Project

General

Profile

Bug #2973

Use safe_memclear in all appropriate places

Added by stbuehler 25 days ago. Updated 12 days ago.

Status:
Invalid
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
2019-08-22
Due date:
% Done:

0%

Estimated time:
Missing in 1.5.x:

Description

auth and crypto should probably always use safe_memclear apart from initial clear before use.

#2971 suggested this change, but there are probably more:

diff --git a/src/mod_authn_file.c b/src/mod_authn_file.c
index 1e16075e..cb6c9381 100644
--- a/src/mod_authn_file.c
+++ b/src/mod_authn_file.c
@@ -565,7 +565,7 @@ static void apr_md5_encode(const char *pw, const char *salt, char *result, size_
     /*
      * Don't leave anything around in vm they could use.
      */
-    memset(final, 0, sizeof(final));
+    safe_memclear(final, sizeof(final));

     /*
      * Then something really weird...

Related issues

Copied from Feature #2971: Update slightly safe_memclear supportFixed2019-08-22

Actions

History

#1

Updated by stbuehler 25 days ago

  • Copied from Feature #2971: Update slightly safe_memclear support added
#2

Updated by gstrauss 12 days ago

  • Status changed from New to Invalid
  • Target version deleted (1.4.x)

safe_memclear() is already used on final[] at the end of the routine (and the function does not return in between the memset() and the safe_memclear() at the end of the routine.

The original code, including comments, is documented as coming from Apache 1.3 in a comment a bit about the start of the function. Also, using MD5 as the digest algorithm is insecure and decprecated by RFCs.

Also available in: Atom