Simplify password storage in krb5_gss_cred_id_rec

The password is always zero-terminated, so we can store it as a char *
instead of a krb5_data.

src/lib/gssapi/krb5/acquire_cred.c

@@ -316,7 +316,7 @@ prep_ccache(krb5_context context, krb5_gss_cred_id_rec *cred,
 {
     krb5_error_code code;
     krb5_principal ccache_princ;
-    krb5_data password_data = make_data(password->value, password->length);
+    krb5_data pwdata = make_data(password->value, password->length), pwcopy;
     krb5_boolean eq;
     const char *cctype;
     krb5_ccache newcache = NULL;
@@ -353,10 +353,10 @@ prep_ccache(krb5_context context, krb5_gss_cred_id_rec *cred,
     }
 
     /* Stash the password for later. */
-    code = krb5int_copy_data_contents_add0(context, &password_data,
-                                           &cred->password);
+    code = krb5int_copy_data_contents_add0(context, &pwdata, &pwcopy);
     if (code)
         return code;
+    cred->password = pwcopy.data;
 
     if (newcache) {
         krb5_cc_close(context, ccache);

src/lib/gssapi/krb5/gssapiP_krb5.h

@@ -185,7 +185,7 @@ typedef struct _krb5_gss_cred_id_rec {
     krb5_ccache ccache;
     krb5_timestamp tgt_expire;
     krb5_enctype *req_enctypes;  /* limit negotiated enctypes to this list */
-    krb5_data password;
+    char *password;
 } krb5_gss_cred_id_rec, *krb5_gss_cred_id_t;
 
 typedef struct _krb5_gss_ctx_ext_rec {

src/lib/gssapi/krb5/iakerb.c

@@ -414,7 +414,7 @@ iakerb_init_creds_ctx(iakerb_ctx_id_t ctx,
 {
     krb5_error_code code;
 
-    if (cred->iakerb_mech == 0 || cred->password.data == NULL) {
+    if (cred->iakerb_mech == 0 || cred->password == NULL) {
         code = EINVAL;
         goto cleanup;
     }
@@ -444,8 +444,7 @@ iakerb_init_creds_ctx(iakerb_ctx_id_t ctx,
     if (code != 0)
         goto cleanup;
 
-    code = krb5_init_creds_set_password(ctx->k5c, ctx->icc,
-                                        cred->password.data);
+    code = krb5_init_creds_set_password(ctx->k5c, ctx->icc, cred->password);
     if (code != 0)
         goto cleanup;
 
@@ -678,7 +677,7 @@ iakerb_get_initial_state(iakerb_ctx_id_t ctx,
         code = krb5_get_credentials(ctx->k5c, KRB5_GC_CACHED,
                                     cred->ccache,
                                     &in_creds, &out_creds);
-        if (code == KRB5_CC_NOTFOUND && cred->password.data != NULL) {
+        if (code == KRB5_CC_NOTFOUND && cred->password != NULL) {
             *state = IAKERB_AS_REQ;
             code = 0;
         } else if (code == 0) {

src/lib/gssapi/krb5/init_sec_context.c

@@ -194,18 +194,16 @@ static krb5_error_code get_credentials(context, cred, server, now,
 
     code = krb5_get_credentials(context, flags, cred->ccache,
                                 &in_creds, &result_creds);
-    if (code == KRB5_CC_NOTFOUND && cred->password.data != NULL &&
+    if (code == KRB5_CC_NOTFOUND && cred->password != NULL &&
         !cred->iakerb_mech) {
         krb5_creds tgt_creds;
 
         memset(&tgt_creds, 0, sizeof(tgt_creds));
 
         /* No TGT in the ccache, but we can get one with the password. */
         code = krb5_get_init_creds_password(context, &tgt_creds,
-                                            in_creds.client,
-                                            cred->password.data,
-                                            NULL, NULL,
-                                            0, NULL, NULL);
+                                            in_creds.client, cred->password,
+                                            NULL, NULL, 0, NULL, NULL);
         if (code)
             goto cleanup;
 

src/lib/gssapi/krb5/rel_cred.c

@@ -76,10 +76,8 @@ krb5_gss_release_cred(minor_status, cred_handle)
     if (cred->req_enctypes)
         free(cred->req_enctypes);
 
-    if (cred->password.data) {
-        zap(cred->password.data, cred->password.length);
-        krb5_free_data_contents(context, &cred->password);
-    }
+    if (cred->password != NULL)
+        zapfree(cred->password, strlen(cred->password));
 
     xfree(cred);