
[mod_auth] clear crypt() output if len >= 13

crypt() static output buffer is cleared upon next call to crypt(),
but clear output buffer anyway since next call to crypt() might be
much later.  Only clear crypt() output if length >= 13, since if
there is an error in crypt(), 'man crypt' warns:

"Some implementations of crypt, upon error, return an invalid hash that
is stored in a read-only location or only initialized once, which means
that it is only safe to erase the buffer pointed to by the crypt return
value if an error did not occur."
master
Glenn Strauss 3 months ago
parent
commit
7edb1956f3
  1. 4
      src/mod_authn_dbi.c
  2. 10
      src/mod_authn_file.c
  3. 2
      src/mod_authn_mysql.c

4
src/mod_authn_dbi.c

@ -335,7 +335,7 @@ mod_authn_crypt_cmp (const char *reqpw, const char *userpw, unsigned long userpw
char *crypted = crypt(reqpw, userpw);
size_t crypwlen = (NULL != crypted) ? strlen(crypted) : 0;
int rc = (crypwlen == userpwlen) ? memcmp(crypted, userpw, crypwlen) : -1;
if (crypwlen) ck_memzero(crypted, crypwlen);
if (crypwlen >= 13) ck_memzero(crypted, crypwlen);
return rc;
#else
@ -363,7 +363,7 @@ mod_authn_crypt_cmp (const char *reqpw, const char *userpw, unsigned long userpw
size_t crypwlen = (NULL != crypted) ? strlen(crypted) : 0;
int rc = (crypwlen == userpwlen) ? memcmp(crypted, userpw, crypwlen) : -1;
ck_memzero(crypted, crypwlen);
if (crypwlen >= 13) ck_memzero(crypted, crypwlen);
#if defined(HAVE_CRYPT_R)
#if 1 /* (must free() if allocated above) */
free(crypt_tmp_data);
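Review bot: In the second hunk the wipe still goes through the pointer returned by crypt, so with the new `crypwlen >= 13` guard a short result is left untouched until `free(crypt_tmp_data)`. If `crypt_tmp_data` is the `struct crypt_data` passed to `crypt_r()` (the call is outside the hunk, so this is inferred from the `HAVE_CRYPT_R` block), that allocation is owned by this function and can be cleared whole whatever crypt_r() returned. Something like `if (crypt_tmp_data) ck_memzero(crypt_tmp_data, sizeof(*crypt_tmp_data));` immediately before the `free()` would do it. That removes the dependence on the length heuristic on this path and also covers any scratch state kept in the struct. The function body starts and ends outside both hunks.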

10
src/mod_authn_file.c

@ -575,8 +575,7 @@ static size_t apr_md5_encode(const char *pw, const char *salt, char *result, siz
#if defined(HAVE_CRYPT_R) || defined(HAVE_CRYPT)
static int mod_authn_file_crypt_cmp(const buffer * const password, const char * const pw) {
int rc = -1;
char *crypted;
char sample[256];
char *crypted = NULL;
#if 0 && defined(HAVE_CRYPT_R)
struct crypt_data crypt_tmp_data;
#ifdef _AIX
@ -597,6 +596,7 @@ static int mod_authn_file_crypt_cmp(const buffer * const password, const char *
* NTLM passwords limited to 127 chars, and encoding to UCS-2LE
* requires double that, so sample[256] buf is large enough.
* Prior sample[120] size likely taken from apr_md5_encode(). */
char sample[256];
char *b = password->ptr+sizeof("$1+ntlm$")-1;
char *e = strchr(b, '$');
size_t slen = (NULL != e) ? (size_t)(e - b) : sizeof(sample);
@ -632,6 +632,7 @@ static int mod_authn_file_crypt_cmp(const buffer * const password, const char *
&& 0 == strncmp(crypted, "$1$", sizeof("$1$")-1)) {
rc = strcmp(b, crypted+3); /*skip crypted "$1$" prefix*/
}
ck_memzero(sample, sizeof(sample));
}
}
else
@ -646,7 +647,10 @@ static int mod_authn_file_crypt_cmp(const buffer * const password, const char *
rc = strcmp(password->ptr, crypted);
}
}
ck_memzero(sample, sizeof(sample));
if (NULL != crypted) {
size_t crypwlen = strlen(crypted);
if (crypwlen >= 13) ck_memzero(crypted, crypwlen);
}
return rc;
}
#endif
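Review bot: The comparisons that set `rc` in the last two hunks, `strcmp(b, crypted+3)` and `strcmp(password->ptr, crypted)`, stop at the first differing byte, so their running time depends on how much of the computed hash matches the stored one. Since this commit is already tightening how the crypt() result is handled, a length check followed by a constant-time compare would fit here. The `memcmp` calls in src/mod_authn_dbi.c and src/mod_authn_mysql.c have the same property. The new cleanup block looks consistent with the `char *crypted = NULL;` initialisation, which keeps `if (NULL != crypted)` safe on any path that leaves it unset, though those paths are outside the visible hunks.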

2
src/mod_authn_mysql.c

@ -305,7 +305,7 @@ static int mod_authn_mysql_password_cmp(const char *userpw, unsigned long userpw
char *crypted = crypt(reqpw, userpw);
size_t crypwlen = (NULL != crypted) ? strlen(crypted) : 0;
int rc = (crypwlen == userpwlen) ? memcmp(crypted, userpw, crypwlen) : -1;
if (crypwlen) ck_memzero(crypted, crypwlen);
if (crypwlen >= 13) ck_memzero(crypted, crypwlen);
return rc;
}
else
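Review bot: The bare `13` in `if (crypwlen >= 13) ck_memzero(crypted, crypwlen);` is explained only in the commit message, and the same literal is repeated at both sites in src/mod_authn_dbi.c and the one in src/mod_authn_file.c. A comment at each site, or one shared helper that carries it, would keep the reasoning next to the code, for example `/* shorter than a traditional DES crypt() hash (13 chars): treat as crypt() error output, which may be read-only; do not write to it */`. That reading of 13 is my assumption about why the value was chosen, since the commit message quotes only the man-page caveat. The enclosing function starts and ends outside the hunk.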
