281 lines
9.0 KiB
Diff
281 lines
9.0 KiB
Diff
From 939caf2a4fb27a1652ca60873551c94377203188 Mon Sep 17 00:00:00 2001
|
|
From: zhongtao <zhongtao17@huawei.com>
|
|
Date: Wed, 23 Aug 2023 01:44:18 +0000
|
|
Subject: [PATCH 02/10] !2116 clean up sensitive information in memory * clean
|
|
up sensitive information in memory
|
|
|
|
---
|
|
src/client/connect/rest/rest_images_client.c | 2 ++
|
|
.../entry/connect/grpc/grpc_images_service.cc | 2 ++
|
|
.../entry/connect/rest/rest_images_service.c | 3 +++
|
|
src/daemon/modules/image/oci/registry/auths.c | 2 ++
|
|
.../modules/image/oci/registry/http_request.c | 18 +++++++------
|
|
.../image/oci/registry/registry_apiv2.c | 2 +-
|
|
src/daemon/modules/image/oci/registry_type.c | 2 +-
|
|
src/utils/cutils/utils_array.c | 27 +++++++++++++++++++
|
|
src/utils/cutils/utils_array.h | 4 +++
|
|
src/utils/http/http.c | 2 +-
|
|
10 files changed, 53 insertions(+), 11 deletions(-)
|
|
|
|
diff --git a/src/client/connect/rest/rest_images_client.c b/src/client/connect/rest/rest_images_client.c
|
|
index 726d5ba5..ea7934af 100644
|
|
--- a/src/client/connect/rest/rest_images_client.c
|
|
+++ b/src/client/connect/rest/rest_images_client.c
|
|
@@ -618,6 +618,7 @@ static int image_login_request_to_rest(const struct isula_login_request *request
|
|
|
|
out:
|
|
free(err);
|
|
+ util_memset_sensitive_string(crequest->password);
|
|
free_image_login_request(crequest);
|
|
return ret;
|
|
}
|
|
@@ -654,6 +655,7 @@ out:
|
|
if (output != NULL) {
|
|
buffer_free(output);
|
|
}
|
|
+ util_memset_sensitive_string(body);
|
|
put_body(body);
|
|
return ret;
|
|
}
|
|
diff --git a/src/daemon/entry/connect/grpc/grpc_images_service.cc b/src/daemon/entry/connect/grpc/grpc_images_service.cc
|
|
index b1ca98b8..f078711e 100644
|
|
--- a/src/daemon/entry/connect/grpc/grpc_images_service.cc
|
|
+++ b/src/daemon/entry/connect/grpc/grpc_images_service.cc
|
|
@@ -517,6 +517,8 @@ Status ImagesServiceImpl::Login(ServerContext *context, const LoginRequest *requ
|
|
(void)cb->image.login(image_req, &image_res);
|
|
response_to_grpc(image_res, reply);
|
|
|
|
+ util_memset_sensitive_string(image_req->password);
|
|
+
|
|
free_image_login_request(image_req);
|
|
free_image_login_response(image_res);
|
|
|
|
diff --git a/src/daemon/entry/connect/rest/rest_images_service.c b/src/daemon/entry/connect/rest/rest_images_service.c
|
|
index bd367f29..d7d77826 100644
|
|
--- a/src/daemon/entry/connect/rest/rest_images_service.c
|
|
+++ b/src/daemon/entry/connect/rest/rest_images_service.c
|
|
@@ -19,6 +19,7 @@
|
|
#include "isula_libutils/log.h"
|
|
#include "callback.h"
|
|
#include "image.rest.h"
|
|
+#include "utils.h"
|
|
#include "rest_service_common.h"
|
|
|
|
/* image load request check */
|
|
@@ -569,6 +570,7 @@ static int image_login_request_from_rest(evhtp_request_t *req, image_login_reque
|
|
}
|
|
|
|
out:
|
|
+ util_memset_sensitive_string(body);
|
|
put_body(body);
|
|
free(err);
|
|
return ret;
|
|
@@ -629,6 +631,7 @@ static void rest_image_login_cb(evhtp_request_t *req, void *arg)
|
|
evhtp_send_image_login_repsponse(req, cresponse, RESTFUL_RES_OK);
|
|
|
|
out:
|
|
+ util_memset_sensitive_string(crequest->password);
|
|
free_image_login_request(crequest);
|
|
free_image_login_response(cresponse);
|
|
}
|
|
diff --git a/src/daemon/modules/image/oci/registry/auths.c b/src/daemon/modules/image/oci/registry/auths.c
|
|
index ce67d51b..1fbe2bd3 100644
|
|
--- a/src/daemon/modules/image/oci/registry/auths.c
|
|
+++ b/src/daemon/modules/image/oci/registry/auths.c
|
|
@@ -213,6 +213,7 @@ int auths_load(char *host, char **username, char **password)
|
|
}
|
|
|
|
out:
|
|
+ // it is not nessasary to clean auths, because it has been encrypted and load from file.
