Actions
Bug #2973
closedUse safe_memclear in all appropriate places
Status:
Invalid
Priority:
Normal
Category:
-
Target version:
-
ASK QUESTIONS IN Forums:
Description
auth and crypto should probably always use safe_memclear apart from initial clear before use.
#2971 suggested this change, but there are probably more:
diff --git a/src/mod_authn_file.c b/src/mod_authn_file.c
index 1e16075e..cb6c9381 100644
--- a/src/mod_authn_file.c
+++ b/src/mod_authn_file.c
@@ -565,7 +565,7 @@ static void apr_md5_encode(const char *pw, const char *salt, char *result, size_
/*
* Don't leave anything around in vm they could use.
*/
- memset(final, 0, sizeof(final));
+ safe_memclear(final, sizeof(final));
/*
* Then something really weird...
Updated by stbuehler over 5 years ago
- Copied from Feature #2971: Update slightly safe_memclear support added
Updated by gstrauss about 5 years ago
- Status changed from New to Invalid
- Target version deleted (
1.4.x)
safe_memclear() is already used on final[] at the end of the routine (and the function does not return in between the memset() and the safe_memclear() at the end of the routine.
The original code, including comments, is documented as coming from Apache 1.3 in a comment a bit about the start of the function. Also, using MD5 as the digest algorithm is insecure and decprecated by RFCs.
Actions
Also available in: Atom