pam_pkcs11/0003-fixed-wiping-secrets-with-OpenSSL_cleanse.patch

From a0c9b6ffc020944f03f57e7de66ad4363d52125d Mon Sep 17 00:00:00 2001
From: Frank Morgner <frankmorgner@gmail.com>
Date: Sat, 26 May 2018 00:10:49 +0200
Subject: [PATCH 3/3] fixed wiping secrets with OpenSSL_cleanse()

Thanks to Eric Sesterhenn from X41 D-SEC GmbH
for reporting the problems.
---
 src/common/pkcs11_lib.c     | 15 ++++++++++++---
 src/common/pkcs11_lib.h     |  1 +
 src/pam_pkcs11/pam_pkcs11.c | 10 +++++-----
 3 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c
index d4433f2..912de05 100644
--- a/src/common/pkcs11_lib.c
+++ b/src/common/pkcs11_lib.c
@@ -63,7 +63,7 @@ int pkcs11_pass_login(pkcs11_handle_t *h, int nullok)
 
   /* perform pkcs #11 login */
   rv = pkcs11_login(h, pin);
-  memset(pin, 0, strlen(pin));
+  cleanse(pin, strlen(pin));
   if (rv != 0) {
     set_error("pkcs11_login() failed: %s", get_error());
     return -1;
@@ -159,6 +159,15 @@ int get_random_value(unsigned char *data, int length)
   return 0;
 }
 
+void cleanse(void *ptr, size_t len)
+{
+#ifdef HAVE_OPENSSL
+  OPENSSL_cleanse(ptr, len);
+#else
+  memset(ptr, 0, len);
+#endif
+}
+
 
 #ifdef HAVE_NSS
 /*
@@ -637,7 +646,7 @@ void release_pkcs11_module(pkcs11_handle_t *h)
   if (h->module) {
     SECMOD_DestroyModule(h->module);
   }
-  memset(h, 0, sizeof(pkcs11_handle_t));
+  cleanse(h, sizeof(pkcs11_handle_t));
   free(h);
 
   /* if we initialized NSS, then we need to shut it down */
@@ -1199,7 +1208,7 @@ void release_pkcs11_module(pkcs11_handle_t *h)
   /* release all allocated memory */
   if (h->slots != NULL)
     free(h->slots);
-  memset(h, 0, sizeof(pkcs11_handle_t));
+  cleanse(h, 0, sizeof(pkcs11_handle_t));
   free(h);
 }
 
diff --git a/src/common/pkcs11_lib.h b/src/common/pkcs11_lib.h
index 27ed910..637a0c1 100644
--- a/src/common/pkcs11_lib.h
+++ b/src/common/pkcs11_lib.h
@@ -67,6 +67,7 @@ PKCS11_EXTERN int sign_value(pkcs11_handle_t *h, cert_object_t *,
                unsigned char *data, unsigned long length,
                unsigned char **signature, unsigned long *signature_length);
 PKCS11_EXTERN int get_random_value(unsigned char *data, int length);
+PKCS11_EXTERN void cleanse(void *ptr, size_t len);
 