|
|
free_registry_auths(auths);
|
|
auths = NULL;
|
|
free(err);
|
|
@@ -397,6 +398,7 @@ int auths_save(char *host, char *username, char *password)
|
|
}
|
|
|
|
out:
|
|
+ // it is not nessasary to clean auth, auths and json, because it has been encrypted and write to file.
|
|
free(json);
|
|
json = NULL;
|
|
free_registry_auths(auths);
|
|
diff --git a/src/daemon/modules/image/oci/registry/http_request.c b/src/daemon/modules/image/oci/registry/http_request.c
|
|
index f29c2017..10b8bf3c 100644
|
|
--- a/src/daemon/modules/image/oci/registry/http_request.c
|
|
+++ b/src/daemon/modules/image/oci/registry/http_request.c
|
|
@@ -164,11 +164,11 @@ static char *encode_auth(const char *username, const char *password)
|
|
}
|
|
|
|
out:
|
|
- free(auth);
|
|
+ util_free_sensitive_string(auth);
|
|
auth = NULL;
|
|
|
|
if (ret != 0) {
|
|
- free(auth_base64);
|
|
+ util_free_sensitive_string(auth_base64);
|
|
auth_base64 = NULL;
|
|
}
|
|
|
|
@@ -236,10 +236,10 @@ static char *basic_auth_header(const char *schema, const char *username, const c
|
|
}
|
|
|
|
out:
|
|
- free(auth_base64);
|
|
+ util_free_sensitive_string(auth_base64);
|
|
auth_base64 = NULL;
|
|
if (ret != 0) {
|
|
- free(auth_header);
|
|
+ util_free_sensitive_string(auth_header);
|
|
auth_header = NULL;
|
|
}
|
|
|
|
@@ -273,7 +273,7 @@ static int setup_auth_basic(pull_descriptor *desc, char ***custom_headers)
|
|
}
|
|
|
|
out:
|
|
- free(auth_header);
|
|
+ util_free_sensitive_string(auth_header);
|
|
auth_header = NULL;
|
|
|
|
return ret;
|
|
@@ -297,7 +297,7 @@ static int get_bearer_token(pull_descriptor *desc, challenge *c)
|
|
return 0;
|
|
}
|
|
|
|
- free(c->cached_token);
|
|
+ util_free_sensitive_string(c->cached_token);
|
|
c->cached_token = NULL;
|
|
c->expires_time = 0;
|
|
|
|
@@ -317,8 +317,10 @@ static int get_bearer_token(pull_descriptor *desc, challenge *c)
|
|
|
|
if (token->token != NULL) {
|
|
c->cached_token = util_strdup_s(token->token);
|
|
+ util_memset_sensitive_string(token->token);
|
|
} else if (token->access_token != NULL) {
|
|
c->cached_token = util_strdup_s(token->access_token);
|
|
+ util_memset_sensitive_string(token->access_token);
|
|
} else {
|
|
ret = -1;
|
|
ERROR("no valid token found");
|
|
@@ -399,7 +401,7 @@ static int setup_auth_challenges(pull_descriptor *desc, char ***custom_headers)
|
|
goto out;
|
|
}
|
|
count++;
|
|
- free(auth_header);
|
|
+ util_free_sensitive_string(auth_header);
|
|
auth_header = NULL;
|
|
}
|
|
|
|
@@ -408,7 +410,7 @@ static int setup_auth_challenges(pull_descriptor *desc, char ***custom_headers)
|
|
}
|
|
|
|
out:
|
|
- free(auth_header);
|
|
+ util_free_sensitive_string(auth_header);
|
|
auth_header = NULL;
|
|
|
|
return ret;
|
|
diff --git a/src/daemon/modules/image/oci/registry/registry_apiv2.c b/src/daemon/modules/image/oci/registry/registry_apiv2.c
|
|
index d5bfa723..885302cb 100644
|
|
--- a/src/daemon/modules/image/oci/registry/registry_apiv2.c
|
|
