Skip Menu |
 

Subject: GSSAPI opaque types should be pointers to opaque structs, not void*
Download (untitled) / with headers
text/plain 1.8KiB
In other words:

-typedef void * gss_name_t;
+struct gss_name_struct;
+typedef struct gss_name_struct * gss_name_t;

-typedef void * gss_cred_id_t;
+struct gss_cred_id_struct;
+typedef struct gss_cred_id_struct * gss_cred_id_t;

-typedef void * gss_ctx_id_t;
+struct gss_ctx_id_struct;
+typedef struct gss_ctx_id_struct * gss_ctx_id_t;

The problem with using void* in a C API is that it prevents static type checking. As a result
it's far too easy for callers to accidentally pass random things into GSSAPI function that take
these types without noticing. Because the our implementation does pointer validation, these
types of errors often turn into runtime errors such as memory leaks which go unnoticed for a
long time.

For reference purposes, here are the specifications of the opaque types in RFC 2744:

3.5. Credentials

A credential handle is a caller-opaque atomic datum that identifies a
GSS-API credential data structure. It is represented by the caller-
opaque type gss_cred_id_t, which should be implemented as a pointer
or arithmetic type. If a pointer implementation is chosen, care must
be taken to ensure that two gss_cred_id_t values may be compared with
the == operator.
[...]
3.6. Contexts

The gss_ctx_id_t data type contains a caller-opaque atomic value that
identifies one end of a GSS-API security context. It should be
implemented as a pointer or arithmetic type. If a pointer type is
chosen, care should be taken to ensure that two gss_ctx_id_t values
may be compared with the == operator.
[...]
3.10. Names
[...]
The gss_name_t datatype should be implemented as a pointer type. To
allow the compiler to aid the application programmer by performing
type-checking, the use of (void *) is discouraged. A pointer to an
implementation-defined type is the preferred choice.
From: lxs@mit.edu
Subject: SVN Commit
Changed GSSAPI opaque types (gss_name_t, gss_cred_id_t, gss_ctx_id_t) from
void* to pointers to opaque structs. This change removed some casts and
introduced or changed a bunch of other casts to suppress warnings.

krb5_gss_accept_sec_context(): Fixed a bug found by the above changes
where krb5_gss_release_cred() was being called with the wrong argument 2
(gss_cred_id_t instead of gss_cred_id_t*).

Commit By: lxs



Revision: 18396
Changed Files:
U trunk/src/lib/gssapi/generic/gssapi.hin
U trunk/src/lib/gssapi/generic/gssapiP_generic.h
U trunk/src/lib/gssapi/generic/util_validate.c
U trunk/src/lib/gssapi/krb5/accept_sec_context.c
U trunk/src/lib/gssapi/krb5/add_cred.c
U trunk/src/lib/gssapi/krb5/delete_sec_context.c
U trunk/src/lib/gssapi/krb5/duplicate_name.c
U trunk/src/lib/gssapi/krb5/init_sec_context.c
U trunk/src/lib/gssapi/krb5/inq_cred.c
U trunk/src/lib/gssapi/krb5/process_context_token.c
U trunk/src/lib/gssapi/krb5/rel_cred.c
U trunk/src/lib/gssapi/mechglue/g_glue.c
U trunk/src/lib/gssapi/mechglue/mglueP.h
Passed to Tom for code review.
Reviewed earlier; closing.