 #undef PKCS11_EXTERN
 
diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c
index d6ca475..3f2b6ab 100644
--- a/src/pam_pkcs11/pam_pkcs11.c
+++ b/src/pam_pkcs11/pam_pkcs11.c
@@ -108,7 +108,7 @@ static int pam_prompt(pam_handle_t *pamh, int style, char **response, char *fmt,
      *response = strdup(resp[0].resp);
   }
   /* overwrite memory and release it */
-  memset(resp[0].resp, 0, strlen(resp[0].resp));
+  cleanse(resp[0].resp, strlen(resp[0].resp));
   free(&resp[0]);
   return PAM_SUCCESS;
 }
@@ -191,7 +191,7 @@ static int pam_get_pwd(pam_handle_t *pamh, char **pwd, char *text, int oitem, in
       return PAM_CRED_INSUFFICIENT;
     *pwd = strdup(resp[0].resp);
     /* overwrite memory and release it */
-    memset(resp[0].resp, 0, strlen(resp[0].resp));
+    cleanse(resp[0].resp, strlen(resp[0].resp));
     free(&resp[0]);
     /* save password if variable nitem is set */
     if ((nitem == PAM_AUTHTOK) || (nitem == PAM_OLDAUTHTOK)) {
@@ -517,7 +517,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 		/* check password length */
 		if (!configuration->nullok && strlen(password) == 0) {
 			release_pkcs11_module(ph);
-			memset(password, 0, strlen(password));
+			cleanse(password, strlen(password));
 			free(password);
 			pam_syslog(pamh, LOG_ERR,
 					"password length is zero but the 'nullok' argument was not defined.");
@@ -543,7 +543,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
     /* erase and free in-memory password data asap */
 	if (password)
 	{
-		memset(password, 0, strlen(password));
+		cleanse(password, strlen(password));
 		free(password);
 	}
     if (rv != 0) {
@@ -831,7 +831,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
   return PAM_SUCCESS;
 
     /* quick and dirty fail exit point */
-    memset(password, 0, strlen(password));
+    cleanse(password, strlen(password));
     free(password); /* erase and free in-memory password data */
 
 auth_failed_nopw:
-- 
2.18.0
Accepting request 629902 from home:vitezslav_cizek:branches:security:chipcard - Address security issues found by X41 D-Sec audit (bsc#1105012) * Authentication Replay * Buffer Overflow * Memory not cleaned properly before free() - add patches: * 0001-verify-using-a-nonce-from-the-system-not-the-card.patch * 0002-fixed-buffer-overflow-with-long-home-directory.patch * 0003-fixed-wiping-secrets-with-OpenSSL_cleanse.patch OBS-URL: https://build.opensuse.org/request/show/629902 OBS-URL: https://build.opensuse.org/package/show/security:chipcard/pam_pkcs11?expand=0&rev=24 2018-09-10 17:04:41 +02:00			`From a0c9b6ffc020944f03f57e7de66ad4363d52125d Mon Sep 17 00:00:00 2001`
			`From: Frank Morgner <frankmorgner@gmail.com>`
			`Date: Sat, 26 May 2018 00:10:49 +0200`
			`Subject: [PATCH 3/3] fixed wiping secrets with OpenSSL_cleanse()`

			`Thanks to Eric Sesterhenn from X41 D-SEC GmbH`
			`for reporting the problems.`
			`---`
			`src/common/pkcs11_lib.c \| 15 ++++++++++++---`
			`src/common/pkcs11_lib.h \| 1 +`
			`src/pam_pkcs11/pam_pkcs11.c \| 10 +++++-----`
			`3 files changed, 18 insertions(+), 8 deletions(-)`

			`diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c`
			`index d4433f2..912de05 100644`
			`--- a/src/common/pkcs11_lib.c`
			`+++ b/src/common/pkcs11_lib.c`
			`@@ -63,7 +63,7 @@ int pkcs11_pass_login(pkcs11_handle_t *h, int nullok)`

			`/* perform pkcs #11 login */`
			`rv = pkcs11_login(h, pin);`
			`- memset(pin, 0, strlen(pin));`
			`+ cleanse(pin, strlen(pin));`
			`if (rv != 0) {`
			`set_error("pkcs11_login() failed: %s", get_error());`
			`return -1;`
			`@@ -159,6 +159,15 @@ int get_random_value(unsigned char *data, int length)`
			`return 0;`
			`}`

			`+void cleanse(void *ptr, size_t len)`
			`+{`
			`+#ifdef HAVE_OPENSSL`
			`+ OPENSSL_cleanse(ptr, len);`
			`+#else`
			`+ memset(ptr, 0, len);`
			`+#endif`
			`+}`
			`+`

