Explicitly erase Heimdal password copy

Explicitly erase the copy of the password made in the Heimdal
plugin before freeing memory.

diff --git a/NEWS b/NEWS
index ecd9377558bc6ade7af3163ff2425ffce5d4afde..5274ac01d601f34abe321a2b0dd5bbe1a8b61214 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,8 @@ krb5-strength 3.3 (unreleased)
     heimdal-history now requires the Perl modules Const::Fast and
     JSON::MaybeXS instead of Readonly and JSON.
 
+    Explicitly erase the copy of the password made in the Heimdal plugin.
+
     Update to rra-c-util 10.5:
 
     * Assume a working snprintf rather than supplying a replacement.

diff --git a/plugin/heimdal.c b/plugin/heimdal.c
index b6bd54710fdc40bd0969e207cab17bf0ca2ab3b0..0ca38b42712cae200524801e40db29c5347ca06d 100644 (file)
--- a/plugin/heimdal.c
+++ b/plugin/heimdal.c
@@ -12,7 +12,7 @@
  * instead.
  *
  * Written by Russ Allbery <eagle@eyrie.org>
- * Copyright 2020 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2020, 2023 Russ Allbery <eagle@eyrie.org>
  * Copyright 2009, 2013
  *     The Board of Trustees of the Leland Stanford Junior University
  *
@@ -61,8 +61,8 @@ convert_error(krb5_context ctx, krb5_error_code code, const char *prefix,
  */
 static int
 heimdal_pwcheck(krb5_context ctx, krb5_principal principal,
-                krb5_data *password, const char *tuning UNUSED, char *message,
-                size_t length)
+                krb5_data *password, const char *tuning UNUSED,
+                char *message, size_t length)
 {
     krb5_pwqual_moddata data = NULL;
     char *pastring;
@@ -99,6 +99,7 @@ heimdal_pwcheck(krb5_context ctx, krb5_principal principal,
         convert_error(ctx, code, NULL, message, length);
 
 done:
+    explicit_bzero(pastring, password->length);
     free(pastring);
     if (name != NULL)
         krb5_free_unparsed_name(ctx, name);