Project

General

Profile

Actions

Bug #2973

closed

Use safe_memclear in all appropriate places

Added by stbuehler over 5 years ago. Updated over 5 years ago.

Status:
Invalid
Priority:
Normal
Category:
-
Target version:
-
ASK QUESTIONS IN Forums:

Description

auth and crypto should probably always use safe_memclear apart from initial clear before use.

#2971 suggested this change, but there are probably more:

diff --git a/src/mod_authn_file.c b/src/mod_authn_file.c
index 1e16075e..cb6c9381 100644
--- a/src/mod_authn_file.c
+++ b/src/mod_authn_file.c
@@ -565,7 +565,7 @@ static void apr_md5_encode(const char *pw, const char *salt, char *result, size_
     /*
      * Don't leave anything around in vm they could use.
      */
-    memset(final, 0, sizeof(final));
+    safe_memclear(final, sizeof(final));

     /*
      * Then something really weird...

Related issues 1 (0 open1 closed)

Copied from Feature #2971: Update slightly safe_memclear supportFixed2019-08-22Actions
Actions #1

Updated by stbuehler over 5 years ago

  • Copied from Feature #2971: Update slightly safe_memclear support added
Actions #2

Updated by gstrauss over 5 years ago

  • Status changed from New to Invalid
  • Target version deleted (1.4.x)

safe_memclear() is already used on final[] at the end of the routine (and the function does not return in between the memset() and the safe_memclear() at the end of the routine.

The original code, including comments, is documented as coming from Apache 1.3 in a comment a bit about the start of the function. Also, using MD5 as the digest algorithm is insecure and decprecated by RFCs.

Actions

Also available in: Atom