forked from pool/pam_pkcs11
Stanislav Brabec
d1602a056e
- Address security issues found by X41 D-Sec audit (bsc#1105012) * Authentication Replay * Buffer Overflow * Memory not cleaned properly before free() - add patches: * 0001-verify-using-a-nonce-from-the-system-not-the-card.patch * 0002-fixed-buffer-overflow-with-long-home-directory.patch * 0003-fixed-wiping-secrets-with-OpenSSL_cleanse.patch OBS-URL: https://build.opensuse.org/request/show/629902 OBS-URL: https://build.opensuse.org/package/show/security:chipcard/pam_pkcs11?expand=0&rev=24
125 lines
4.2 KiB
Diff
125 lines
4.2 KiB
Diff
From a0c9b6ffc020944f03f57e7de66ad4363d52125d Mon Sep 17 00:00:00 2001
|
|
From: Frank Morgner <frankmorgner@gmail.com>
|
|
Date: Sat, 26 May 2018 00:10:49 +0200
|
|
Subject: [PATCH 3/3] fixed wiping secrets with OpenSSL_cleanse()
|
|
|
|
Thanks to Eric Sesterhenn from X41 D-SEC GmbH
|
|
for reporting the problems.
|
|
---
|
|
src/common/pkcs11_lib.c | 15 ++++++++++++---
|
|
src/common/pkcs11_lib.h | 1 +
|
|
src/pam_pkcs11/pam_pkcs11.c | 10 +++++-----
|
|
3 files changed, 18 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/src/common/pkcs11_lib.c b/src/common/pkcs11_lib.c
|
|
index d4433f2..912de05 100644
|
|
--- a/src/common/pkcs11_lib.c
|
|
+++ b/src/common/pkcs11_lib.c
|
|
@@ -63,7 +63,7 @@ int pkcs11_pass_login(pkcs11_handle_t *h, int nullok)
|
|
|
|
/* perform pkcs #11 login */
|
|
rv = pkcs11_login(h, pin);
|
|
- memset(pin, 0, strlen(pin));
|
|
+ cleanse(pin, strlen(pin));
|
|
if (rv != 0) {
|
|
set_error("pkcs11_login() failed: %s", get_error());
|
|
return -1;
|
|
@@ -159,6 +159,15 @@ int get_random_value(unsigned char *data, int length)
|
|
return 0;
|
|
}
|
|
|
|
+void cleanse(void *ptr, size_t len)
|
|
+{
|
|
+#ifdef HAVE_OPENSSL
|
|
+ OPENSSL_cleanse(ptr, len);
|
|
+#else
|
|
+ memset(ptr, 0, len);
|
|
+#endif
|
|
+}
|
|
+
|
|
|
|
#ifdef HAVE_NSS
|
|
/*
|
|
@@ -637,7 +646,7 @@ void release_pkcs11_module(pkcs11_handle_t *h)
|
|
if (h->module) {
|
|
SECMOD_DestroyModule(h->module);
|
|
}
|
|
- memset(h, 0, sizeof(pkcs11_handle_t));
|
|
+ cleanse(h, sizeof(pkcs11_handle_t));
|
|
free(h);
|
|
|
|
/* if we initialized NSS, then we need to shut it down */
|
|
@@ -1199,7 +1208,7 @@ void release_pkcs11_module(pkcs11_handle_t *h)
|
|
/* release all allocated memory */
|
|
if (h->slots != NULL)
|
|
free(h->slots);
|
|
- memset(h, 0, sizeof(pkcs11_handle_t));
|
|
+ cleanse(h, 0, sizeof(pkcs11_handle_t));
|
|
free(h);
|
|
}
|
|
|
|
diff --git a/src/common/pkcs11_lib.h b/src/common/pkcs11_lib.h
|
|
index 27ed910..637a0c1 100644
|
|
--- a/src/common/pkcs11_lib.h
|
|
+++ b/src/common/pkcs11_lib.h
|
|
@@ -67,6 +67,7 @@ PKCS11_EXTERN int sign_value(pkcs11_handle_t *h, cert_object_t *,
|
|
unsigned char *data, unsigned long length,
|
|
unsigned char **signature, unsigned long *signature_length);
|
|
PKCS11_EXTERN int get_random_value(unsigned char *data, int length);
|
|
+PKCS11_EXTERN void cleanse(void *ptr, size_t len);
|
|
|
|
#undef PKCS11_EXTERN
|
|
|
|
diff --git a/src/pam_pkcs11/pam_pkcs11.c b/src/pam_pkcs11/pam_pkcs11.c
|
|
index d6ca475..3f2b6ab 100644
|
|
--- a/src/pam_pkcs11/pam_pkcs11.c
|
|
+++ b/src/pam_pkcs11/pam_pkcs11.c
|
|
@@ -108,7 +108,7 @@ static int pam_prompt(pam_handle_t *pamh, int style, char **response, char *fmt,
|
|
*response = strdup(resp[0].resp);
|
|
}
|
|
/* overwrite memory and release it */
|
|
- memset(resp[0].resp, 0, strlen(resp[0].resp));
|
|
+ cleanse(resp[0].resp, strlen(resp[0].resp));
|
|
free(&resp[0]);
|
|
return PAM_SUCCESS;
|
|
}
|
|
@@ -191,7 +191,7 @@ static int pam_get_pwd(pam_handle_t *pamh, char **pwd, char *text, int oitem, in
|
|
return PAM_CRED_INSUFFICIENT;
|
|
*pwd = strdup(resp[0].resp);
|
|
/* overwrite memory and release it */
|
|
- memset(resp[0].resp, 0, strlen(resp[0].resp));
|
|
+ cleanse(resp[0].resp, strlen(resp[0].resp));
|
|
free(&resp[0]);
|
|
/* save password if variable nitem is set */
|
|
if ((nitem == PAM_AUTHTOK) || (nitem == PAM_OLDAUTHTOK)) {
|
|
@@ -517,7 +517,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
|
|
/* check password length */
|
|
if (!configuration->nullok && strlen(password) == 0) {
|
|
release_pkcs11_module(ph);
|
|
- memset(password, 0, strlen(password));
|
|
+ cleanse(password, strlen(password));
|
|
free(password);
|
|
pam_syslog(pamh, LOG_ERR,
|
|
"password length is zero but the 'nullok' argument was not defined.");
|
|
@@ -543,7 +543,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
|
|
/* erase and free in-memory password data asap */
|
|
if (password)
|
|
{
|
|
- memset(password, 0, strlen(password));
|
|
+ cleanse(password, strlen(password));
|
|
free(password);
|
|
}
|
|
if (rv != 0) {
|
|
@@ -831,7 +831,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
|
|
return PAM_SUCCESS;
|
|
|
|
/* quick and dirty fail exit point */
|
|
- memset(password, 0, strlen(password));
|
|
+ cleanse(password, strlen(password));
|
|
free(password); /* erase and free in-memory password data */
|
|
|
|
auth_failed_nopw:
|
|
--
|
|
2.18.0
|
|
|