Use safe_memclear in all appropriate places
auth and crypto should probably always use
safe_memclear apart from initial clear before use.
#2971 suggested this change, but there are probably more:
diff --git a/src/mod_authn_file.c b/src/mod_authn_file.c index 1e16075e..cb6c9381 100644 --- a/src/mod_authn_file.c +++ b/src/mod_authn_file.c @@ -565,7 +565,7 @@ static void apr_md5_encode(const char *pw, const char *salt, char *result, size_ /* * Don't leave anything around in vm they could use. */ - memset(final, 0, sizeof(final)); + safe_memclear(final, sizeof(final)); /* * Then something really weird...
- Status changed from New to Invalid
- Target version deleted (
safe_memclear() is already used on final at the end of the routine (and the function does not return in between the memset() and the safe_memclear() at the end of the routine.
The original code, including comments, is documented as coming from Apache 1.3 in a comment a bit about the start of the function. Also, using MD5 as the digest algorithm is insecure and decprecated by RFCs.
Also available in: Atom