aboutsummaryrefslogtreecommitdiffstats
path: root/src/eap_server
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2014-06-29 22:48:41 (GMT)
committerJouni Malinen <j@w1.fi>2014-07-02 09:38:48 (GMT)
commit0a13e06bdba710cc7e6ea8da391a595b5d33aba6 (patch)
treed984c752de6a327883186e02cb33b1daa7583f18 /src/eap_server
parentf534ee0804dc8d77434d2b534a118e86bd597694 (diff)
downloadhostap-0a13e06bdba710cc7e6ea8da391a595b5d33aba6.zip
hostap-0a13e06bdba710cc7e6ea8da391a595b5d33aba6.tar.gz
hostap-0a13e06bdba710cc7e6ea8da391a595b5d33aba6.tar.bz2
EAP server: Clear keying material on deinit
Reduce the amount of time keying material (MSK, EMSK, temporary private data) remains in memory in EAP methods. This provides additional protection should there be any issues that could expose process memory to external observers. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/eap_server')
-rw-r--r--src/eap_server/eap_server.c12
-rw-r--r--src/eap_server/eap_server_aka.c2
-rw-r--r--src/eap_server/eap_server_eke.c2
-rw-r--r--src/eap_server/eap_server_fast.c2
-rw-r--r--src/eap_server/eap_server_gpsk.c2
-rw-r--r--src/eap_server/eap_server_ikev2.c2
-rw-r--r--src/eap_server/eap_server_mschapv2.c2
-rw-r--r--src/eap_server/eap_server_pax.c2
-rw-r--r--src/eap_server/eap_server_peap.c2
-rw-r--r--src/eap_server/eap_server_psk.c2
-rw-r--r--src/eap_server/eap_server_pwd.c6
-rw-r--r--src/eap_server/eap_server_sake.c2
-rw-r--r--src/eap_server/eap_server_sim.c2
-rw-r--r--src/eap_server/eap_server_ttls.c2
14 files changed, 21 insertions, 21 deletions
diff --git a/src/eap_server/eap_server.c b/src/eap_server/eap_server.c
index 65d00dd..c1bb6b8 100644
--- a/src/eap_server/eap_server.c
+++ b/src/eap_server/eap_server.c
@@ -168,7 +168,7 @@ SM_STATE(EAP, INITIALIZE)
sm->eap_if.eapSuccess = FALSE;
sm->eap_if.eapFail = FALSE;
sm->eap_if.eapTimeout = FALSE;
- os_free(sm->eap_if.eapKeyData);
+ bin_clear_free(sm->eap_if.eapKeyData, sm->eap_if.eapKeyDataLen);
sm->eap_if.eapKeyData = NULL;
sm->eap_if.eapKeyDataLen = 0;
sm->eap_if.eapKeyAvailable = FALSE;
@@ -346,7 +346,7 @@ SM_STATE(EAP, METHOD_RESPONSE)
sm->m->process(sm, sm->eap_method_priv, sm->eap_if.eapRespData);
if (sm->m->isDone(sm, sm->eap_method_priv)) {
eap_sm_Policy_update(sm, NULL, 0);
- os_free(sm->eap_if.eapKeyData);
+ bin_clear_free(sm->eap_if.eapKeyData, sm->eap_if.eapKeyDataLen);
if (sm->m->getKey) {
sm->eap_if.eapKeyData = sm->m->getKey(
sm, sm->eap_method_priv,
@@ -632,7 +632,7 @@ SM_STATE(EAP, SUCCESS2)
if (sm->eap_if.aaaEapKeyAvailable) {
EAP_COPY(&sm->eap_if.eapKeyData, sm->eap_if.aaaEapKeyData);
} else {
- os_free(sm->eap_if.eapKeyData);
+ bin_clear_free(sm->eap_if.eapKeyData, sm->eap_if.eapKeyDataLen);
sm->eap_if.eapKeyData = NULL;
sm->eap_if.eapKeyDataLen = 0;
}
@@ -1260,7 +1260,7 @@ static void eap_user_free(struct eap_user *user)
{
if (user == NULL)
return;
- os_free(user->password);
+ bin_clear_free(user->password, user->password_len);
user->password = NULL;
os_free(user);
}
@@ -1352,7 +1352,7 @@ void eap_server_sm_deinit(struct eap_sm *sm)
if (sm->m && sm->eap_method_priv)
sm->m->reset(sm, sm->eap_method_priv);
wpabuf_free(sm->eap_if.eapReqData);
- os_free(sm->eap_if.eapKeyData);
+ bin_clear_free(sm->eap_if.eapKeyData, sm->eap_if.eapKeyDataLen);
wpabuf_free(sm->lastReqData);
wpabuf_free(sm->eap_if.eapRespData);
