EAP server: Clear keying material on deinit
Reduce the amount of time keying material (MSK, EMSK, temporary private data) remains in memory in EAP methods. This provides additional protection should there be any issues that could expose process memory to external observers. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen
parent
f534ee0804
commit
0a13e06bdb
|
|
@ -168,7 +168,7 @@ SM_STATE(EAP, INITIALIZE)
|
|||
sm->eap_if.eapSuccess = FALSE;
|
||||
sm->eap_if.eapFail = FALSE;
|
||||
sm->eap_if.eapTimeout = FALSE;
|
||||
os_free(sm->eap_if.eapKeyData);
|
||||
bin_clear_free(sm->eap_if.eapKeyData, sm->eap_if.eapKeyDataLen);
|
||||
sm->eap_if.eapKeyData = NULL;
|
||||
sm->eap_if.eapKeyDataLen = 0;
|
||||
sm->eap_if.eapKeyAvailable = FALSE;
|
||||
|
|
@ -346,7 +346,7 @@ SM_STATE(EAP, METHOD_RESPONSE)
|
|||
sm->m->process(sm, sm->eap_method_priv, sm->eap_if.eapRespData);
|
||||
if (sm->m->isDone(sm, sm->eap_method_priv)) {
|
||||
eap_sm_Policy_update(sm, NULL, 0);
|
||||
os_free(sm->eap_if.eapKeyData);
|
||||
bin_clear_free(sm->eap_if.eapKeyData, sm->eap_if.eapKeyDataLen);
|
||||
if (sm->m->getKey) {
|
||||
sm->eap_if.eapKeyData = sm->m->getKey(
|
||||
sm, sm->eap_method_priv,
|
||||
|
|
@ -632,7 +632,7 @@ SM_STATE(EAP, SUCCESS2)
|
|||
if (sm->eap_if.aaaEapKeyAvailable) {
|
||||
EAP_COPY(&sm->eap_if.eapKeyData, sm->eap_if.aaaEapKeyData);
|
||||
} else {
|
||||
os_free(sm->eap_if.eapKeyData);
|
||||
bin_clear_free(sm->eap_if.eapKeyData, sm->eap_if.eapKeyDataLen);
|
||||
sm->eap_if.eapKeyData = NULL;
|
||||
sm->eap_if.eapKeyDataLen = 0;
|
||||
}
|
||||
|
|
@ -1260,7 +1260,7 @@ static void eap_user_free(struct eap_user *user)
|
|||
{
|
||||
if (user == NULL)
|
||||
return;
|
||||
os_free(user->password);
|
||||
bin_clear_free(user->password, user->password_len);
|
||||
user->password = NULL;
|
||||
os_free(user);
|
||||
}
|
||||
|
|
@ -1352,7 +1352,7 @@ void eap_server_sm_deinit(struct eap_sm *sm)
|
|||
if (sm->m && sm->eap_method_priv)
|
||||
sm->m->reset(sm, sm->eap_method_priv);
|
||||
wpabuf_free(sm->eap_if.eapReqData);
|
||||
os_free(sm->eap_if.eapKeyData);
|
||||
bin_clear_free(sm->eap_if.eapKeyData, sm->eap_if.eapKeyDataLen);
|
||||
wpabuf_free(sm->lastReqData);
|
||||
wpabuf_free(sm->eap_if.eapRespData);
|
||||
os_free(sm->identity);
|
||||
|
|
@ -1361,7 +1361,7 @@ void eap_server_sm_deinit(struct eap_sm *sm)
|
|||
os_free(sm->eap_fast_a_id_info);
|
||||
wpabuf_free(sm->eap_if.aaaEapReqData);
|
||||
wpabuf_free(sm->eap_if.aaaEapRespData);
|
||||
os_free(sm->eap_if.aaaEapKeyData);
|
||||
bin_clear_free(sm->eap_if.aaaEapKeyData, sm->eap_if.aaaEapKeyDataLen);
|
||||
eap_user_free(sm->user);
|
||||
wpabuf_free(sm->assoc_wps_ie);
|
||||
wpabuf_free(sm->assoc_p2p_ie);
|
||||
|
|
|
|||
|
|
@ -241,7 +241,7 @@ static void eap_aka_reset(struct eap_sm *sm, void *priv)
|
|||
os_free(data->next_reauth_id);
|
||||
wpabuf_free(data->id_msgs);
|
||||
os_free(data->network_name);
|
||||
os_free(data);
|
||||
bin_clear_free(data, sizeof(*data));
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -104,7 +104,7 @@ static void eap_eke_reset(struct eap_sm *sm, void *priv)
|
|||
eap_eke_session_clean(&data->sess);
|
||||
os_free(data->peerid);
|
||||
wpabuf_free(data->msgs);
|
||||
os_free(data);
|
||||
bin_clear_free(data, sizeof(*data));
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -511,7 +511,7 @@ static void eap_fast_reset(struct eap_sm *sm, void *priv)
|
|||
os_free(data->key_block_p);
|
||||
wpabuf_free(data->pending_phase2_resp);
|
||||
os_free(data->identity);
|
||||
os_free(data);
|
||||
bin_clear_free(data, sizeof(*data));
