diff options
-rw-r--r-- | libexec/login_chpass/login_chpass.c | 4 | ||||
-rw-r--r-- | libexec/login_lchpass/login_lchpass.c | 4 | ||||
-rw-r--r-- | libexec/login_passwd/login.c | 4 | ||||
-rw-r--r-- | libexec/login_passwd/login_passwd.c | 4 | ||||
-rw-r--r-- | libexec/login_radius/raddauth.c | 3 | ||||
-rw-r--r-- | libexec/login_tis/login_tis.c | 16 | ||||
-rw-r--r-- | libexec/login_token/token.c | 14 | ||||
-rw-r--r-- | libexec/login_token/tokendb.c | 4 |
8 files changed, 26 insertions, 27 deletions
diff --git a/libexec/login_chpass/login_chpass.c b/libexec/login_chpass/login_chpass.c index 903ca333a28..3abd7210182 100644 --- a/libexec/login_chpass/login_chpass.c +++ b/libexec/login_chpass/login_chpass.c @@ -1,4 +1,4 @@ -/* $OpenBSD: login_chpass.c,v 1.16 2012/12/04 02:24:47 deraadt Exp $ */ +/* $OpenBSD: login_chpass.c,v 1.17 2015/10/05 17:31:17 millert Exp $ */ /*- * Copyright (c) 1995,1996 Berkeley Software Design, Inc. All rights reserved. @@ -208,7 +208,7 @@ yp_chpass(char *username) pwd_gensalt(salt, sizeof(salt), lc, 'y') == 0) strlcpy(salt, "xx", sizeof(salt)); crypt(p, salt); - memset(p, 0, strlen(p)); + explicit_bzero(p, strlen(p)); } warnx("YP passwd database unchanged."); exit(1); diff --git a/libexec/login_lchpass/login_lchpass.c b/libexec/login_lchpass/login_lchpass.c index 6696067d38a..0882f7038d7 100644 --- a/libexec/login_lchpass/login_lchpass.c +++ b/libexec/login_lchpass/login_lchpass.c @@ -1,4 +1,4 @@ -/* $OpenBSD: login_lchpass.c,v 1.14 2012/12/04 02:24:47 deraadt Exp $ */ +/* $OpenBSD: login_lchpass.c,v 1.15 2015/10/05 17:31:17 millert Exp $ */ /*- * Copyright (c) 1995,1996 Berkeley Software Design, Inc. All rights reserved. @@ -136,7 +136,7 @@ main(int argc, char *argv[]) exit(1); salt = crypt(p, salt); - memset(p, 0, strlen(p)); + explicit_bzero(p, strlen(p)); if (!pwd || strcmp(salt, pwd->pw_passwd) != 0) exit(1); diff --git a/libexec/login_passwd/login.c b/libexec/login_passwd/login.c index 6548178e001..8d208e03381 100644 --- a/libexec/login_passwd/login.c +++ b/libexec/login_passwd/login.c @@ -1,4 +1,4 @@ -/* $OpenBSD: login.c,v 1.11 2015/01/16 06:39:50 deraadt Exp $ */ +/* $OpenBSD: login.c,v 1.12 2015/10/05 17:31:17 millert Exp $ */ /*- * Copyright (c) 1995 Berkeley Software Design, Inc. All rights reserved. @@ -158,7 +158,7 @@ main(int argc, char **argv) #endif if (password != NULL) - memset(password, 0, strlen(password)); + explicit_bzero(password, strlen(password)); if (ret != AUTH_OK) fprintf(back, BI_REJECT "\n"); diff --git a/libexec/login_passwd/login_passwd.c b/libexec/login_passwd/login_passwd.c index f646d891043..d769bdc0735 100644 --- a/libexec/login_passwd/login_passwd.c +++ b/libexec/login_passwd/login_passwd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: login_passwd.c,v 1.10 2014/09/16 22:07:02 tedu Exp $ */ +/* $OpenBSD: login_passwd.c,v 1.11 2015/10/05 17:31:17 millert Exp $ */ /*- * Copyright (c) 2001 Hans Insulander <hin@openbsd.org>. @@ -54,7 +54,7 @@ pwd_login(char *username, char *password, char *wheel, int lastchance, if (crypt_checkpass(password, goodhash) == 0) passok = 1; plen = strlen(password); - memset(password, 0, plen); + explicit_bzero(password, plen); if (!passok) return (AUTH_FAILED); diff --git a/libexec/login_radius/raddauth.c b/libexec/login_radius/raddauth.c index 71089908058..5261e377f49 100644 --- a/libexec/login_radius/raddauth.c +++ b/libexec/login_radius/raddauth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: raddauth.c,v 1.27 2015/01/16 06:39:50 deraadt Exp $ */ +/* $OpenBSD: raddauth.c,v 1.28 2015/10/05 17:31:17 millert Exp $ */ /*- * Copyright (c) 1996, 1997 Berkeley Software Design, Inc. All rights reserved. @@ -397,6 +397,7 @@ rad_request(u_char id, char *name, char *password, int port, char *vector, } total_length += AUTH_VECTOR_LEN; } + explicit_bzero(pass_buf, strlen(pass_buf)); /* Client id */ *ptr++ = PW_CLIENT_ID; diff --git a/libexec/login_tis/login_tis.c b/libexec/login_tis/login_tis.c index 3ac22aaa3f1..cbfa0a74c49 100644 --- a/libexec/login_tis/login_tis.c +++ b/libexec/login_tis/login_tis.c @@ -1,4 +1,4 @@ -/* $OpenBSD: login_tis.c,v 1.12 2015/01/16 06:39:50 deraadt Exp $ */ +/* $OpenBSD: login_tis.c,v 1.13 2015/10/05 17:31:17 millert Exp $ */ /* * Copyright (c) 2004 Todd C. Miller <Todd.Miller@courtesan.com> @@ -395,8 +395,8 @@ tis_getkey(struct tis_connection *tc) } DES_string_to_key(key, &cblock); error = DES_set_key(&cblock, &tc->keysched); - memset(key, 0, len); - memset(&cblock, 0, sizeof(cblock)); + explicit_bzero(key, len); + explicit_bzero(&cblock, sizeof(cblock)); free(tbuf); return (error); } @@ -508,10 +508,10 @@ tis_recv(struct tis_connection *tc, u_char *buf, size_t bufsiz) len, &ks, &iv, DES_DECRYPT); if (strlcpy(buf, tbuf, bufsiz) >= bufsiz) { syslog(LOG_ERR, "unencrypted data too large to store"); - memset(tbuf, 0, sizeof(tbuf)); + explicit_bzero(tbuf, sizeof(tbuf)); return (-1); } - memset(tbuf, 0, sizeof(tbuf)); + explicit_bzero(tbuf, sizeof(tbuf)); } return (len); } @@ -657,7 +657,7 @@ tis_authorize(struct tis_connection *tc, const char *user, syslog(LOG_ERR, "unexpected response from authsrv: %s", obuf); resp = error; } - memset(buf, 0, sizeof(buf)); + explicit_bzero(buf, sizeof(buf)); return (resp); } @@ -685,10 +685,10 @@ tis_verify(struct tis_connection *tc, const char *response, char *ebuf) if (strncmp(buf, "ok", 2) == 0) { if (buf[2] != '\0') strlcpy(ebuf, buf + 3, TIS_BUFSIZ); - memset(buf, 0, sizeof(buf)); + explicit_bzero(buf, sizeof(buf)); return (0); } strlcpy(ebuf, buf, TIS_BUFSIZ); - memset(buf, 0, sizeof(buf)); + explicit_bzero(buf, sizeof(buf)); return (-1); } diff --git a/libexec/login_token/token.c b/libexec/login_token/token.c index 7c6f4569c8d..0bf5352e324 100644 --- a/libexec/login_token/token.c +++ b/libexec/login_token/token.c @@ -1,4 +1,4 @@ -/* $OpenBSD: token.c,v 1.18 2013/12/03 01:29:00 deraadt Exp $ */ +/* $OpenBSD: token.c,v 1.19 2015/10/05 17:31:17 millert Exp $ */ /*- * Copyright (c) 1995 Migration Associates Corp. All Rights Reserved @@ -189,7 +189,7 @@ tokenverify(char *username, char *challenge, char *response) return (-1); h2cb(tokenrec.secret, &user_seed); - memset(&tokenrec.secret, 0, sizeof(tokenrec.secret)); + explicit_bzero(&tokenrec.secret, sizeof(tokenrec.secret)); if (!(tokenrec.flags & TOKEN_ENABLED)) return (-1); @@ -201,10 +201,10 @@ tokenverify(char *username, char *challenge, char *response) DES_fixup_key_parity(&user_seed.cb); DES_key_sched(&user_seed.cb, &key_schedule); - memset(user_seed.ct, 0, sizeof(user_seed.ct)); + explicit_bzero(user_seed.ct, sizeof(user_seed.ct)); DES_ecb_encrypt(&tokennumber.cb, &cipher_text.cb, &key_schedule, DES_ENCRYPT); - memset(&key_schedule, 0, sizeof(key_schedule)); + explicit_bzero(&key_schedule, sizeof(key_schedule)); /* * The token thinks it's descended from VAXen. Deal with i386 @@ -304,7 +304,7 @@ tokenuserinit(int flags, char *username, unsigned char *usecret, unsigned mode) */ if (!(flags & TOKEN_GENSECRET)) { - memset(&secret, 0, sizeof(secret)); + explicit_bzero(&secret, sizeof(secret)); return (0); } @@ -314,10 +314,10 @@ tokenuserinit(int flags, char *username, unsigned char *usecret, unsigned mode) secret.cb[4], secret.cb[5], secret.cb[6], secret.cb[7]); DES_key_sched(&secret.cb, &key_schedule); - memset(&secret, 0, sizeof(secret)); + explicit_bzero(&secret, sizeof(secret)); memset(&nulls, 0, sizeof(nulls)); DES_ecb_encrypt(&nulls.cb, &checksum.cb, &key_schedule, DES_ENCRYPT); - memset(&key_schedule, 0, sizeof(key_schedule)); + explicit_bzero(&key_schedule, sizeof(key_schedule)); HTONL(checksum.ul[0]); snprintf(checktxt.ct, sizeof(checktxt.ct), "%8.8x", checksum.ul[0]); printf("Hex Checksum: \"%s\"", checktxt.ct); diff --git a/libexec/login_token/tokendb.c b/libexec/login_token/tokendb.c index 23a82c28a19..d52539ef192 100644 --- a/libexec/login_token/tokendb.c +++ b/libexec/login_token/tokendb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tokendb.c,v 1.9 2012/12/04 02:24:47 deraadt Exp $ */ +/* $OpenBSD: tokendb.c,v 1.10 2015/10/05 17:31:17 millert Exp $ */ /*- * Copyright (c) 1995 Migration Associates Corp. All Rights Reserved @@ -135,12 +135,10 @@ int tokendb_delrec(char *username) { DBT key; - DBT data; int status = 0; key.data = username; key.size = strlen(username) + 1; - memset(&data, 0, sizeof(data)); if (!tokendb_open()) { if (flock((tokendb->fd)(tokendb), LOCK_EX)) { |