			`#ifdef HAVE_NSS`
			`/*`
			`@@ -637,7 +646,7 @@ void release_pkcs11_module(pkcs11_handle_t *h)`
			`if (h->module) {`
			`SECMOD_DestroyModule(h->module);`
			`}`
			`- memset(h, 0, sizeof(pkcs11_handle_t));`
			`+ cleanse(h, sizeof(pkcs11_handle_t));`
			`free(h);`

			`/* if we initialized NSS, then we need to shut it down */`
			`@@ -1199,7 +1208,7 @@ void release_pkcs11_module(pkcs11_handle_t *h)`
			`/* release all allocated memory */`
			`if (h->slots != NULL)`
			`free(h->slots);`
			`- memset(h, 0, sizeof(pkcs11_handle_t));`
			`+ cleanse(h, 0, sizeof(pkcs11_handle_t));`
			`free(h);`
			`}`

			`diff --git a/src/common/pkcs11_lib.h b/src/common/pkcs11_lib.h`
			`index 27ed910..637a0c1 100644`
			`--- a/src/common/pkcs11_lib.h`
			`+++ b/src/common/pkcs11_lib.h`
			`@@ -67,6 +67,7 @@ PKCS11_EXTERN int sign_value(pkcs11_handle_t h, cert_object_t ,`
			`unsigned char *data, unsigned long length,`
			`unsigned char *signature, unsigned long signature_length);`
			`PKCS11_EXTERN int get_random_value(unsigned char *data, int length);`
			`+PKCS11_EXTERN void cleanse(void *ptr, size_t len);`

			`#undef PKCS11_EXTERN`

			`diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c`
			`index d6ca475..3f2b6ab 100644`
			`--- a/src/pam_pkcs11/pam_pkcs11.c`
			`+++ b/src/pam_pkcs11/pam_pkcs11.c`
			`@@ -108,7 +108,7 @@ static int pam_prompt(pam_handle_t pamh, int style, char response, char fmt,`
			`*response = strdup(resp[0].resp);`
			`}`
			`/* overwrite memory and release it */`
			`- memset(resp[0].resp, 0, strlen(resp[0].resp));`
			`+ cleanse(resp[0].resp, strlen(resp[0].resp));`
			`free(&resp[0]);`
			`return PAM_SUCCESS;`
			`}`
			`@@ -191,7 +191,7 @@ static int pam_get_pwd(pam_handle_t pamh, char pwd, char text, int oitem, in`
			`return PAM_CRED_INSUFFICIENT;`
			`*pwd = strdup(resp[0].resp);`
			`/* overwrite memory and release it */`
			`- memset(resp[0].resp, 0, strlen(resp[0].resp));`
			`+ cleanse(resp[0].resp, strlen(resp[0].resp));`
			`free(&resp[0]);`
			`/* save password if variable nitem is set */`
			`if ((nitem == PAM_AUTHTOK) \|\| (nitem == PAM_OLDAUTHTOK)) {`
			`@@ -517,7 +517,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons`
			`/* check password length */`
			`if (!configuration->nullok && strlen(password) == 0) {`
			`release_pkcs11_module(ph);`
			`- memset(password, 0, strlen(password));`
			`+ cleanse(password, strlen(password));`
			`free(password);`
			`pam_syslog(pamh, LOG_ERR,`
			`"password length is zero but the 'nullok' argument was not defined.");`
			`@@ -543,7 +543,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons`
			`/* erase and free in-memory password data asap */`
			`if (password)`
			`{`
			`- memset(password, 0, strlen(password));`
			`+ cleanse(password, strlen(password));`
			`free(password);`
			`}`
			`if (rv != 0) {`
			`@@ -831,7 +831,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons`
			`return PAM_SUCCESS;`

			`/* quick and dirty fail exit point */`
			`- memset(password, 0, strlen(password));`
			`+ cleanse(password, strlen(password));`
			`free(password); /* erase and free in-memory password data */`

			`auth_failed_nopw:`
			`--`
			`2.18.0`