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -95,7 +95,7 @@ static void eap_gpsk_reset(struct eap_sm *sm, void *priv)
|
|||
{
|
||||
struct eap_gpsk_data *data = priv;
|
||||
os_free(data->id_peer);
|
||||
os_free(data);
|
||||
bin_clear_free(data, sizeof(*data));
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -127,7 +127,7 @@ static void eap_ikev2_reset(struct eap_sm *sm, void *priv)
|
|||
wpabuf_free(data->in_buf);
|
||||
wpabuf_free(data->out_buf);
|
||||
ikev2_initiator_deinit(&data->ikev2);
|
||||
os_free(data);
|
||||
bin_clear_free(data, sizeof(*data));
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -91,7 +91,7 @@ static void eap_mschapv2_reset(struct eap_sm *sm, void *priv)
|
|||
return;
|
||||
|
||||
os_free(data->peer_challenge);
|
||||
os_free(data);
|
||||
bin_clear_free(data, sizeof(*data));
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -64,7 +64,7 @@ static void eap_pax_reset(struct eap_sm *sm, void *priv)
|
|||
{
|
||||
struct eap_pax_data *data = priv;
|
||||
os_free(data->cid);
|
||||
os_free(data);
|
||||
bin_clear_free(data, sizeof(*data));
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -172,7 +172,7 @@ static void eap_peap_reset(struct eap_sm *sm, void *priv)
|
|||
wpabuf_free(data->pending_phase2_resp);
|
||||
os_free(data->phase2_key);
|
||||
wpabuf_free(data->soh_response);
|
||||
os_free(data);
|
||||
bin_clear_free(data, sizeof(*data));
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -47,7 +47,7 @@ static void eap_psk_reset(struct eap_sm *sm, void *priv)
|
|||
{
|
||||
struct eap_psk_data *data = priv;
|
||||
os_free(data->id_p);
|
||||
os_free(data);
|
||||
bin_clear_free(data, sizeof(*data));
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -116,7 +116,7 @@ static void * eap_pwd_init(struct eap_sm *sm)
|
|||
data->bnctx = BN_CTX_new();
|
||||
if (data->bnctx == NULL) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD: bn context allocation fail");
|
||||
os_free(data->password);
|
||||
bin_clear_free(data->password, data->password_len);
|
||||
os_free(data->id_server);
|
||||
os_free(data);
|
||||
return NULL;
|
||||
|
|
@ -144,7 +144,7 @@ static void eap_pwd_reset(struct eap_sm *sm, void *priv)
|
|||
EC_POINT_free(data->peer_element);
|
||||
os_free(data->id_peer);
|
||||
os_free(data->id_server);
|
||||
os_free(data->password);
|
||||
bin_clear_free(data->password, data->password_len);
|
||||
if (data->grp) {
|
||||
EC_GROUP_free(data->grp->group);
|
||||
EC_POINT_free(data->grp->pwe);
|
||||
|
|
@ -154,7 +154,7 @@ static void eap_pwd_reset(struct eap_sm *sm, void *priv)
|
|||
}
|
||||
wpabuf_free(data->inbuf);
|
||||
wpabuf_free(data->outbuf);
|
||||
os_free(data);
|
||||
bin_clear_free(data, sizeof(*data));
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -83,7 +83,7 @@ static void eap_sake_reset(struct eap_sm *sm, void *priv)
|
|||
{
|
||||
struct eap_sake_data *data = priv;
|
||||
os_free(data->peerid);
|
||||
os_free(data);
|
||||
bin_clear_free(data, sizeof(*data));
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -94,7 +94,7 @@ static void eap_sim_reset(struct eap_sm *sm, void *priv)
|
|||
struct eap_sim_data *data = priv;
|
||||
os_free(data->next_pseudonym);
|
||||
os_free(data->next_reauth_id);
|
||||
os_free(data);
|
||||
bin_clear_free(data, sizeof(*data));
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -336,7 +336,7 @@ static void eap_ttls_reset(struct eap_sm *sm, void *priv)
|
|||
data->phase2_method->reset(sm, data->phase2_priv);
|
||||
eap_server_tls_ssl_deinit(sm, &data->ssl);
|
||||
wpabuf_free(data->pending_phase2_eap_resp);
|
||||
os_free(data);
|
||||
bin_clear_free(data, sizeof(*data));
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue