mirror of
https://git.kernel.org/pub/scm/network/wireless/iwd.git
synced 2024-12-22 21:22:37 +01:00
eap,eapol,crypto: Replace uses of memset with explicit_bzero
Replace existing uses of memset to clear secrets with explicit_bzero to make sure it doesn't get optimized away. This has some side effects as documented in gcc docs but is still recommended. In eap_secret_info_free make sure we clear both strings in the case of EAP_SECRET_REMOTE_USER_PASSWORD secrets.
This commit is contained in:
parent
acbba6028b
commit
fa7db4be4d
12
src/crypto.c
12
src/crypto.c
@ -635,8 +635,8 @@ bool crypto_derive_pmk_r0(const uint8_t *xxkey,
|
|||||||
r = true;
|
r = true;
|
||||||
|
|
||||||
exit:
|
exit:
|
||||||
memset(context, 0, pos);
|
explicit_bzero(context, pos);
|
||||||
memset(output, 0, 48);
|
explicit_bzero(output, 48);
|
||||||
|
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
@ -667,7 +667,7 @@ bool crypto_derive_pmk_r1(const uint8_t *pmk_r0,
|
|||||||
|
|
||||||
sha256 = l_checksum_new(L_CHECKSUM_SHA256);
|
sha256 = l_checksum_new(L_CHECKSUM_SHA256);
|
||||||
if (!sha256) {
|
if (!sha256) {
|
||||||
memset(out_pmk_r1, 0, 32);
|
explicit_bzero(out_pmk_r1, 32);
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -679,7 +679,7 @@ bool crypto_derive_pmk_r1(const uint8_t *pmk_r0,
|
|||||||
r = true;
|
r = true;
|
||||||
|
|
||||||
exit:
|
exit:
|
||||||
memset(context, 0, sizeof(context));
|
explicit_bzero(context, sizeof(context));
|
||||||
|
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
@ -714,7 +714,7 @@ bool crypto_derive_ft_ptk(const uint8_t *pmk_r1, const uint8_t *pmk_r1_name,
|
|||||||
|
|
||||||
sha256 = l_checksum_new(L_CHECKSUM_SHA256);
|
sha256 = l_checksum_new(L_CHECKSUM_SHA256);
|
||||||
if (!sha256) {
|
if (!sha256) {
|
||||||
memset(out_ptk, 0, ptk_len);
|
explicit_bzero(out_ptk, ptk_len);
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -726,7 +726,7 @@ bool crypto_derive_ft_ptk(const uint8_t *pmk_r1, const uint8_t *pmk_r1_name,
|
|||||||
r = true;
|
r = true;
|
||||||
|
|
||||||
exit:
|
exit:
|
||||||
memset(context, 0, sizeof(context));
|
explicit_bzero(context, sizeof(context));
|
||||||
|
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
@ -194,9 +194,9 @@ static bool eap_mschapv2_reset_state(struct eap_state *eap)
|
|||||||
|
|
||||||
static void eap_mschapv2_state_free(struct eap_mschapv2_state *state)
|
static void eap_mschapv2_state_free(struct eap_mschapv2_state *state)
|
||||||
{
|
{
|
||||||
memset(state->password_hash, 0, sizeof(state->password_hash));
|
explicit_bzero(state->password_hash, sizeof(state->password_hash));
|
||||||
|
|
||||||
memset(state->user, 0, state->user_len);
|
explicit_bzero(state->user, state->user_len);
|
||||||
l_free(state->user);
|
l_free(state->user);
|
||||||
state->user_len = 0;
|
state->user_len = 0;
|
||||||
|
|
||||||
|
@ -180,7 +180,8 @@ void eap_tls_common_state_free(struct eap_state *eap)
|
|||||||
l_free(eap_tls->client_key);
|
l_free(eap_tls->client_key);
|
||||||
|
|
||||||
if (eap_tls->passphrase) {
|
if (eap_tls->passphrase) {
|
||||||
memset(eap_tls->passphrase, 0, strlen(eap_tls->passphrase));
|
explicit_bzero(eap_tls->passphrase,
|
||||||
|
strlen(eap_tls->passphrase));
|
||||||
l_free(eap_tls->passphrase);
|
l_free(eap_tls->passphrase);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -430,7 +430,8 @@ static void eap_ttls_phase2_credentials_destroy(
|
|||||||
return;
|
return;
|
||||||
|
|
||||||
if (credentials->password)
|
if (credentials->password)
|
||||||
memset(credentials->password, 0, strlen(credentials->password));
|
explicit_bzero(credentials->password,
|
||||||
|
strlen(credentials->password));
|
||||||
|
|
||||||
l_free(credentials->username);
|
l_free(credentials->username);
|
||||||
l_free(credentials->password);
|
l_free(credentials->password);
|
||||||
@ -587,10 +588,10 @@ static void mschapv2_state_destroy(struct phase2_method *phase2)
|
|||||||
if (!state)
|
if (!state)
|
||||||
return;
|
return;
|
||||||
|
|
||||||
memset(state->server_challenge, 0, MSCHAPV2_CHALLENGE_LEN +
|
explicit_bzero(state->server_challenge, MSCHAPV2_CHALLENGE_LEN +
|
||||||
CHAP_IDENT_LEN);
|
CHAP_IDENT_LEN);
|
||||||
memset(state->peer_challenge, 0, MSCHAPV2_CHALLENGE_LEN);
|
explicit_bzero(state->peer_challenge, MSCHAPV2_CHALLENGE_LEN);
|
||||||
memset(state->password_hash, 0, 16);
|
explicit_bzero(state->password_hash, 16);
|
||||||
|
|
||||||
l_free(state);
|
l_free(state);
|
||||||
phase2->state = NULL;
|
phase2->state = NULL;
|
||||||
|
@ -404,12 +404,17 @@ void eap_secret_info_free(void *data)
|
|||||||
return;
|
return;
|
||||||
|
|
||||||
if (info->value) {
|
if (info->value) {
|
||||||
memset(info->value, 0, strlen(info->value));
|
size_t value_len = strlen(info->value) + 1;
|
||||||
|
|
||||||
|
if (info->type == EAP_SECRET_REMOTE_USER_PASSWORD)
|
||||||
|
value_len += strlen(info->value + value_len);
|
||||||
|
|
||||||
|
explicit_bzero(info->value, value_len);
|
||||||
l_free(info->value);
|
l_free(info->value);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (info->parameter) {
|
if (info->parameter) {
|
||||||
memset(info->parameter, 0, strlen(info->parameter));
|
explicit_bzero(info->parameter, strlen(info->parameter));
|
||||||
l_free(info->parameter);
|
l_free(info->parameter);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user