Skip to content

Commit 7e2d034

Browse files
gitstergitster
committed
Merge branch 'ap/credential-clear-fix'
Upon expiration event, the credential subsystem forgot to clear in-core authentication material other than password (whose support was added recently), which has been corrected. * ap/credential-clear-fix: credential: clear expired c->credential, unify secret clearing
2 parents 4d8ae4d + 27db485 commit 7e2d034

File tree

2 files changed

+28
-22
lines changed

2 files changed

+28
-22
lines changed

credential.c

Lines changed: 10 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -20,12 +20,11 @@ void credential_init(struct credential *c)
2020

2121
void credential_clear(struct credential *c)
2222
{
23+
credential_clear_secrets(c);
2324
free(c->protocol);
2425
free(c->host);
2526
free(c->path);
2627
free(c->username);
27-
free(c->password);
28-
free(c->credential);
2928
free(c->oauth_refresh_token);
3029
free(c->authtype);
3130
string_list_clear(&c->helpers, 0);
@@ -479,9 +478,15 @@ void credential_fill(struct credential *c, int all_capabilities)
479478

480479
for (i = 0; i < c->helpers.nr; i++) {
481480
credential_do(c, c->helpers.items[i].string, "get");
481+
482482
if (c->password_expiry_utc < time(NULL)) {
483-
/* Discard expired password */
484-
FREE_AND_NULL(c->password);
483+
/*
484+
* Don't use credential_clear() here: callers such as
485+
* cmd_credential() expect to still be able to call
486+
* credential_write() on a struct credential whose
487+
* secrets have expired.
488+
*/
489+
credential_clear_secrets(c);
485490
/* Reset expiry to maintain consistency */
486491
c->password_expiry_utc = TIME_MAX;
487492
}
@@ -528,9 +533,8 @@ void credential_reject(struct credential *c)
528533
for (i = 0; i < c->helpers.nr; i++)
529534
credential_do(c, c->helpers.items[i].string, "erase");
530535

536+
credential_clear_secrets(c);
531537
FREE_AND_NULL(c->username);
532-
FREE_AND_NULL(c->password);
533-
FREE_AND_NULL(c->credential);
534538
FREE_AND_NULL(c->oauth_refresh_token);
535539
c->password_expiry_utc = TIME_MAX;
536540
c->approved = 0;

credential.h

Lines changed: 18 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -5,8 +5,8 @@
55
#include "strvec.h"
66

77
/**
8-
* The credentials API provides an abstracted way of gathering username and
9-
* password credentials from the user.
8+
* The credentials API provides an abstracted way of gathering
9+
* authentication credentials from the user.
1010
*
1111
* Typical setup
1212
* -------------
@@ -116,11 +116,12 @@ struct credential_capability {
116116
};
117117

118118
/**
119-
* This struct represents a single username/password combination
120-
* along with any associated context. All string fields should be
121-
* heap-allocated (or NULL if they are not known or not applicable).
122-
* The meaning of the individual context fields is the same as
123-
* their counterparts in the helper protocol.
119+
* This struct represents a single login credential (typically a
120+
* username/password combination) along with any associated
121+
* context. All string fields should be heap-allocated (or NULL if
122+
* they are not known or not applicable). The meaning of the
123+
* individual context fields is the same as their counterparts in
124+
* the helper protocol.
124125
*
125126
* This struct should always be initialized with `CREDENTIAL_INIT` or
126127
* `credential_init`.
@@ -207,11 +208,12 @@ void credential_clear(struct credential *);
207208

208209
/**
209210
* Instruct the credential subsystem to fill the username and
210-
* password fields of the passed credential struct by first
211-
* consulting helpers, then asking the user. After this function
212-
* returns, the username and password fields of the credential are
213-
* guaranteed to be non-NULL. If an error occurs, the function will
214-
* die().
211+
* password (or authtype and credential) fields of the passed
212+
* credential struct by first consulting helpers, then asking the
213+
* user. After this function returns, either the username and
214+
* password fields or the credential field of the credential are
215+
* guaranteed to be non-NULL. If an error occurs, the function
216+
* will die().
215217
*
216218
* If all_capabilities is set, this is an internal user that is prepared
217219
* to deal with all known capabilities, and we should advertise that fact.
@@ -232,10 +234,10 @@ void credential_approve(struct credential *);
232234
* have been rejected. This will cause the credential subsystem to
233235
* notify any helpers of the rejection (which allows them, for
234236
* example, to purge the invalid credentials from storage). It
235-
* will also free() the username and password fields of the
236-
* credential and set them to NULL (readying the credential for
237-
* another call to `credential_fill`). Any errors from helpers are
238-
* ignored.
237+
* will also free() the username, password, and credential fields
238+
* of the credential and set them to NULL (readying the credential
239+
* for another call to `credential_fill`). Any errors from helpers
240+
* are ignored.
239241
*/
240242
void credential_reject(struct credential *);
241243

0 commit comments

Comments
 (0)