authorjca <jca@openbsd.org>2017-11-17 20:48:30 +0000
committerjca <jca@openbsd.org>2017-11-17 20:48:30 +0000
commit7c1d736fc69fa93850ad62d110e1c77ecbebb9cd (patch)
treee596060b73b67ff68eae5e2a1dbab31c61ee088a /usr.sbin/pppd
parent#if -> #ifdef for consistency (diff)
Use explicit_bzero to erase secrets
from Scott Cheloa, ok tb@
Diffstat (limited to 'usr.sbin/pppd')
-rw-r--r--usr.sbin/pppd/auth.c16
-rw-r--r--usr.sbin/pppd/chap.c6
-rw-r--r--usr.sbin/pppd/pppd.h3
-rw-r--r--usr.sbin/pppd/upap.c4
4 files changed, 15 insertions, 14 deletions
diff --git a/usr.sbin/pppd/auth.c b/usr.sbin/pppd/auth.c
index 43773e299be..d67c0196307 100644
--- a/usr.sbin/pppd/auth.c
+++ b/usr.sbin/pppd/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.38 2016/06/24 17:22:56 tedu Exp $ */
+/* $OpenBSD: auth.c,v 1.39 2017/11/17 20:48:30 jca Exp $ */
/*
* auth.c - PPP authentication and phase control.
@@ -399,7 +399,7 @@ auth_withpeer_fail(unit, protocol)
int unit, protocol;
{
if (passwd_from_file)
- BZERO(passwd, MAXSECRETLEN);
+ EXPLICIT_BZERO(passwd, MAXSECRETLEN);
/*
* We've failed to authenticate ourselves to our peer.
* He'll probably take the link down, and there's not much
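Review bot: The erase in auth_withpeer_fail is still gated on `passwd_from_file`, so a password that reached `passwd` any other way stays in memory after a failed authentication. The same gate appears in the PPP_PAP case of auth_withpeer_success in the next hunk. If that is deliberate (presumably a password given as an option cannot be re-read and is needed for a later attempt), a comment above the check would record it, e.g. `/* only erase a password we can re-read from the file */`. The function body continues outside this hunk.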
@@ -422,7 +422,7 @@ auth_withpeer_success(unit, protocol)
break;
case PPP_PAP:
if (passwd_from_file)
- BZERO(passwd, MAXSECRETLEN);
+ EXPLICIT_BZERO(passwd, MAXSECRETLEN);
bit = PAP_WITHPEER;
break;
default:
@@ -718,8 +718,8 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg, msglen)
set_allowed_addrs(unit, addrs);
}
- BZERO(passwd, sizeof(passwd));
- BZERO(secret, sizeof(secret));
+ EXPLICIT_BZERO(passwd, sizeof(passwd));
+ EXPLICIT_BZERO(secret, sizeof(secret));
return ret;
}
@@ -825,7 +825,7 @@ null_login(unit)
i = scan_authfile(f, "", our_name, (u_int32_t)0, secret, &addrs, filename);
ret = i >= 0 && (i & NONWILD_CLIENT) != 0 && secret[0] == 0;
- BZERO(secret, sizeof(secret));
+ EXPLICIT_BZERO(secret, sizeof(secret));
if (ret)
set_allowed_addrs(unit, addrs);
@@ -864,7 +864,7 @@ get_pap_passwd(passwd)
return 0;
if (passwd != NULL)
strlcpy(passwd, secret, MAXSECRETLEN);
- BZERO(secret, sizeof(secret));
+ EXPLICIT_BZERO(secret, sizeof(secret));
return 1;
}
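Review bot: The `return 0;` at the top of this hunk leaves get_pap_passwd before `EXPLICIT_BZERO(secret, sizeof(secret))` runs, so anything already written into `secret` on that failure path is not erased. Whether the lookup can partly fill the buffer before failing is not visible here, but erasing on that path too costs nothing: `EXPLICIT_BZERO(secret, sizeof(secret)); return 0;`. The copy placed in `passwd` by `strlcpy` remains the caller's to erase, which a short comment on the function could state. The start of the function is outside the hunk.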
@@ -978,7 +978,7 @@ get_secret(unit, client, server, secret, secret_len, save_addrs)
len = MAXSECRETLEN;
}
BCOPY(secbuf, secret, len);
- BZERO(secbuf, sizeof(secbuf));
+ EXPLICIT_BZERO(secbuf, sizeof(secbuf));
*secret_len = len;
return 1;
diff --git a/usr.sbin/pppd/chap.c b/usr.sbin/pppd/chap.c
index 3acb3f9e2a3..2e1c7e02e71 100644
--- a/usr.sbin/pppd/chap.c
+++ b/usr.sbin/pppd/chap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: chap.c,v 1.18 2015/01/15 23:19:48 tedu Exp $ */
+/* $OpenBSD: chap.c,v 1.19 2017/11/17 20:48:30 jca Exp $ */
/*
* chap.c - Challenge Handshake Authentication Protocol.
@@ -470,7 +470,7 @@ ChapReceiveChallenge(cstate, inp, id, len)
return;
}
- BZERO(secret, sizeof(secret));
+ EXPLICIT_BZERO(secret, sizeof(secret));
ChapSendResponse(cstate);
}
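Review bot: The `return;` just before the closing brace at the top of this hunk exits ChapReceiveChallenge without reaching `EXPLICIT_BZERO(secret, sizeof(secret))`, so on that path the local buffer keeps its contents. Assuming `secret` has already been filled by then (the lookup is outside the hunk), erase it before leaving: `EXPLICIT_BZERO(secret, sizeof(secret)); return;`. Any other early return earlier in the function, outside this hunk, deserves the same check.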
@@ -576,7 +576,7 @@ ChapReceiveResponse(cstate, inp, id, len)
}
}
- BZERO(secret, sizeof(secret));
+ EXPLICIT_BZERO(secret, sizeof(secret));
ChapSendStatus(cstate, code);
if (code == CHAP_SUCCESS) {
diff --git a/usr.sbin/pppd/pppd.h b/usr.sbin/pppd/pppd.h
index 50b00ce7773..9cd332939a3 100644
--- a/usr.sbin/pppd/pppd.h
+++ b/usr.sbin/pppd/pppd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pppd.h,v 1.21 2015/12/06 12:00:16 tobias Exp $ */
+/* $OpenBSD: pppd.h,v 1.22 2017/11/17 20:48:30 jca Exp $ */
/*
* pppd.h - PPP daemon global declarations.
@@ -404,6 +404,7 @@ extern struct option_info devnam_info;
#define BMOVE(s, d, l) memmove(d, s, l)
#define BZERO(s, n) memset(s, 0, n)
#define EXIT(u) quit()
+#define EXPLICIT_BZERO(s, n) explicit_bzero(s, n)
#define PRINTMSG(m, l) { m[l] = '\0'; syslog(LOG_INFO, "Remote message: %s", m); }
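Review bot: `BZERO` and `EXPLICIT_BZERO` now sit side by side with nothing to say which one a secret needs, so a later change can pick the plain `memset` form and have the store removed as dead by the optimizer. A one-line comment on the new macro would make the choice obvious, e.g. `/* for secrets: unlike BZERO, the compiler may not elide this */`. It would also help to note there that remaining `BZERO` calls are meant for non-secret data only.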
diff --git a/usr.sbin/pppd/upap.c b/usr.sbin/pppd/upap.c
index 4c8d32135c9..2d07cfb9f92 100644
--- a/usr.sbin/pppd/upap.c
+++ b/usr.sbin/pppd/upap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: upap.c,v 1.10 2009/10/27 23:59:53 deraadt Exp $ */
+/* $OpenBSD: upap.c,v 1.11 2017/11/17 20:48:30 jca Exp $ */
/*
* upap.c - User/Password Authentication Protocol.
@@ -402,7 +402,7 @@ upap_rauthreq(u, inp, id, len)
*/
retcode = check_passwd(u->us_unit, ruser, ruserlen, rpasswd,
rpasswdlen, &msg, &msglen);
- BZERO(rpasswd, rpasswdlen);
+ EXPLICIT_BZERO(rpasswd, rpasswdlen);
upap_sresp(u, retcode, id, msg, msglen);