Kernel/iwd
3
0
Fork 0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2025-01-03 02:02:33 +01:00
Code Releases Activity

mschaputil: Memzero copies of secrets

Browse Source
This commit is contained in:
Andrew Zaborowski 2019-03-19 01:25:21 +01:00 committed by Denis Kenzior
parent 7031045dfb
commit 14572c0f1a
1 changed files with 21 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
src/mschaputil.c
View File

@ -51,6 +51,8 @@ static bool mschap_des_encrypt(const uint8_t challenge[static 8],
pkey[i] = next | 1; pkey[i] = next | 1;
cipher = l_cipher_new(L_CIPHER_DES, pkey, 8); cipher = l_cipher_new(L_CIPHER_DES, pkey, 8);
explicit_bzero(pkey, 8);
if (!cipher) if (!cipher)
return false; return false;
@ -64,20 +66,17 @@ bool mschap_challenge_response(const uint8_t *challenge,
const uint8_t *password_hash, uint8_t *response) const uint8_t *password_hash, uint8_t *response)
{ {
uint8_t buf[21]; uint8_t buf[21];
bool r;
memset(buf, 0, sizeof(buf)); memset(buf, 0, sizeof(buf));
memcpy(buf, password_hash, 16); memcpy(buf, password_hash, 16);
if (!mschap_des_encrypt(challenge, buf + 0, response + 0)) r = mschap_des_encrypt(challenge, buf + 0, response + 0) &&
return false; mschap_des_encrypt(challenge, buf + 7, response + 8) &&
mschap_des_encrypt(challenge, buf + 14, response + 16);
if (!mschap_des_encrypt(challenge, buf + 7, response + 8)) explicit_bzero(buf, sizeof(buf));
return false; return r;
if (!mschap_des_encrypt(challenge, buf + 14, response + 16))
return false;
return true;
} }
/** /**
@ -95,6 +94,7 @@ bool mschap_nt_password_hash(const char *password, uint8_t *password_hash)
uint16_t buffer[size]; uint16_t buffer[size];
unsigned int i, pos; unsigned int i, pos;
struct l_checksum *check; struct l_checksum *check;
bool r = false;
for (i = 0, pos = 0; i < size; ++i) { for (i = 0, pos = 0; i < size; ++i) {
wchar_t val; wchar_t val;
@ -104,7 +104,7 @@ bool mschap_nt_password_hash(const char *password, uint8_t *password_hash)
if (val > 0xFFFF) { if (val > 0xFFFF) {
l_error("Encountered password with value not valid in " l_error("Encountered password with value not valid in "
"ucs-2"); "ucs-2");
return false; goto cleanup;
} }
buffer[i] = L_CPU_TO_LE16(val); buffer[i] = L_CPU_TO_LE16(val);
@ -112,13 +112,16 @@ bool mschap_nt_password_hash(const char *password, uint8_t *password_hash)
check = l_checksum_new(L_CHECKSUM_MD4); check = l_checksum_new(L_CHECKSUM_MD4);
if (!check) if (!check)
return false; goto cleanup;
l_checksum_update(check, (uint8_t *) buffer, size * 2); l_checksum_update(check, (uint8_t *) buffer, size * 2);
l_checksum_get_digest(check, password_hash, 16); l_checksum_get_digest(check, password_hash, 16);
l_checksum_free(check); l_checksum_free(check);
r = true;
return true; cleanup:
explicit_bzero(buffer, size * 2);
return r;
} }
static const char *mschapv2_exlude_domain_name(const char *username) static const char *mschapv2_exlude_domain_name(const char *username)
@ -189,6 +192,7 @@ bool mschapv2_generate_nt_response(const uint8_t password_hash[static 16],
{ {
uint8_t challenge[8]; uint8_t challenge[8];
uint8_t buffer[21]; uint8_t buffer[21];
bool r;
if (!mschapv2_challenge_hash(peer_challenge, server_challenge, user, if (!mschapv2_challenge_hash(peer_challenge, server_challenge, user,
challenge)) challenge))
@ -197,16 +201,12 @@ bool mschapv2_generate_nt_response(const uint8_t password_hash[static 16],
memset(buffer, 0, sizeof(buffer)); memset(buffer, 0, sizeof(buffer));
memcpy(buffer, password_hash, 16); memcpy(buffer, password_hash, 16);
if (!mschap_des_encrypt(challenge, buffer + 0, response + 0)) r = mschap_des_encrypt(challenge, buffer + 0, response + 0) &&
return false; mschap_des_encrypt(challenge, buffer + 7, response + 8) &&
mschap_des_encrypt(challenge, buffer + 14, response + 16);
if (!mschap_des_encrypt(challenge, buffer + 7, response + 8)) explicit_bzero(buffer, sizeof(buffer));
return false; return r;
if (!mschap_des_encrypt(challenge, buffer + 14, response + 16))
return false;
return true;
} }
/** /**