author | 2017-05-03 09:51:39 +0000 | |
---|---|---|
committer | 2017-05-03 09:51:39 +0000 | |
commit | 3a7efd937573e0e5ebd63e3cb5eba79209e397fc (patch) | |
tree | 16cbdf26d86193742cae841dc8da6d0d1096596d | |
parent | Change the ip6_setmoptions() function to receive the rdomain as a new (diff) | |
Use the safe idiom of cleaning sensitive data from memory with explicit_bzero,
instead of relying on other methods, after readpassphrase. Some programs on
this diff won't benefit that much since it happens near the terminal path, but
someone might copy the unsafe idiom to another program and place it where it
may leak sensitive data.
Discussed aeons ago with tb@, OK deraadt@ and beck@
-rw-r--r-- | sbin/init/init.c | 7 | ||||
-rw-r--r-- | usr.bin/encrypt/encrypt.c | 3 | ||||
-rw-r--r-- | usr.bin/lock/lock.c | 14 | ||||
-rw-r--r-- | usr.bin/skey/skey.c | 8 | ||||
-rw-r--r-- | usr.bin/x99token/x99token.c | 6 | ||||
-rw-r--r-- | usr.sbin/tokeninit/tokeninit.c | 4 |
6 files changed, 27 insertions, 15 deletions
diff --git a/sbin/init/init.c b/sbin/init/init.c
index a2dff9bfafa..1c0e4ce5e73 100644
--- a/sbin/init/init.c
+++ b/sbin/init/init.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: init.c,v 1.63 2017/03/02 10:38:09 natano Exp $ */
+/* $OpenBSD: init.c,v 1.64 2017/05/03 09:51:39 mestre Exp $ */
 /* $NetBSD: init.c,v 1.22 1996/05/15 23:29:33 jtc Exp $ */
 /*-
@@ -561,12 +561,13 @@ f_single_user(void)
 write(STDERR_FILENO, banner, sizeof banner - 1);
 for (;;) {
 int ok = 0;
- clear = readpassphrase("Password:", pbuf, sizeof(pbuf), RPP_ECHO_OFF);
+ clear = readpassphrase("Password:", pbuf,
+ sizeof(pbuf), RPP_ECHO_OFF);
 if (clear == NULL || *clear == '\0')
 _exit(0);
 if (crypt_checkpass(clear, pp->pw_passwd) == 0)
 ok = 1;
- memset(clear, 0, strlen(clear));
+ explicit_bzero(pbuf, sizeof(pbuf));
 if (ok)
 break;
 warning("single-user login failed\n");
diff --git a/usr.bin/encrypt/encrypt.c b/usr.bin/encrypt/encrypt.c
index 5a80fdd081f..5670929b51d 100644
--- a/usr.bin/encrypt/encrypt.c
+++ b/usr.bin/encrypt/encrypt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: encrypt.c,v 1.45 2016/09/04 15:36:13 tb Exp $ */
+/* $OpenBSD: encrypt.c,v 1.46 2017/05/03 09:51:39 mestre Exp $ */
 /*
 * Copyright (c) 1996, Jason Downs. All rights reserved.
@@ -134,6 +134,7 @@ main(int argc, char **argv)
 err(1, "readpassphrase");
 print_passwd(string, operation, extra);
 (void)fputc('\n', stdout);
+ explicit_bzero(string, sizeof(string));
 } else {
 size_t len;
 /* Encrypt stdin to stdout. */
diff --git a/usr.bin/lock/lock.c b/usr.bin/lock/lock.c
index 9aeb0c5560e..b403f55459c 100644
--- a/usr.bin/lock/lock.c
+++ b/usr.bin/lock/lock.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: lock.c,v 1.33 2016/05/28 16:11:10 tedu Exp $ */
+/* $OpenBSD: lock.c,v 1.34 2017/05/03 09:51:39 mestre Exp $ */
 /* $NetBSD: lock.c,v 1.8 1996/05/07 18:32:31 jtc Exp $ */
 /*
@@ -162,7 +162,7 @@ main(int argc, char *argv[])
 warnx("\apasswords didn't match.");
 exit(1);
 }
- s[0] = '\0';
+ explicit_bzero(s, sizeof(s));
 }
 /* set signal handlers */
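Review bot: The `_exit(0)` path taken when readpassphrase returns NULL or an empty string still leaves pbuf unscrubbed; the new `explicit_bzero(pbuf, sizeof(pbuf))` is only reached after a non-empty attempt has been checked. A NULL return may follow a partially read line, so pbuf can hold fragments at that point; the process exits immediately, so the exposure is small, but the same guard is cheap to close with `explicit_bzero(pbuf, sizeof(pbuf));` placed before `_exit(0)` inside braces. Replacing `memset(clear, 0, strlen(clear))` with a scrub of the whole buffer is the right change, since the old call only covered the visible prefix and could be elided. f_single_user continues outside the hunk on both sides.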
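Review bot: The scrub of `string` in encrypt.c runs only on the success path; when readpassphrase fails, the `err(1, "readpassphrase")` on the hunk's first line exits without clearing the buffer, whereas the skey.c hunk in this same commit scrubs before its `errx`. For consistency, add `explicit_bzero(string, sizeof(string));` ahead of that `err` call (the readpassphrase call itself is just outside the hunk). `sizeof(string)` is only correct if `string` is declared as a fixed-size array in this scope; it is passed to readpassphrase so that is presumably the case, but the declaration is not visible and should be confirmed. Whether print_passwd keeps its own copy of the plaintext cannot be seen from here either.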
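Review bot: The mismatch path two lines above the changed line, `warnx("\apasswords didn't match."); exit(1);`, still leaves both `s` and `s1` holding the entered passphrases, while the match path now scrubs `s`; clear both before that exit with `explicit_bzero(s, sizeof(s)); explicit_bzero(s1, sizeof(s1));`. Unlike `_exit`, `exit(1)` runs atexit handlers and stdio flushing first, so the buffers outlive the decision by more than a syscall. Keeping `s1` intact on the match path looks intentional, since the second lock.c hunk later compares `s` against `s1`. main continues outside the hunk on both sides.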
@@ -205,10 +205,16 @@ main(int argc, char *argv[])
 p = NULL;
 else
 p = s;
- if (auth_userokay(pw->pw_name, nstyle, "auth-lock", p))
+ if (auth_userokay(pw->pw_name, nstyle, "auth-lock",
+ p)) {
+ explicit_bzero(s, sizeof(s));
 break;
- } else if (strcmp(s, s1) == 0)
+ }
+ } else if (strcmp(s, s1) == 0) {
+ explicit_bzero(s, sizeof(s));
+ explicit_bzero(s1, sizeof(s1));
 break;
+ }
 (void)putc('\a', stderr);
 cnt %= tries;
 if (++cnt > backoff) {
diff --git a/usr.bin/skey/skey.c b/usr.bin/skey/skey.c
index f72beee4d0c..9f5f6b5cb47 100644
--- a/usr.bin/skey/skey.c
+++ b/usr.bin/skey/skey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: skey.c,v 1.33 2015/12/01 00:00:19 millert Exp $ */
+/* $OpenBSD: skey.c,v 1.34 2017/05/03 09:51:39 mestre Exp $ */
 /*
 * OpenBSD S/Key (skey.c)
 *
@@ -122,8 +122,12 @@ main(int argc, char *argv[])
 exit(1);
 /* Crunch seed and passphrase into starting key */
- if (keycrunch(key, seed, passwd) != 0)
+ if (keycrunch(key, seed, passwd) != 0) {
+ explicit_bzero(passwd, sizeof(passwd));
 errx(1, "key crunch failed");
+ }
+
+ explicit_bzero(passwd, sizeof(passwd));
 if (cnt == 1) {
 while (n-- != 0)
diff --git a/usr.bin/x99token/x99token.c b/usr.bin/x99token/x99token.c
index 0aaa0919bdc..4775f1b0882 100644
--- a/usr.bin/x99token/x99token.c
+++ b/usr.bin/x99token/x99token.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x99token.c,v 1.12 2015/10/15 19:30:03 bluhm Exp $ */
+/* $OpenBSD: x99token.c,v 1.13 2017/05/03 09:51:39 mestre Exp $ */
 /*
 * X9.9 calculator
@@ -169,8 +169,8 @@ main(int argc, char **argv)
 predict(ks, buf, cnt);
- memset(&ks, 0, sizeof(ks));
- memset(buf, 0, sizeof(buf));
+ explicit_bzero(&ks, sizeof(ks));
+ explicit_bzero(buf, sizeof(buf));
 exit(0);
 }
diff --git a/usr.sbin/tokeninit/tokeninit.c b/usr.sbin/tokeninit/tokeninit.c
index a40ab28bb59..88993a9818b 100644
--- a/usr.sbin/tokeninit/tokeninit.c
+++ b/usr.sbin/tokeninit/tokeninit.c
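Review bot: The `auth_userokay` success branch clears only `s`, while the `strcmp(s, s1)` branch clears both `s` and `s1`; `s1` still holds the lock passphrase at that point (it is what the next branch compares against), so on the first exit it survives the `break`. Add `explicit_bzero(s1, sizeof(s1));` after the existing `explicit_bzero(s, sizeof(s));` in the first branch, or scrub both once at the point the `break` lands, which is outside the hunk. The retry path through `(void)putc('\a', stderr)` leaves the failed attempt in `s` until the next readpassphrase overwrites it; that is within the same loop and acceptable. Whether `auth_userokay` retains a copy of `p` internally is not visible here. main continues outside the hunk on both sides.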
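Review bot: In skey.c the two `explicit_bzero(passwd, sizeof(passwd))` calls around the `keycrunch` check duplicate the scrub and are the only reason the branch needs braces; capturing the result first clears the passphrase once regardless of outcome: `rc = keycrunch(key, seed, passwd); explicit_bzero(passwd, sizeof(passwd)); if (rc != 0) errx(1, "key crunch failed");` with `rc` declared alongside main's other locals outside the hunk. A single unconditional scrub also cannot be forgotten by a later error branch inserted between the call and the check. `key` presumably holds the derived material after this point and is not cleared in this hunk; whether it is scrubbed after the printing loop is outside the visible range.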
@@ -1,4 +1,4 @@
-/* $OpenBSD: tokeninit.c,v 1.12 2016/03/22 00:06:55 bluhm Exp $ */
+/* $OpenBSD: tokeninit.c,v 1.13 2017/05/03 09:51:39 mestre Exp $ */
 /*-
 * Copyright (c) 1995 Migration Associates Corp. All Rights Reserved
@@ -149,7 +149,7 @@ main(int argc, char **argv)
 tt->name);
 exit(1);
 }
- memset(secret, 0, sizeof(secret));
+ explicit_bzero(secret, sizeof(secret));
 if (parse_secret(hexformat, seed, secret)) {
 fprintf(stderr, "%sinit: Invalid secret entered.\n",