1942,14 +1943,15 @@ diff --color -ruNp a/kexgssc.c b/kexgssc.c
 +	if  (gss->major & GSS_S_CONTINUE_NEEDED)
 +		return kexgssgex_init_ctx(ssh, &recv_tok);
 +
++	gss_release_buffer(&gss->minor, &recv_tok);
 +	return kexgssgex_final(ssh);
 +}
 +
 +#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
 diff --color -ruNp a/kexgsss.c b/kexgsss.c
 --- a/kexgsss.c	1970-01-01 01:00:00.000000000 +0100
-+++ b/kexgsss.c	2024-09-16 11:46:34.710940224 +0200
++++ b/kexgsss.c	2024-10-14 15:18:02.491798105 +0200
-@@ -0,0 +1,590 @@
+@@ -0,0 +1,601 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
 + *
@@ -2082,6 +2084,9 @@ diff --color -ruNp a/kexgsss.c b/kexgsss.c
 +	struct kex *kex = ssh->kex;
 +	Gssctxt *gss = kex->gss;
 +	gss_buffer_desc msg_tok;
++	u_char hash[SSH_DIGEST_MAX_LENGTH];
++	size_t hashlen;
++	struct sshbuf *shared_secret = NULL;
 +	int r;
 +
 +	ssh_dispatch_set(ssh, SSH2_MSG_KEXGSS_INIT, NULL);
@@ -2125,12 +2130,18 @@ diff --color -ruNp a/kexgsss.c b/kexgsss.c
 +	gss_release_buffer(&gss->minor, send_tok);
 +	gss_release_buffer(&gss->minor, &msg_tok);
 +
++	hashlen = gss->hashlen;
++	memcpy(hash, gss->hash, hashlen);
++	explicit_bzero(gss->hash, sizeof(gss->hash));
++	shared_secret = gss->shared_secret;
++	gss->shared_secret = NULL;
++
 +	if (gss_kex_context == NULL)
 +		gss_kex_context = gss;
 +	else
 +		ssh_gssapi_delete_ctx(&kex->gss);
 +
-+	if ((r = kex_derive_keys(ssh, gss->hash, gss->hashlen, gss->shared_secret)) == 0)
++	if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) == 0)
 +		r = kex_send_newkeys(ssh);
 +
 +	/* If this was a rekey, then save out any delegated credentials we
@@ -2139,12 +2150,11 @@ diff --color -ruNp a/kexgsss.c b/kexgsss.c
 +		ssh_gssapi_rekey_creds();
 +
 +	if (kex->gss != NULL) {
-+		explicit_bzero(gss->hash, sizeof(gss->hash));
-+		sshbuf_free(gss->shared_secret);
-+		gss->shared_secret = NULL;
 +		sshbuf_free(gss->server_pubkey);
 +		gss->server_pubkey = NULL;
 +	}
++	explicit_bzero(hash, sizeof(hash));
++	sshbuf_free(shared_secret);
 +	return r;
 +}
 +
@@ -2187,7 +2197,8 @@ diff --color -ruNp a/kexgsss.c b/kexgsss.c
 +	}
 +	if (r != 0) {
 +		sshbuf_free(client_pubkey);
-+                ssh_gssapi_delete_ctx(&kex->gss);
++		gss_release_buffer(&gss->minor, &recv_tok);
++		ssh_gssapi_delete_ctx(&kex->gss);
 +		return r;
 +	}
 +
@@ -2195,6 +2206,7 @@ diff --color -ruNp a/kexgsss.c b/kexgsss.c
 +
 +	if ((empty = sshbuf_new()) == NULL) {
 +		sshbuf_free(client_pubkey);
++		gss_release_buffer(&gss->minor, &recv_tok);
 +		ssh_gssapi_delete_ctx(&kex->gss);
 +		return SSH_ERR_ALLOC_FAIL;
 +	}
@@ -2210,6 +2222,7 @@ diff --color -ruNp a/kexgsss.c b/kexgsss.c
 +	sshbuf_free(empty);
 +	sshbuf_free(client_pubkey);
 +	if (r != 0) {
++		gss_release_buffer(&gss->minor, &recv_tok);
 +		ssh_gssapi_delete_ctx(&kex->gss);
 +		return r;
 +	}