Use explicit_bzero to overwrite passwords

Use explicit_bzero instead of memset, where available, to overwrite
copies of passwords before freeing memory.  This reduces the lifetime
of passwords in memory.

diff --git a/NEWS b/NEWS
index 286f7c4f4c41829d6dfb289137823a6586967f3a..1f78aa3446002aaa756dd91815469e7022511583 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,10 @@ krb5-strength 3.2 (unreleased)
     --without-cracklib to configure.  This makes the code a bit simpler
     and lighter if you don't intend to ever use the CrackLib support.
 
+    Use explicit_bzero instead of memset, where available, to overwrite
+    copies of passwords before freeing memory.  This reduces the lifetime
+    of passwords in memory.
+
     Update to rra-c-util 8.2:
 
     * Implement explicit_bzero with memset if it is not available.

diff --git a/plugin/principal.c b/plugin/principal.c
index fd19cd489ffa466cc1474e8c47db40b090d5c4c5..67d8be5858923b9098ef18d2ac7d0d729edec95e 100644 (file)
--- a/plugin/principal.c
+++ b/plugin/principal.c
@@ -8,7 +8,8 @@
  * Developed by Derrick Brashear and Ken Hornstein of Sine Nomine Associates,
  *     on behalf of Stanford University
  * Extensive modifications by Russ Allbery <eagle@eyrie.org>
- * Copyright 2006, 2007, 2009, 2012, 2013, 2014
+ * Copyright 2020 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2006-2007, 2009, 2012-2014
  *     The Board of Trustees of the Leland Stanford Junior University
  *
  * See LICENSE for licensing terms.
@@ -56,7 +57,7 @@ check_component(krb5_context ctx, const char *component, const char *password)
             copy[j] = c;
         }
         if (strcasecmp(copy, password) == 0) {
-            memset(copy, 0, strlen(copy));
+            explicit_bzero(copy, strlen(copy));
             free(copy);
             return strength_error_generic(ctx, ERROR_USERNAME);
         }
@@ -159,7 +160,7 @@ strength_check_principal(krb5_context ctx, krb5_pwqual_moddata data UNUSED,
         if (i != 0) {
             code = check_component(ctx, copy + i, password);
             if (code != 0) {
-                memset(copy, 0, strlen(copy));
+                explicit_bzero(copy, strlen(copy));
                 free(copy);
                 return code;
             }
@@ -176,7 +177,7 @@ strength_check_principal(krb5_context ctx, krb5_pwqual_moddata data UNUSED,
         /* Check the current component. */
         code = check_component(ctx, start, password);
         if (code != 0) {
-            memset(copy, 0, strlen(copy));
+            explicit_bzero(copy, strlen(copy));
             free(copy);
             return code;
         }
@@ -187,7 +188,7 @@ strength_check_principal(krb5_context ctx, krb5_pwqual_moddata data UNUSED,
     } while (i < length);
 
     /* Password does not appear to be based on the principal. */
-    memset(copy, 0, strlen(copy));
+    explicit_bzero(copy, strlen(copy));
     free(copy);
     return 0;
 }

diff --git a/plugin/sqlite.c b/plugin/sqlite.c
index 34a5b0cd239eeba286a32067f2390d63b5b12c62..8d4fc2c335875bb38a0ddd8262f1eef7bd79fc68 100644 (file)
--- a/plugin/sqlite.c
+++ b/plugin/sqlite.c
@@ -368,8 +368,8 @@ strength_check_sqlite(krb5_context ctx, krb5_pwqual_moddata data,
         goto found;
 
     /* No match.  Clean up and return success. */
-    memset(prefix, 0, length);
-    memset(drowssap, 0, length);
+    explicit_bzero(prefix, length);
+    explicit_bzero(drowssap, length);
     free(prefix);
     free(drowssap);
     return 0;
@@ -380,8 +380,8 @@ found:
 
 fail:
     if (prefix != NULL)
-        memset(prefix, 0, length);
-    memset(drowssap, 0, length);
+        explicit_bzero(prefix, length);
+    explicit_bzero(drowssap, length);
     free(prefix);
     free(drowssap);
     return code;