From b1317d39840688070268acb960f4abbb4b537621 Mon Sep 17 00:00:00 2001 From: Andrew Zaborowski Date: Tue, 19 Mar 2019 01:25:25 +0100 Subject: [PATCH] eap-aka: Memzero secrets after use --- src/eap-aka.c | 44 +++++++++++++++++++++++++++++++------------- 1 file changed, 31 insertions(+), 13 deletions(-) diff --git a/src/eap-aka.c b/src/eap-aka.c index 24674ef8..2f5b15d4 100644 --- a/src/eap-aka.c +++ b/src/eap-aka.c @@ -107,6 +107,16 @@ struct eap_aka_handle { unsigned int auth_watch; }; +static void eap_aka_clear_secrets(struct eap_aka_handle *aka) +{ + explicit_bzero(aka->mk, sizeof(aka->mk)); + explicit_bzero(aka->k_encr, sizeof(aka->k_encr)); + explicit_bzero(aka->k_aut, sizeof(aka->k_aut)); + explicit_bzero(aka->k_re, sizeof(aka->k_re)); + explicit_bzero(aka->msk, sizeof(aka->msk)); + explicit_bzero(aka->emsk, sizeof(aka->emsk)); +} + static void eap_aka_free(struct eap_state *eap) { struct eap_aka_handle *aka = eap_get_data(eap); @@ -114,6 +124,8 @@ static void eap_aka_free(struct eap_state *eap) if (aka->auth) sim_auth_unregistered_watch_remove(aka->auth, aka->auth_watch); + eap_aka_clear_secrets(aka); + l_free(aka->identity); l_free(aka->kdf_in); l_free(aka); @@ -160,12 +172,9 @@ static void check_milenage_cb(const uint8_t *res, const uint8_t *ck, struct eap_state *eap = data; struct eap_aka_handle *aka = eap_get_data(eap); - uint8_t prng_buf[160]; size_t resp_len = aka->protected ? 44 : 40; uint8_t response[resp_len + 4]; uint8_t *pos = response; - uint8_t ik_p[EAP_AKA_IK_LEN]; - uint8_t ck_p[EAP_AKA_CK_LEN]; if (auts) { /* @@ -190,6 +199,10 @@ static void check_milenage_cb(const uint8_t *res, const uint8_t *ck, goto chal_error; if (aka->type == EAP_TYPE_AKA_PRIME) { + bool r; + uint8_t ik_p[EAP_AKA_IK_LEN]; + uint8_t ck_p[EAP_AKA_CK_LEN]; + if (!eap_aka_derive_primes(ck, ik, aka->autn, (uint8_t *)aka->kdf_in, strlen(aka->kdf_in), ck_p, ik_p)) { @@ -197,12 +210,19 @@ static void check_milenage_cb(const uint8_t *res, const uint8_t *ck, goto chal_fatal; } - if (!eap_aka_prf_prime(ik_p, ck_p, aka->identity, aka->k_encr, - aka->k_aut, aka->k_re, aka->msk, aka->emsk)) { + r = eap_aka_prf_prime(ik_p, ck_p, aka->identity, aka->k_encr, + aka->k_aut, aka->k_re, aka->msk, aka->emsk); + explicit_bzero(ik_p, sizeof(ik_p)); + explicit_bzero(ck_p, sizeof(ck_p)); + + if (!r) { l_error("could not derive encryption keys"); goto chal_fatal; } } else { + uint8_t prng_buf[160]; + bool r; + if (!derive_aka_mk(aka->identity, ik, ck, aka->mk)) { l_error("error deriving MK"); goto chal_fatal; @@ -210,8 +230,11 @@ static void check_milenage_cb(const uint8_t *res, const uint8_t *ck, eap_sim_fips_prf(aka->mk, 20, prng_buf, 160); - if (!eap_sim_get_encryption_keys(prng_buf, aka->k_encr, - aka->k_aut, aka->msk, aka->emsk)) { + r = eap_sim_get_encryption_keys(prng_buf, aka->k_encr, + aka->k_aut, aka->msk, aka->emsk); + explicit_bzero(prng_buf, sizeof(prng_buf)); + + if (!r) { l_error("could not derive encryption keys"); goto chal_fatal; } @@ -695,12 +718,7 @@ static bool eap_aka_reset_state(struct eap_state *eap) l_free(aka->chal_pkt); aka->chal_pkt = NULL; - memset(aka->mk, 0, sizeof(aka->mk)); - memset(aka->k_encr, 0, sizeof(aka->k_encr)); - memset(aka->k_aut, 0, sizeof(aka->k_aut)); - memset(aka->msk, 0, sizeof(aka->msk)); - memset(aka->emsk, 0, sizeof(aka->emsk)); - memset(aka->k_re, 0, sizeof(aka->k_re)); + eap_aka_clear_secrets(aka); memset(aka->autn, 0, sizeof(aka->autn)); return true;