3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-12-22 21:22:37 +01:00

eap,eapol,crypto: Replace uses of memset with explicit_bzero

Replace existing uses of memset to clear secrets with explicit_bzero to
make sure it doesn't get optimized away.  This has some side effects as
documented in gcc docs but is still recommended.

In eap_secret_info_free make sure we clear both strings in the case of
EAP_SECRET_REMOTE_USER_PASSWORD secrets.
This commit is contained in:
Andrew Zaborowski 2019-03-22 00:56:53 +01:00 committed by Denis Kenzior
parent acbba6028b
commit fa7db4be4d
5 changed files with 22 additions and 15 deletions

View File

@ -635,8 +635,8 @@ bool crypto_derive_pmk_r0(const uint8_t *xxkey,
r = true; r = true;
exit: exit:
memset(context, 0, pos); explicit_bzero(context, pos);
memset(output, 0, 48); explicit_bzero(output, 48);
return r; return r;
} }
@ -667,7 +667,7 @@ bool crypto_derive_pmk_r1(const uint8_t *pmk_r0,
sha256 = l_checksum_new(L_CHECKSUM_SHA256); sha256 = l_checksum_new(L_CHECKSUM_SHA256);
if (!sha256) { if (!sha256) {
memset(out_pmk_r1, 0, 32); explicit_bzero(out_pmk_r1, 32);
goto exit; goto exit;
} }
@ -679,7 +679,7 @@ bool crypto_derive_pmk_r1(const uint8_t *pmk_r0,
r = true; r = true;
exit: exit:
memset(context, 0, sizeof(context)); explicit_bzero(context, sizeof(context));
return r; return r;
} }
@ -714,7 +714,7 @@ bool crypto_derive_ft_ptk(const uint8_t *pmk_r1, const uint8_t *pmk_r1_name,
sha256 = l_checksum_new(L_CHECKSUM_SHA256); sha256 = l_checksum_new(L_CHECKSUM_SHA256);
if (!sha256) { if (!sha256) {
memset(out_ptk, 0, ptk_len); explicit_bzero(out_ptk, ptk_len);
goto exit; goto exit;
} }
@ -726,7 +726,7 @@ bool crypto_derive_ft_ptk(const uint8_t *pmk_r1, const uint8_t *pmk_r1_name,
r = true; r = true;
exit: exit:
memset(context, 0, sizeof(context)); explicit_bzero(context, sizeof(context));
return r; return r;
} }

View File

@ -194,9 +194,9 @@ static bool eap_mschapv2_reset_state(struct eap_state *eap)
static void eap_mschapv2_state_free(struct eap_mschapv2_state *state) static void eap_mschapv2_state_free(struct eap_mschapv2_state *state)
{ {
memset(state->password_hash, 0, sizeof(state->password_hash)); explicit_bzero(state->password_hash, sizeof(state->password_hash));
memset(state->user, 0, state->user_len); explicit_bzero(state->user, state->user_len);
l_free(state->user); l_free(state->user);
state->user_len = 0; state->user_len = 0;

View File

@ -180,7 +180,8 @@ void eap_tls_common_state_free(struct eap_state *eap)
l_free(eap_tls->client_key); l_free(eap_tls->client_key);
if (eap_tls->passphrase) { if (eap_tls->passphrase) {
memset(eap_tls->passphrase, 0, strlen(eap_tls->passphrase)); explicit_bzero(eap_tls->passphrase,
strlen(eap_tls->passphrase));
l_free(eap_tls->passphrase); l_free(eap_tls->passphrase);
} }

View File

@ -430,7 +430,8 @@ static void eap_ttls_phase2_credentials_destroy(
return; return;
if (credentials->password) if (credentials->password)
memset(credentials->password, 0, strlen(credentials->password)); explicit_bzero(credentials->password,
strlen(credentials->password));
l_free(credentials->username); l_free(credentials->username);
l_free(credentials->password); l_free(credentials->password);
@ -587,10 +588,10 @@ static void mschapv2_state_destroy(struct phase2_method *phase2)
if (!state) if (!state)
return; return;
memset(state->server_challenge, 0, MSCHAPV2_CHALLENGE_LEN + explicit_bzero(state->server_challenge, MSCHAPV2_CHALLENGE_LEN +
CHAP_IDENT_LEN); CHAP_IDENT_LEN);
memset(state->peer_challenge, 0, MSCHAPV2_CHALLENGE_LEN); explicit_bzero(state->peer_challenge, MSCHAPV2_CHALLENGE_LEN);
memset(state->password_hash, 0, 16); explicit_bzero(state->password_hash, 16);
l_free(state); l_free(state);
phase2->state = NULL; phase2->state = NULL;

View File

@ -404,12 +404,17 @@ void eap_secret_info_free(void *data)
return; return;
if (info->value) { if (info->value) {
memset(info->value, 0, strlen(info->value)); size_t value_len = strlen(info->value) + 1;
if (info->type == EAP_SECRET_REMOTE_USER_PASSWORD)
value_len += strlen(info->value + value_len);
explicit_bzero(info->value, value_len);
l_free(info->value); l_free(info->value);
} }
if (info->parameter) { if (info->parameter) {
memset(info->parameter, 0, strlen(info->parameter)); explicit_bzero(info->parameter, strlen(info->parameter));
l_free(info->parameter); l_free(info->parameter);
} }