author | jca <jca@openbsd.org> | 2017-11-17 20:48:30 +0000 |
---|---|---|
committer | jca <jca@openbsd.org> | 2017-11-17 20:48:30 +0000 |
commit | 7c1d736fc69fa93850ad62d110e1c77ecbebb9cd (patch) | |
tree | e596060b73b67ff68eae5e2a1dbab31c61ee088a /usr.sbin/pppd | |
parent | #if -> #ifdef for consistency (diff) | |
Use explicit_bzero to erase secrets
from Scott Cheloa, ok tb@
Diffstat (limited to 'usr.sbin/pppd')
-rw-r--r-- | usr.sbin/pppd/auth.c | 16 | ||||
-rw-r--r-- | usr.sbin/pppd/chap.c | 6 | ||||
-rw-r--r-- | usr.sbin/pppd/pppd.h | 3 | ||||
-rw-r--r-- | usr.sbin/pppd/upap.c | 4 |
4 files changed, 15 insertions, 14 deletions
diff --git a/usr.sbin/pppd/auth.c b/usr.sbin/pppd/auth.c
index 43773e299be..d67c0196307 100644
--- a/usr.sbin/pppd/auth.c
+++ b/usr.sbin/pppd/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.38 2016/06/24 17:22:56 tedu Exp $ */
+/* $OpenBSD: auth.c,v 1.39 2017/11/17 20:48:30 jca Exp $ */
 /*
 * auth.c - PPP authentication and phase control.
@@ -399,7 +399,7 @@ auth_withpeer_fail(unit, protocol)
 int unit, protocol;
 {
 if (passwd_from_file)
- BZERO(passwd, MAXSECRETLEN);
+ EXPLICIT_BZERO(passwd, MAXSECRETLEN);
 /*
 * We've failed to authenticate ourselves to our peer.
 * He'll probably take the link down, and there's not much
@@ -422,7 +422,7 @@ auth_withpeer_success(unit, protocol)
 break;
 case PPP_PAP:
 if (passwd_from_file)
- BZERO(passwd, MAXSECRETLEN);
+ EXPLICIT_BZERO(passwd, MAXSECRETLEN);
 bit = PAP_WITHPEER;
 break;
 default:
@@ -718,8 +718,8 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg, msglen)
 set_allowed_addrs(unit, addrs);
 }
- BZERO(passwd, sizeof(passwd));
- BZERO(secret, sizeof(secret));
+ EXPLICIT_BZERO(passwd, sizeof(passwd));
+ EXPLICIT_BZERO(secret, sizeof(secret));
 return ret;
 }
@@ -825,7 +825,7 @@ null_login(unit)
 i = scan_authfile(f, "", our_name, (u_int32_t)0, secret, &addrs, filename);
 ret = i >= 0 && (i & NONWILD_CLIENT) != 0 && secret[0] == 0;
- BZERO(secret, sizeof(secret));
+ EXPLICIT_BZERO(secret, sizeof(secret));
 if (ret)
 set_allowed_addrs(unit, addrs);
@@ -864,7 +864,7 @@ get_pap_passwd(passwd)
 return 0;
 if (passwd != NULL)
 strlcpy(passwd, secret, MAXSECRETLEN);
- BZERO(secret, sizeof(secret));
+ EXPLICIT_BZERO(secret, sizeof(secret));
 return 1;
 }
@@ -978,7 +978,7 @@ get_secret(unit, client, server, secret, secret_len, save_addrs)
 len = MAXSECRETLEN;
 }
 BCOPY(secbuf, secret, len);
- BZERO(secbuf, sizeof(secbuf));
+ EXPLICIT_BZERO(secbuf, sizeof(secbuf));
 *secret_len = len;
 return 1;
diff --git a/usr.sbin/pppd/chap.c b/usr.sbin/pppd/chap.c
index 3acb3f9e2a3..2e1c7e02e71 100644
--- a/usr.sbin/pppd/chap.c
+++ b/usr.sbin/pppd/chap.c
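Review bot: In auth.c's get_pap_passwd() hunk the `return 0;` shown as context sits ahead of the new `EXPLICIT_BZERO(secret, sizeof(secret));`, so that exit leaves the function without erasing `secret`. Its guarding condition is outside the hunk, and whether the buffer can hold secret material on that path depends on scan_authfile(), which is not shown here. The same shape appears in chap.c's ChapReceiveChallenge() hunk, where `return; }` closes a block immediately before the erase. If either exit can be reached after a secret was loaded, add `EXPLICIT_BZERO(secret, sizeof(secret));` directly before the early return. Both function bodies start outside their hunks.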
@@ -1,4 +1,4 @@
-/* $OpenBSD: chap.c,v 1.18 2015/01/15 23:19:48 tedu Exp $ */
+/* $OpenBSD: chap.c,v 1.19 2017/11/17 20:48:30 jca Exp $ */
 /*
 * chap.c - Challenge Handshake Authentication Protocol.
@@ -470,7 +470,7 @@ ChapReceiveChallenge(cstate, inp, id, len)
 return;
 }
- BZERO(secret, sizeof(secret));
+ EXPLICIT_BZERO(secret, sizeof(secret));
 ChapSendResponse(cstate);
 }
@@ -576,7 +576,7 @@ ChapReceiveResponse(cstate, inp, id, len)
 }
 }
- BZERO(secret, sizeof(secret));
+ EXPLICIT_BZERO(secret, sizeof(secret));
 ChapSendStatus(cstate, code);
 if (code == CHAP_SUCCESS) {
diff --git a/usr.sbin/pppd/pppd.h b/usr.sbin/pppd/pppd.h
index 50b00ce7773..9cd332939a3 100644
--- a/usr.sbin/pppd/pppd.h
+++ b/usr.sbin/pppd/pppd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pppd.h,v 1.21 2015/12/06 12:00:16 tobias Exp $ */
+/* $OpenBSD: pppd.h,v 1.22 2017/11/17 20:48:30 jca Exp $ */
 /*
 * pppd.h - PPP daemon global declarations.
@@ -404,6 +404,7 @@ extern struct option_info devnam_info;
 #define BMOVE(s, d, l) memmove(d, s, l)
 #define BZERO(s, n) memset(s, 0, n)
 #define EXIT(u) quit()
+#define EXPLICIT_BZERO(s, n) explicit_bzero(s, n)
 #define PRINTMSG(m, l) { m[l] = '\0'; syslog(LOG_INFO, "Remote message: %s", m); }
diff --git a/usr.sbin/pppd/upap.c b/usr.sbin/pppd/upap.c
index 4c8d32135c9..2d07cfb9f92 100644
--- a/usr.sbin/pppd/upap.c
+++ b/usr.sbin/pppd/upap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: upap.c,v 1.10 2009/10/27 23:59:53 deraadt Exp $ */
+/* $OpenBSD: upap.c,v 1.11 2017/11/17 20:48:30 jca Exp $ */
 /*
 * upap.c - User/Password Authentication Protocol.
@@ -402,7 +402,7 @@ upap_rauthreq(u, inp, id, len)
 */
 retcode = check_passwd(u->us_unit, ruser, ruserlen, rpasswd, rpasswdlen, &msg, &msglen);
- BZERO(rpasswd, rpasswdlen);
+ EXPLICIT_BZERO(rpasswd, rpasswdlen);
 upap_sresp(u, retcode, id, msg, msglen); |
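Review bot: The new `EXPLICIT_BZERO` macro in pppd.h sits beside `BZERO` with nothing recording when each one is the right choice, so a later edit can easily reach for `BZERO` on a secret buffer again. A one-line comment above the definition would keep the reason with the code, for example `/* For buffers that held secrets: a memset() of a buffer that is never read again may be optimized away; explicit_bzero() is not. */`. The macro also depends on every file that uses it having a declaration of explicit_bzero() in scope (it lives in `<string.h>` on OpenBSD); the include lines are outside this hunk, so that is worth confirming for auth.c, chap.c and upap.c.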