mirror of
https://git.kernel.org/pub/scm/network/wireless/iwd.git
synced 2024-12-22 04:32:37 +01:00
eap-ttls: Memzero copies of secrets
The AVP buffers are cleared because some plaintext secrets get written into them.
This commit is contained in:
Andrew Zaborowski
Denis Kenzior
parent
14572c0f1a
commit
2133e8a9fc
@ -155,6 +155,7 @@ static uint8_t *avp_builder_free(struct avp_builder *builder, bool free_data,
|
|||||||
uint8_t *ret;
|
uint8_t *ret;
|
||||||
|
|
||||||
if (free_data) {
|
if (free_data) {
|
||||||
|
explicit_bzero(builder->buf, builder->pos);
|
||||||
l_free(builder->buf);
|
l_free(builder->buf);
|
||||||
builder->buf = NULL;
|
builder->buf = NULL;
|
||||||
}
|
}
|
||||||
@ -514,10 +515,12 @@ static bool eap_ttls_phase2_chap_init(struct eap_state *eap)
|
|||||||
build_avp_user_name(builder, credentials->username);
|
build_avp_user_name(builder, credentials->username);
|
||||||
build_avp_chap_challenge(builder, challenge);
|
build_avp_chap_challenge(builder, challenge);
|
||||||
build_avp_chap_password(builder, &ident, password_hash);
|
build_avp_chap_password(builder, &ident, password_hash);
|
||||||
|
explicit_bzero(password_hash, sizeof(password_hash));
|
||||||
|
|
||||||
data = avp_builder_free(builder, false, &data_len);
|
data = avp_builder_free(builder, false, &data_len);
|
||||||
|
|
||||||
eap_tls_common_tunnel_send(eap, data, data_len);
|
eap_tls_common_tunnel_send(eap, data, data_len);
|
||||||
|
explicit_bzero(data, data_len);
|
||||||
l_free(data);
|
l_free(data);
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
@ -556,10 +559,12 @@ static bool eap_ttls_phase2_ms_chap_init(struct eap_state *eap)
|
|||||||
mschap_nt_password_hash(credentials->password, password_hash);
|
mschap_nt_password_hash(credentials->password, password_hash);
|
||||||
|
|
||||||
build_avp_ms_chap_response(builder, &ident, challenge, password_hash);
|
build_avp_ms_chap_response(builder, &ident, challenge, password_hash);
|
||||||
|
explicit_bzero(password_hash, sizeof(password_hash));
|
||||||
|
|
||||||
data = avp_builder_free(builder, false, &data_len);
|
data = avp_builder_free(builder, false, &data_len);
|
||||||
|
|
||||||
eap_tls_common_tunnel_send(eap, data, data_len);
|
eap_tls_common_tunnel_send(eap, data, data_len);
|
||||||
|
explicit_bzero(data, data_len);
|
||||||
l_free(data);
|
l_free(data);
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
@ -664,6 +669,7 @@ static bool eap_ttls_phase2_mschapv2_handle_success(struct eap_state *eap,
|
|||||||
uint8_t nt_response[MSCHAPV2_RESPONSE_LEN];
|
uint8_t nt_response[MSCHAPV2_RESPONSE_LEN];
|
||||||
char nt_server_response[MSCHAPV2_SERVER_RESPONSE_LEN];
|
char nt_server_response[MSCHAPV2_SERVER_RESPONSE_LEN];
|
||||||
uint8_t password_hash_hash[16];
|
uint8_t password_hash_hash[16];
|
||||||
|
bool r;
|
||||||
|
|
||||||
if (len != CHAP_IDENT_LEN + MSCHAPV2_SERVER_RESPONSE_LEN) {
|
if (len != CHAP_IDENT_LEN + MSCHAPV2_SERVER_RESPONSE_LEN) {
|
||||||
l_error("TTLS Tunneled MSCHAPv2: Server response has invalid "
|
l_error("TTLS Tunneled MSCHAPv2: Server response has invalid "
|
||||||
@ -688,12 +694,15 @@ static bool eap_ttls_phase2_mschapv2_handle_success(struct eap_state *eap,
|
|||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!mschapv2_generate_authenticator_response(
|
r = mschapv2_generate_authenticator_response(
|
||||||
password_hash_hash, nt_response,
|
password_hash_hash, nt_response,
|
||||||
mschapv2_state->peer_challenge,
|
mschapv2_state->peer_challenge,
|
||||||
mschapv2_state->server_challenge,
|
mschapv2_state->server_challenge,
|
||||||
credentials->username,
|
credentials->username,
|
||||||
nt_server_response)) {
|
nt_server_response);
|
||||||
|
explicit_bzero(password_hash_hash, sizeof(password_hash_hash));
|
||||||
|
|
||||||
|
if (!r) {
|
||||||
l_error("TTLS Tunneled-MSCHAPv2: Failed to generate server "
|
l_error("TTLS Tunneled-MSCHAPv2: Failed to generate server "
|
||||||
"response.");
|
"response.");
|
||||||
goto error;
|
goto error;
|
||||||
@ -767,6 +776,7 @@ static bool eap_ttls_phase2_pap_init(struct eap_state *eap)
|
|||||||
buf = avp_builder_free(builder, false, &buf_len);
|
buf = avp_builder_free(builder, false, &buf_len);
|
||||||
|
|
||||||
eap_tls_common_tunnel_send(eap, buf, buf_len);
|
eap_tls_common_tunnel_send(eap, buf, buf_len);
|
||||||
|
explicit_bzero(buf, buf_len);
|
||||||
l_free(buf);
|
l_free(buf);
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
@ -909,6 +919,7 @@ static bool eap_ttls_tunnel_ready(struct eap_state *eap,
|
|||||||
msk_emsk, 128);
|
msk_emsk, 128);
|
||||||
|
|
||||||
eap_set_key_material(eap, msk_emsk + 0, 64, msk_emsk + 64, 64, NULL, 0);
|
eap_set_key_material(eap, msk_emsk + 0, 64, msk_emsk + 64, 64, NULL, 0);
|
||||||
|
explicit_bzero(msk_emsk, sizeof(msk_emsk));
|
||||||
|
|
||||||
if (phase2->ops->init)
|
if (phase2->ops->init)
|
||||||
return phase2->ops->init(eap);
|
return phase2->ops->init(eap);
|
||||||
@ -1014,7 +1025,8 @@ static int eap_ttls_check_tunneled_auth_settings(struct l_settings *settings,
|
|||||||
password_key, NULL, identity,
|
password_key, NULL, identity,
|
||||||
EAP_CACHE_TEMPORARY);
|
EAP_CACHE_TEMPORARY);
|
||||||
}
|
}
|
||||||
}
|
} else
|
||||||
|
explicit_bzero(password, strlen(password));
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user