From 85d4e994fb2d7a79a137508db85120226fc9922a Mon Sep 17 00:00:00 2001
From: Tobias Heider
Date: Tue, 12 Oct 2021 09:27:22 +0000
Subject: Make sure all copies of MSCHAPv2 passphrase are zeroed after use.

ok patrick@
---
 sbin/iked/config.c | 14 ++++++++------
 sbin/iked/ikev2.c | 8 ++++----
 sbin/iked/parse.y | 6 ++++--
 3 files changed, 16 insertions(+), 12 deletions(-)

(limited to 'sbin/iked')

diff --git a/sbin/iked/config.c b/sbin/iked/config.c
index 87047a1f326..50b73b67c1a 100644
--- a/sbin/iked/config.c
+++ b/sbin/iked/config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: config.c,v 1.81 2021/09/18 16:45:07 deraadt Exp $ */
+/* $OpenBSD: config.c,v 1.82 2021/10/12 09:27:21 tobhe Exp $ */
 
 /*
  * Copyright (c) 2019 Tobias Heider
@@ -670,16 +670,18 @@ int
 config_getuser(struct iked *env, struct imsg *imsg)
 {
 struct iked_user usr;
+ int ret = -1;
 
 IMSG_SIZE_CHECK(imsg, &usr);
 memcpy(&usr, imsg->data, sizeof(usr));
 
- if (config_new_user(env, &usr) == NULL)
- return (-1);
-
- print_user(&usr);
+ if (config_new_user(env, &usr) != NULL) {
+ print_user(&usr);
+ ret = 0;
+ }
 
- return (0);
+ explicit_bzero(&usr, sizeof(usr));
+ return (ret);
 }
 
 int
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 833c2875825..f319919168d 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.327 2021/09/07 14:09:04 tobhe Exp $ */
+/* $OpenBSD: ikev2.c,v 1.328 2021/10/12 09:27:21 tobhe Exp $ */
 
 /*
  * Copyright (c) 2019 Tobias Heider
@@ -3611,7 +3611,7 @@ ikev2_resp_ike_eap_mschap(struct iked *env, struct iked_sa *sa,
 sizeof(ntresponse)) != 0) {
 log_info("%s: '%s' authentication failed", SPI_SA(sa, __func__), usr->usr_name);
- free(pass);
+ freezero(pass, passlen);
 /* XXX should we send an EAP failure packet? */
 return (-1);
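Review bot: After the memcpy in config_getuser, imsg->data still holds a second copy of the user record, and the new explicit_bzero clears only the stack copy usr; whether the imsg buffer is wiped when the caller releases the message is not visible in this hunk. If it is not, an `explicit_bzero(imsg->data, sizeof(usr));` immediately after the memcpy would cover that copy within the function that consumed it. The new code also spells the size as `sizeof(usr)` while the parse.y hunk in the same commit writes `sizeof usr`; picking one form would keep the commit consistent.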
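Review bot: The same `freezero(pass, passlen)` is now repeated on three exit paths of ikev2_resp_ike_eap_mschap (here and twice in the @@ -3625 hunk), so any future early return added between them can regress to a plain free() or leave pass unzeroed; a single cleanup label reached by every path would make the zeroing structural rather than per-site. The function starts and ends outside these hunks, so any earlier returns between the allocation of pass and this point are not visible and should be checked for the same treatment; the `ret` used below would need declaring at function scope, outside the hunk. The MSK that mschap_msk writes into sa->sa_eapmsk is also password-derived material, and whether the ibuf release path zeroes it is outside this commit and worth confirming.
```c
		log_info("%s: '%s' authentication failed",
		    SPI_SA(sa, __func__), usr->usr_name);
		/* XXX should we send an EAP failure packet? */
		ret = -1;
		goto done;
	/* … unchanged: success message, MSK allocation and derivation, each failure doing ret = -1; goto done … */
 done:
	freezero(pass, passlen);
	return (ret);
```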
@@ -3625,12 +3625,12 @@ ikev2_resp_ike_eap_mschap(struct iked *env, struct iked_sa *sa,
 successmsg);
 if ((sa->sa_eapmsk = ibuf_new(NULL, MSCHAP_MSK_SZ)) == NULL) {
 log_info("%s: failed to get MSK", SPI_SA(sa, __func__));
- free(pass);
+ freezero(pass, passlen);
 return (-1);
 }
 mschap_msk(pass, passlen, ntresponse, ibuf_data(sa->sa_eapmsk));
- free(pass);
+ freezero(pass, passlen);
 log_info("%s: '%s' authenticated", __func__, usr->usr_name);
diff --git a/sbin/iked/parse.y b/sbin/iked/parse.y
index fc47c89c3aa..0dbdb5a5e85 100644
--- a/sbin/iked/parse.y
+++ b/sbin/iked/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.132 2021/09/18 16:45:52 deraadt Exp $ */
+/* $OpenBSD: parse.y,v 1.133 2021/10/12 09:27:21 tobhe Exp $ */
 
 /*
  * Copyright (c) 2019 Tobias Heider
@@ -551,7 +551,7 @@ user : USER STRING STRING {
 if (create_user($2, $3) == -1)
 YYERROR;
 free($2);
- free($3);
+ freezero($3, strlen($3));
 }
 ;
@@ -3078,6 +3078,8 @@ create_user(const char *user, const char *pass)
 config_setuser(env, &usr, PROC_IKEV2);
 rules++;
+
+ explicit_bzero(&usr, sizeof usr);
 
 return (0);
 }
-- 
cgit v1.2.3
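Review bot: On the error path of the user rule, `if (create_user($2, $3) == -1) YYERROR;` leaves the action before either string is released, so the passphrase in $3 is neither freed nor zeroed on that path — the opposite of what this hunk guarantees on the success path. Releasing both tokens before raising the error closes that gap; this assumes create_user copies its arguments rather than retaining the pointers, which the explicit_bzero on its local usr in the @@ -3078 hunk suggests but does not prove. The lexer-side buffer that produced $3 is outside this hunk and may hold a further copy of the passphrase.
```c
user		: USER STRING STRING		{
			int rc = create_user($2, $3);

			free($2);
			freezero($3, strlen($3));
			if (rc == -1)
				YYERROR;
		}
```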
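Review bot: The new `explicit_bzero(&usr, sizeof usr)` sits only on the success path of create_user, after config_setuser; the function begins outside the hunk, so any `return (-1)` it takes after pass has been copied into usr would skip the zeroing. Moving the clearing to a single exit point, e.g. `explicit_bzero(&usr, sizeof usr); return (ret);` with failure paths jumping to it, would make it hold for every return, mirroring what the config.c hunk does in config_getuser. config_setuser also hands a copy of usr to the imsg layer; whether that outgoing buffer is zeroed once sent is outside this commit and worth confirming.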