changeset 804:bf38c8f30a4c HEAD

Added safe_memset() which guarantees that compiler optimizations don't optimize it away. Not that we really need to clear the passwords from memory, but won't hurt much either :)
author Timo Sirainen <tss@iki.fi>
date Wed, 18 Dec 2002 12:40:43 +0200
parents 960b35117c39
children 5ac361acb316
files src/auth/auth-plain.c src/auth/login-connection.c src/auth/userinfo-pam.c src/auth/userinfo-passwd.c src/auth/userinfo-passwd.h src/auth/userinfo-shadow.c src/auth/userinfo-vpopmail.c src/lib/Makefile.am src/lib/safe-memset.c src/lib/safe-memset.h src/login/client-authenticate.c src/login/client.c
diffstat 12 files changed, 62 insertions(+), 14 deletions(-) [+]
--- a/src/auth/auth-plain.c	Wed Dec 18 07:42:12 2002 +0200
+++ b/src/auth/auth-plain.c	Wed Dec 18 12:40:43 2002 +0200
@@ -1,6 +1,7 @@
 /* Copyright (C) 2002 Timo Sirainen */
 
 #include "common.h"
+#include "safe-memset.h"
 #include "auth.h"
 #include "cookie.h"
 #include "userinfo.h"
@@ -49,7 +50,7 @@
 
 		if (*pass != '\0') {
 			/* make sure it's cleared */
-			memset(pass, 0, strlen(pass));
+			safe_memset(pass, 0, strlen(pass));
 		}
 	}
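Review bot: The `if (*pass != '\0')` guard around the clear is redundant now that safe_memset() is used: with a zero size the loop in safe_memset() does nothing, so the three lines can collapse to `safe_memset(pass, 0, strlen(pass));`. If the guard is kept for readability, the comment should say why the empty case is special (it isn't, as far as this hunk shows). The enclosing function starts and ends outside the hunk, so it is not visible whether `pass` can be NULL here; strlen() on a NULL pointer would be undefined.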
 
--- a/src/auth/login-connection.c	Wed Dec 18 07:42:12 2002 +0200
+++ b/src/auth/login-connection.c	Wed Dec 18 12:40:43 2002 +0200
@@ -5,6 +5,7 @@
 #include "istream.h"
 #include "ostream.h"
 #include "network.h"
+#include "safe-memset.h"
 #include "login-connection.h"
 
 #include <stdlib.h>
@@ -106,7 +107,7 @@
 		conn->type = AUTH_REQUEST_NONE;
 
 		/* clear any sensitive data from memory */
-		memset(data + sizeof(request), 0, request.data_size);
+		safe_memset(data + sizeof(request), 0, request.data_size);
 	} else {
 		/* unknown request */
 		i_error("BUG: imap-login sent us unknown request %u",
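Review bot: The size passed to the clear, `request.data_size`, comes from the request sent by imap-login, and this hunk does not show it being bounded against the bytes actually received into `data`; if the check lives earlier in the function (which starts outside the hunk) a comment at the clear such as `/* data_size was validated against the received length above */` would make that dependency visible, otherwise `safe_memset()` can write past the buffer. Also note that only the payload after the header is cleared, so any copy of the same bytes still sitting in the istream's read buffer is not covered by this change.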
--- a/src/auth/userinfo-pam.c	Wed Dec 18 07:42:12 2002 +0200
+++ b/src/auth/userinfo-pam.c	Wed Dec 18 12:40:43 2002 +0200
@@ -125,8 +125,8 @@
 			while (--i >= 0) {
 				if ((*resp)[i].resp == NULL)
 					continue;
-				memset((*resp)[i].resp, 0,
-				       strlen((*resp)[i].resp));
+				safe_memset((*resp)[i].resp, 0,
+					    strlen((*resp)[i].resp));
 				free((*resp)[i].resp);
 				(*resp)[i].resp = NULL;
 			}
@@ -201,7 +201,7 @@
 	if (pw == NULL)
 		return FALSE;
 
-	memset(pw->pw_passwd, 0, strlen(pw->pw_passwd));
+	safe_memset(pw->pw_passwd, 0, strlen(pw->pw_passwd));
 	passwd_fill_cookie_reply(pw, reply);
 	return TRUE;
 }
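Review bot: `strlen(pw->pw_passwd)` assumes `pw_passwd` is never NULL; only `pw == NULL` is checked in the hunk, and the origin of `pw` is not visible here. A defensive guard costs one line: `if (pw->pw_passwd != NULL) safe_memset(pw->pw_passwd, 0, strlen(pw->pw_passwd));`. Since this is the PAM backend and PAM already verified the password, a one-line comment explaining why the passwd-file hash field is being wiped at all (presumably to avoid passing it on through passwd_fill_cookie_reply()) would help the next reader.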
--- a/src/auth/userinfo-passwd.c	Wed Dec 18 07:42:12 2002 +0200
+++ b/src/auth/userinfo-passwd.c	Wed Dec 18 12:40:43 2002 +0200
@@ -43,8 +43,8 @@
 	result = strcmp(mycrypt(passdup, pw->pw_passwd), pw->pw_passwd) == 0;
 
 	/* clear the passwords from memory */
-	memset(passdup, 0, strlen(passdup));
-	memset(pw->pw_passwd, 0, strlen(pw->pw_passwd));
+	safe_memset(passdup, 0, strlen(passdup));
+	safe_memset(pw->pw_passwd, 0, strlen(pw->pw_passwd));
 
 	if (!result)
 		return FALSE;
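Review bot: The return value of `mycrypt()` is passed straight to strcmp(); if mycrypt() can fail the way crypt(3) does (NULL with errno set, e.g. for an unsupported hash format in `pw_passwd`), this dereferences NULL before the clear runs. Splitting the call makes it safe: `hash = mycrypt(passdup, pw->pw_passwd);` then `result = hash != NULL && strcmp(hash, pw->pw_passwd) == 0;`. Note also that the hash text crypt() returns typically lives in a static buffer that this hunk does not clear; that is the hash rather than the password, but a comment saying so would document the gap. The enclosing function starts outside the hunk.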
--- a/src/auth/userinfo-passwd.h	Wed Dec 18 07:42:12 2002 +0200
+++ b/src/auth/userinfo-passwd.h	Wed Dec 18 12:40:43 2002 +0200
@@ -2,6 +2,7 @@
 #define __USERINFO_PASSWD_H
 
 #include "common.h"
+#include "safe-memset.h"
 #include "userinfo.h"
 
 #include <pwd.h>
--- a/src/auth/userinfo-shadow.c	Wed Dec 18 07:42:12 2002 +0200
+++ b/src/auth/userinfo-shadow.c	Wed Dec 18 12:40:43 2002 +0200
@@ -32,8 +32,8 @@
 	result = strcmp(mycrypt(passdup, spw->sp_pwdp), spw->sp_pwdp) == 0;
 
 	/* clear the passwords from memory */
-	memset(passdup, 0, strlen(passdup));
-	memset(spw->sp_pwdp, 0, strlen(spw->sp_pwdp));
+	safe_memset(passdup, 0, strlen(passdup));
+	safe_memset(spw->sp_pwdp, 0, strlen(spw->sp_pwdp));
 
 	if (!result)
 		return FALSE;
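Review bot: Same issue as the passwd backend: `mycrypt(passdup, spw->sp_pwdp)` is handed to strcmp() unchecked, so a NULL return (as crypt(3) gives on error) would crash before the clears on the following lines run. Use `hash = mycrypt(passdup, spw->sp_pwdp);` and `result = hash != NULL && strcmp(hash, spw->sp_pwdp) == 0;`. The clear of `spw->sp_pwdp` wipes the hash inside the static struct returned by the shadow lookup, which is fine, but the crypt() output buffer is left as is; worth a one-line comment so nobody assumes it is covered. The function starts outside the hunk.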
--- a/src/auth/userinfo-vpopmail.c	Wed Dec 18 07:42:12 2002 +0200
+++ b/src/auth/userinfo-vpopmail.c	Wed Dec 18 12:40:43 2002 +0200
@@ -80,8 +80,8 @@
         passdup = t_strdup_noconst(password);
 	result = strcmp(crypt(passdup, vpw->pw_passwd), vpw->pw_passwd) == 0;
 
-	memset(passdup, 0, strlen(passdup));
-	memset(vpw->pw_passwd, 0, strlen(vpw->pw_passwd));
+	safe_memset(passdup, 0, strlen(passdup));
+	safe_memset(vpw->pw_passwd, 0, strlen(vpw->pw_passwd));
 
 	if (!result) {
 		I_DEBUG(("vpopmail: password mismatch for user %s@%s",
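Review bot: `crypt(passdup, vpw->pw_passwd)` is called without checking for a NULL return; crypt(3) returns NULL on failure (for example an unrecognised hash in `pw_passwd`), and strcmp() on it is undefined behaviour, triggered before the clears below. Rewrite as `hash = crypt(passdup, vpw->pw_passwd);` and `result = hash != NULL && strcmp(hash, vpw->pw_passwd) == 0;`. The indentation of the `passdup = t_strdup_noconst(password);` context line (spaces, not tabs) also differs from the rest of the function and could be fixed while the lines are being touched. The enclosing function starts and ends outside the hunk.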
--- a/src/lib/Makefile.am	Wed Dec 18 07:42:12 2002 +0200
+++ b/src/lib/Makefile.am	Wed Dec 18 12:40:43 2002 +0200
@@ -41,6 +41,7 @@
 	randgen.c \
 	restrict-access.c \
 	restrict-process-size.c \
+	safe-memset.c \
 	sendfile-util.c \
 	strfuncs.c \
 	temp-string.c \
@@ -85,6 +86,7 @@
 	randgen.h \
 	restrict-access.h \
 	restrict-process-size.h \
+	safe-memset.h \
 	sendfile-util.h \
 	strfuncs.h \
 	temp-string.h \
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/lib/safe-memset.c	Wed Dec 18 12:40:43 2002 +0200
@@ -0,0 +1,33 @@
+/*
+   Copyright (c) 2002 Timo Sirainen
+
+    Permission is hereby granted, free of charge, to any person obtaining
+    a copy of this software and associated documentation files (the
+    "Software"), to deal in the Software without restriction, including
+    without limitation the rights to use, copy, modify, merge, publish,
+    distribute, sublicense, and/or sell copies of the Software, and to
+    permit persons to whom the Software is furnished to do so, subject to
+    the following conditions:
+
+    The above copyright notice and this permission notice shall be
+    included in all copies or substantial portions of the Software.
+
+    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+    MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+    IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+    CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+    TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+    SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+*/
+
+#include "lib.h"
+#include "safe-memset.h"
+
+void safe_memset(void *data, int c, size_t size)
+{
+	volatile unsigned char *p = data;
+
+	for (; size > 0; size--)
+		*p++ = (unsigned char)c;
+}
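Review bot: safe_memset() has no comment explaining why it exists or what it does not do, and as the one helper every backend now relies on it deserves one. Suggested header comment above the definition: `/* Like memset(), but every store goes through a volatile pointer so the compiler cannot drop the writes as dead stores before free() or return. Only this buffer is wiped: copies in registers, in other buffers (e.g. crypt()'s static output) or already swapped out are not affected. */`. It may also be worth noting in the comment that `c` is truncated to unsigned char exactly like memset() and that a zero `size` is a no-op, since callers pass `strlen()` results that can be 0.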
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/lib/safe-memset.h	Wed Dec 18 12:40:43 2002 +0200
@@ -0,0 +1,8 @@
+#ifndef __SAFE_MEMSET_H
+#define __SAFE_MEMSET_H
+
+/* memset() guaranteed not to get optimized away by compiler.
+   Should be used instead of memset() when clearing any sensitive data. */
+void safe_memset(void *data, int c, size_t size);
+
+#endif
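Review bot: The header uses `size_t` but includes nothing, so it only compiles when the including file has already pulled in a header that defines it (every user in this changeset includes it after common.h or lib.h); adding `#include <stddef.h>` after the guard makes it self-contained. The guard macro `__SAFE_MEMSET_H` starts with two underscores, which is an identifier reserved for the implementation; `SAFE_MEMSET_H` avoids that. Both are one-line changes: `#define SAFE_MEMSET_H` and `#include <stddef.h>`.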
--- a/src/login/client-authenticate.c	Wed Dec 18 07:42:12 2002 +0200
+++ b/src/login/client-authenticate.c	Wed Dec 18 12:40:43 2002 +0200
@@ -6,6 +6,7 @@
 #include "ioloop.h"
 #include "istream.h"
 #include "ostream.h"
+#include "safe-memset.h"
 #include "temp-string.h"
 #include "auth-connection.h"
 #include "client.h"
@@ -267,10 +268,10 @@
 	}
 
 	/* clear sensitive data */
-	memset(line, 0, linelen);
+	safe_memset(line, 0, linelen);
 
 	bufsize = buffer_get_used_size(buf);
-	memset(buffer_free_without_data(buf), 0, bufsize);
+	safe_memset(buffer_free_without_data(buf), 0, bufsize);
 
 	t_pop();
 }
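Review bot: The second clear writes through the pointer returned by `buffer_free_without_data(buf)` after the buffer object itself has been released, so it depends on that function handing back data memory that is still owned by this caller; nothing in the hunk states that contract, and a comment would, e.g. `/* buffer_free_without_data() releases the buffer struct but leaves the data to us; wipe it before t_pop() frees the pool */`. Note that `bufsize` is the used size taken before the free, so if the buffer was ever grown while the credentials were being collected, the earlier, reallocated-away copies are not cleared by this. The enclosing function starts outside the hunk.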
--- a/src/login/client.c	Wed Dec 18 07:42:12 2002 +0200
+++ b/src/login/client.c	Wed Dec 18 12:40:43 2002 +0200
@@ -7,6 +7,7 @@
 #include "istream.h"
 #include "ostream.h"
 #include "process-title.h"
+#include "safe-memset.h"
 #include "client.h"
 #include "client-authenticate.h"
 #include "ssl-proxy.h"
@@ -180,7 +181,7 @@
 		pass = get_next_arg(&line);
 		ret = cmd_login(client, user, pass);
 
-		memset(pass, 0, strlen(pass));
+		safe_memset(pass, 0, strlen(pass));
 		return ret;
 	}
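Review bot: `safe_memset(pass, 0, strlen(pass))` assumes `get_next_arg()` returned a non-NULL `pass`; if a LOGIN without a password argument yields NULL from it (not visible in this hunk), strlen() on NULL is undefined even though cmd_login() may have handled the NULL gracefully. A guard keeps it to one line: `if (pass != NULL) safe_memset(pass, 0, strlen(pass));`. Since `pass` appears to point into the parsed `line`, only that copy is wiped; the istream buffer the line was read from is not covered here, which a short comment could acknowledge. The enclosing function starts and ends outside the hunk.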
 	if (strcmp(cmd, "AUTHENTICATE") == 0)