eap-tls,eap-peap: Memzero copies of secrets

2019-03-19 01:25:22 +01:00 · 2019-03-19 01:25:22 +01:00 · 5306e37279
parent a090b1ef52
commit 5306e37279
3 changed files with 7 additions and 0 deletions
--- a/src/eap-peap.c
+++ b/src/eap-peap.c
@ -201,6 +201,7 @@ static bool eap_peap_tunnel_ready(struct eap_state *eap,
 								msk_emsk, 128);

 	eap_set_key_material(eap, msk_emsk + 0, 64, NULL, 0, NULL, 0);
+	explicit_bzero(msk_emsk, sizeof(msk_emsk));

 	eap_tls_common_send_empty_response(eap);

--- a/src/eap-tls-common.c
+++ b/src/eap-tls-common.c
@ -912,6 +912,10 @@ done:
 			(l_queue_destroy_func_t) l_cert_free);
 	l_certchain_free(cert);
 	l_key_free(priv_key);
+
+	if (passphrase)
+		explicit_bzero(passphrase, strlen(passphrase));
+
 	return ret;
 }

--- a/src/eap-tls.c
+++ b/src/eap-tls.c
@ -49,6 +49,8 @@ static bool eap_tls_tunnel_ready(struct eap_state *eap,
 									iv, 64);

 	eap_set_key_material(eap, msk_emsk + 0, 64, msk_emsk + 64, 64, iv, 64);
+	explicit_bzero(msk_emsk, sizeof(msk_emsk));
+	explicit_bzero(iv, sizeof(iv));

 	eap_tls_common_send_empty_response(eap);