From a0c9b6ffc020944f03f57e7de66ad4363d52125d Mon Sep 17 00:00:00 2001 From: Frank Morgner Date: Sat, 26 May 2018 00:10:49 +0200 Subject: [PATCH 3/3] fixed wiping secrets with OpenSSL_cleanse() Thanks to Eric Sesterhenn from X41 D-SEC GmbH for reporting the problems. --- src/common/pkcs11_lib.c | 15 ++++++++++++--- src/common/pkcs11_lib.h | 1 + src/pam_pkcs11/pam_pkcs11.c | 10 +++++----- 3 files changed, 18 insertions(+), 8 deletions(-) diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c index d4433f2..912de05 100644 --- a/src/common/pkcs11_lib.c +++ b/src/common/pkcs11_lib.c @@ -63,7 +63,7 @@ int pkcs11_pass_login(pkcs11_handle_t *h, int nullok) /* perform pkcs #11 login */ rv = pkcs11_login(h, pin); - memset(pin, 0, strlen(pin)); + cleanse(pin, strlen(pin)); if (rv != 0) { set_error("pkcs11_login() failed: %s", get_error()); return -1; @@ -159,6 +159,15 @@ int get_random_value(unsigned char *data, int length) return 0; } +void cleanse(void *ptr, size_t len) +{ +#ifdef HAVE_OPENSSL + OPENSSL_cleanse(ptr, len); +#else + memset(ptr, 0, len); +#endif +} + #ifdef HAVE_NSS /* @@ -637,7 +646,7 @@ void release_pkcs11_module(pkcs11_handle_t *h) if (h->module) { SECMOD_DestroyModule(h->module); } - memset(h, 0, sizeof(pkcs11_handle_t)); + cleanse(h, sizeof(pkcs11_handle_t)); free(h); /* if we initialized NSS, then we need to shut it down */ @@ -1199,7 +1208,7 @@ void release_pkcs11_module(pkcs11_handle_t *h) /* release all allocated memory */ if (h->slots != NULL) free(h->slots); - memset(h, 0, sizeof(pkcs11_handle_t)); + cleanse(h, 0, sizeof(pkcs11_handle_t)); free(h); } diff --git a/src/common/pkcs11_lib.h b/src/common/pkcs11_lib.h index 27ed910..637a0c1 100644 --- a/src/common/pkcs11_lib.h +++ b/src/common/pkcs11_lib.h @@ -67,6 +67,7 @@ PKCS11_EXTERN int sign_value(pkcs11_handle_t *h, cert_object_t *, unsigned char *data, unsigned long length, unsigned char **signature, unsigned long *signature_length); PKCS11_EXTERN int get_random_value(unsigned char *data, int length); +PKCS11_EXTERN void cleanse(void *ptr, size_t len); #undef PKCS11_EXTERN diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c index d6ca475..3f2b6ab 100644 --- a/src/pam_pkcs11/pam_pkcs11.c +++ b/src/pam_pkcs11/pam_pkcs11.c @@ -108,7 +108,7 @@ static int pam_prompt(pam_handle_t *pamh, int style, char **response, char *fmt, *response = strdup(resp[0].resp); } /* overwrite memory and release it */ - memset(resp[0].resp, 0, strlen(resp[0].resp)); + cleanse(resp[0].resp, strlen(resp[0].resp)); free(&resp[0]); return PAM_SUCCESS; } @@ -191,7 +191,7 @@ static int pam_get_pwd(pam_handle_t *pamh, char **pwd, char *text, int oitem, in return PAM_CRED_INSUFFICIENT; *pwd = strdup(resp[0].resp); /* overwrite memory and release it */ - memset(resp[0].resp, 0, strlen(resp[0].resp)); + cleanse(resp[0].resp, strlen(resp[0].resp)); free(&resp[0]); /* save password if variable nitem is set */ if ((nitem == PAM_AUTHTOK) || (nitem == PAM_OLDAUTHTOK)) { @@ -517,7 +517,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons /* check password length */ if (!configuration->nullok && strlen(password) == 0) { release_pkcs11_module(ph); - memset(password, 0, strlen(password)); + cleanse(password, strlen(password)); free(password); pam_syslog(pamh, LOG_ERR, "password length is zero but the 'nullok' argument was not defined."); @@ -543,7 +543,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons /* erase and free in-memory password data asap */ if (password) { - memset(password, 0, strlen(password)); + cleanse(password, strlen(password)); free(password); } if (rv != 0) { @@ -831,7 +831,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons return PAM_SUCCESS; /* quick and dirty fail exit point */ - memset(password, 0, strlen(password)); + cleanse(password, strlen(password)); free(password); /* erase and free in-memory password data */ auth_failed_nopw: -- 2.18.0