memset->explicit_bzero in libskey

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

memset->explicit_bzero in libskey

Ricardo Mestre-2
Hi,

Within function skey_fakeprompt() from libskey it calculates an hash between a
secret (seed) and the username. Then it hashes the resulting hash, but in the
middle it clears the seed with memset(3), shouldn't we clear it with
explicit_bzero(3) instead?

Best regards,
mestre

Index: skeylogin.c
===================================================================
RCS file: /cvs/src/lib/libskey/skeylogin.c,v
retrieving revision 1.58
diff -u -p -u -r1.58 skeylogin.c
--- skeylogin.c 17 Mar 2016 21:36:48 -0000 1.58
+++ skeylogin.c 20 Mar 2017 16:23:31 -0000
@@ -482,7 +482,7 @@ skey_fakeprompt(char *username, char *sk
  SHA1End(&ctx, up);
 
  /* Zero out */
- memset(secret, 0, secretlen);
+ explicit_bzero(secret, secretlen);
 
  /* Now hash the hash */
  SHA1Init(&ctx);

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: memset->explicit_bzero in libskey

Todd C. Miller
On Mon, 20 Mar 2017 16:27:07 -0000, Ricardo Mestre wrote:

> Within function skey_fakeprompt() from libskey it calculates an
> hash between a secret (seed) and the username. Then it hashes the
> resulting hash, but in the middle it clears the seed with memset(3),
> shouldn't we clear it with explicit_bzero(3) instead?

Makes sense.  OK millert@

 - todd

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: memset->explicit_bzero in libskey

Ted Unangst-6
In reply to this post by Ricardo Mestre-2
Ricardo Mestre wrote:
> Hi,
>
> Within function skey_fakeprompt() from libskey it calculates an hash between a
> secret (seed) and the username. Then it hashes the resulting hash, but in the
> middle it clears the seed with memset(3), shouldn't we clear it with
> explicit_bzero(3) instead?

yes, plus two other memset that otherwise look like dead stores.

Loading...