authorTodd C. Miller <millert@cvs.openbsd.org>2008-04-04 17:42:40 +0000
committerTodd C. Miller <millert@cvs.openbsd.org>2008-04-04 17:42:40 +0000
commita56291bdcb56c4ec3dbbb489004badcd40f4c656 (patch)
tree8fcf07159cbf9a43e1ed309160e13934f947641f /lib
parentba1ede989d2677d60da0c08a506dad2605e58e1e (diff)
Zero out the password/response argument in the simplified BSD auth
interfaces. Otherwise, we end up with an extra copy in memory when auth_call() forks that is not possible to clear.
Diffstat (limited to 'lib')
-rw-r--r--lib/libc/gen/auth_subr.319
-rw-r--r--lib/libc/gen/authenticate.314
-rw-r--r--lib/libc/gen/authenticate.c8
3 files changed, 34 insertions, 7 deletions
diff --git a/lib/libc/gen/auth_subr.3 b/lib/libc/gen/auth_subr.3
index 66190873667..fcac4dbfc0e 100644
--- a/lib/libc/gen/auth_subr.3
+++ b/lib/libc/gen/auth_subr.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: auth_subr.3,v 1.17 2007/05/31 19:19:28 jmc Exp $
+.\" $OpenBSD: auth_subr.3,v 1.18 2008/04/04 17:42:39 millert Exp $
.\"
.\" Copyright (c) 1997 Berkeley Software Design, Inc. All rights reserved.
.\"
@@ -31,7 +31,7 @@
.\" SUCH DAMAGE.
.\"
.\" BSDI $From: auth_subr.3,v 2.5 2000/03/30 19:11:27 polk Exp $
-.Dd $Mdocdate: May 31 2007 $
+.Dd $Mdocdate: April 4 2008 $
.Dt BSD_AUTH 3
.Os
.Sh NAME
@@ -242,6 +242,21 @@ on the back channel, the state prior to the call to
.Fn auth_call
is retained.
.Pp
+Note that while
+.Fn auth_call
+will zero out the copies it makes of sensitive information, such as plain text
+passwords, after it is sent, it is the responsibility of the
+caller to zero out the original copies of this sensitive information.
+Due to the mechanics of the
+.Fn auth_call
+function, this data must be zeroed
+.Em before
+.Fn auth_call
+is called.
+The safest place to zero out sensitive information is immediately
+after it has been passed to
+.Fn auth_setdata .
+.Pp
The back channel data may also contain a file descriptor passed back
from the login script.
If this is the case, the login script will first send back the string
diff --git a/lib/libc/gen/authenticate.3 b/lib/libc/gen/authenticate.3
index 1580f844698..57e0bc39a46 100644
--- a/lib/libc/gen/authenticate.3
+++ b/lib/libc/gen/authenticate.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: authenticate.3,v 1.10 2007/05/31 19:19:28 jmc Exp $
+.\" $OpenBSD: authenticate.3,v 1.11 2008/04/04 17:42:39 millert Exp $
.\"
.\" Copyright (c) 1997 Berkeley Software Design, Inc. All rights reserved.
.\"
@@ -31,7 +31,7 @@
.\" SUCH DAMAGE.
.\"
.\" BSDI $From: authenticate.3,v 2.7 1998/09/03 20:27:20 prb Exp $
-.Dd $Mdocdate: May 31 2007 $
+.Dd $Mdocdate: April 4 2008 $
.Dt AUTHENTICATE 3
.Os
.Sh NAME
@@ -119,6 +119,11 @@ is specified,
operates in a non-interactive mode and only tests the specified passwords.
This non-interactive method does not work with challenge-response
authentication styles.
+For security reasons, when a
+.Ar password
+is specified,
+.Fn auth_userokay
+will zero out its value before it returns.
.Pp
The
.Fn auth_usercheck
@@ -164,6 +169,11 @@ The
function closes the BSD Authentication session and has the same
return value as
.Fn auth_userokay .
+For security reasons, when a
+.Ar response
+is specified,
+.Fn auth_userresponse
+will zero out its value before it returns.
.Pp
The
.Fn auth_approval
diff --git a/lib/libc/gen/authenticate.c b/lib/libc/gen/authenticate.c
index 1ef26b683b9..b9cd63a0928 100644
--- a/lib/libc/gen/authenticate.c
+++ b/lib/libc/gen/authenticate.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authenticate.c,v 1.16 2007/09/17 07:07:23 moritz Exp $ */
+/* $OpenBSD: authenticate.c,v 1.17 2008/04/04 17:42:39 millert Exp $ */
/*-
* Copyright (c) 1997 Berkeley Software Design, Inc. All rights reserved.
@@ -348,6 +348,7 @@ auth_usercheck(char *name, char *style, char *type, char *password)
auth_setitem(as, AUTHV_SERVICE, "response");
auth_setdata(as, "", 1);
auth_setdata(as, password, strlen(password) + 1);
+ memset(password, 0, strlen(password));
} else
as = NULL;
as = auth_verify(as, style, name, lc->lc_class, (char *)NULL);
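Review bot: The added `memset(password, 0, strlen(password));` turns `password` into an in/out argument of auth_usercheck, so any caller that still passes a string literal or other read-only storage will now fault, yet the authenticate.3 hunks in this commit document the zeroing only for auth_userokay and auth_userresponse and leave the auth_usercheck paragraph untouched even though this is the function that actually performs it. I would add the same sentence under auth_usercheck: `For security reasons, when a .Ar password is specified, .Fn auth_usercheck will zero out its value before it returns.` A brief comment above the memset, such as `/* caller-owned buffer: wipe our only remaining plaintext copy before auth_verify() forks */`, would also make the intent clear to the next reader; since the buffer belongs to the caller the store cannot be treated as dead, but a dedicated secret-wiping primitive would be preferable if the tree gains one. auth_usercheck's body starts and ends outside the hunk, so I cannot see whether `password` is dereferenced again after this point.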
@@ -451,9 +452,10 @@ auth_userresponse(auth_session_t *as, char *response, int more)
auth_setdata(as, challenge, strlen(challenge) + 1);
else
auth_setdata(as, "", 1);
- if (response)
+ if (response) {
auth_setdata(as, response, strlen(response) + 1);
- else
+ memset(response, 0, strlen(response));
+ } else
auth_setdata(as, "", 1);
auth_call(as, path, style, "-s", "response", name, class, (char *)NULL);