+++ b/src/daemon/modules/image/oci/registry/registry_apiv2.c
|
|
@@ -193,7 +193,7 @@ static int parse_auth(pull_descriptor *desc, char *auth)
|
|
}
|
|
|
|
out:
|
|
- free(origin_tmp_auth);
|
|
+ util_free_sensitive_string(origin_tmp_auth);
|
|
origin_tmp_auth = NULL;
|
|
|
|
return ret;
|
|
diff --git a/src/daemon/modules/image/oci/registry_type.c b/src/daemon/modules/image/oci/registry_type.c
|
|
index 51fc1697..4556617f 100644
|
|
--- a/src/daemon/modules/image/oci/registry_type.c
|
|
+++ b/src/daemon/modules/image/oci/registry_type.c
|
|
@@ -32,7 +32,7 @@ void free_challenge(challenge *c)
|
|
c->realm = NULL;
|
|
free(c->service);
|
|
c->service = NULL;
|
|
- free(c->cached_token);
|
|
+ util_free_sensitive_string(c->cached_token);
|
|
c->cached_token = NULL;
|
|
c->expires_time = 0;
|
|
|
|
diff --git a/src/utils/cutils/utils_array.c b/src/utils/cutils/utils_array.c
|
|
index 4e2ed6fd..2d7dc556 100644
|
|
--- a/src/utils/cutils/utils_array.c
|
|
+++ b/src/utils/cutils/utils_array.c
|
|
@@ -38,6 +38,22 @@ void util_free_array_by_len(char **array, size_t len)
|
|
free(array);
|
|
}
|
|
|
|
+void util_free_sensitive_array_by_len(char **array, size_t len)
|
|
+{
|
|
+ size_t i = 0;
|
|
+
|
|
+ if (array == NULL) {
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ for (; i < len; i++) {
|
|
+ util_free_sensitive_string(array[i]);
|
|
+ array[i] = NULL;
|
|
+ }
|
|
+
|
|
+ free(array);
|
|
+}
|
|
+
|
|
size_t util_array_len(const char **array)
|
|
{
|
|
const char **pos;
|
|
@@ -60,6 +76,17 @@ void util_free_array(char **array)
|
|
free(array);
|
|
}
|
|
|
|
+void util_free_sensitive_array(char **array)
|
|
+{
|
|
+ char **p;
|
|
+
|
|
+ for (p = array; p != NULL && *p != NULL; p++) {
|
|
+ util_free_sensitive_string(*p);
|
|
+ *p = NULL;
|
|
+ }
|
|
+ free(array);
|
|
+}
|
|
+
|
|
int util_array_append(char ***array, const char *element)
|
|
{
|
|
size_t len;
|
|
diff --git a/src/utils/cutils/utils_array.h b/src/utils/cutils/utils_array.h
|
|
index de465d2a..c1403f85 100644
|
|
--- a/src/utils/cutils/utils_array.h
|
|
+++ b/src/utils/cutils/utils_array.h
|
|
@@ -36,6 +36,10 @@ int util_grow_array(char ***orig_array, size_t *orig_capacity, size_t size,
|
|
|
|
int util_array_append(char ***array, const char *element);
|
|
|
|
+void util_free_sensitive_array(char **array);
|
|
+
|
|
+void util_free_sensitive_array_by_len(char **array, size_t len);
|
|
+
|
|
#ifdef __cplusplus
|
|
}
|
|
#endif
|
|
diff --git a/src/utils/http/http.c b/src/utils/http/http.c
|
|
index 6759a28d..2b77c422 100644
|
|
--- a/src/utils/http/http.c
|
|
+++ b/src/utils/http/http.c
|
|
@@ -65,7 +65,7 @@ void free_http_get_options(struct http_get_options *options)
|
|
free(options->unix_socket_path);
|
|
options->unix_socket_path = NULL;
|
|
|
|
- util_free_array(options->custom_headers);
|
|
+ util_free_sensitive_array(options->custom_headers);
|
|
options->custom_headers = NULL;
|
|
|
|
free(options->ca_file);
|
|
--
|
|
2.25.1
|
|
|