os_free(sm->identity);
@@ -1361,7 +1361,7 @@ void eap_server_sm_deinit(struct eap_sm *sm)
os_free(sm->eap_fast_a_id_info);
wpabuf_free(sm->eap_if.aaaEapReqData);
wpabuf_free(sm->eap_if.aaaEapRespData);
- os_free(sm->eap_if.aaaEapKeyData);
+ bin_clear_free(sm->eap_if.aaaEapKeyData, sm->eap_if.aaaEapKeyDataLen);
eap_user_free(sm->user);
wpabuf_free(sm->assoc_wps_ie);
wpabuf_free(sm->assoc_p2p_ie);
diff --git a/src/eap_server/eap_server_aka.c b/src/eap_server/eap_server_aka.c
index 1907f20..09b976e 100644
--- a/src/eap_server/eap_server_aka.c
+++ b/src/eap_server/eap_server_aka.c
@@ -241,7 +241,7 @@ static void eap_aka_reset(struct eap_sm *sm, void *priv)
os_free(data->next_reauth_id);
wpabuf_free(data->id_msgs);
os_free(data->network_name);
- os_free(data);
+ bin_clear_free(data, sizeof(*data));
}
diff --git a/src/eap_server/eap_server_eke.c b/src/eap_server/eap_server_eke.c
index 47ce246..966f511 100644
--- a/src/eap_server/eap_server_eke.c
+++ b/src/eap_server/eap_server_eke.c
@@ -104,7 +104,7 @@ static void eap_eke_reset(struct eap_sm *sm, void *priv)
eap_eke_session_clean(&data->sess);
os_free(data->peerid);
wpabuf_free(data->msgs);
- os_free(data);
+ bin_clear_free(data, sizeof(*data));
}
diff --git a/src/eap_server/eap_server_fast.c b/src/eap_server/eap_server_fast.c
index 06dcf74..1024510 100644
--- a/src/eap_server/eap_server_fast.c
+++ b/src/eap_server/eap_server_fast.c
@@ -511,7 +511,7 @@ static void eap_fast_reset(struct eap_sm *sm, void *priv)
os_free(data->key_block_p);
wpabuf_free(data->pending_phase2_resp);
os_free(data->identity);
- os_free(data);
+ bin_clear_free(data, sizeof(*data));
}
diff --git a/src/eap_server/eap_server_gpsk.c b/src/eap_server/eap_server_gpsk.c
index 7618f7c..cb369e4 100644
--- a/src/eap_server/eap_server_gpsk.c
+++ b/src/eap_server/eap_server_gpsk.c
@@ -95,7 +95,7 @@ static void eap_gpsk_reset(struct eap_sm *sm, void *priv)
{
struct eap_gpsk_data *data = priv;
os_free(data->id_peer);
- os_free(data);
+ bin_clear_free(data, sizeof(*data));
}
diff --git a/src/eap_server/eap_server_ikev2.c b/src/eap_server/eap_server_ikev2.c
index 3e32cc9..65b2ef6 100644
--- a/src/eap_server/eap_server_ikev2.c
+++ b/src/eap_server/eap_server_ikev2.c
@@ -127,7 +127,7 @@ static void eap_ikev2_reset(struct eap_sm *sm, void *priv)
wpabuf_free(data->in_buf);
wpabuf_free(data->out_buf);
ikev2_initiator_deinit(&data->ikev2);
- os_free(data);
+ bin_clear_free(data, sizeof(*data));
}
diff --git a/src/eap_server/eap_server_mschapv2.c b/src/eap_server/eap_server_mschapv2.c
index 68e6394..f7a753d 100644
--- a/src/eap_server/eap_server_mschapv2.c
+++ b/src/eap_server/eap_server_mschapv2.c
@@ -91,7 +91,7 @@ static void eap_mschapv2_reset(struct eap_sm *sm, void *priv)
return;
os_free(data->peer_challenge);
- os_free(data);
+ bin_clear_free(data, sizeof(*data));
}
diff --git a/src/eap_server/eap_server_pax.c b/src/eap_server/eap_server_pax.c
index d923cd7..c87848c 100644
--- a/src/eap_server/eap_server_pax.c
+++ b/src/eap_server/eap_server_pax.c
@@ -64,7 +64,7 @@ static void eap_pax_reset(struct eap_sm *sm, void *priv)
{
struct eap_pax_data *data = priv;
os_free(data->cid);
- os_free(data);
+ bin_clear_free(data, sizeof(*data));
}
diff --git a/src/eap_server/eap_server_peap.c b/src/eap_server/eap_server_peap.c
index 55dee88..594e02d 100644
--- a/src/eap_server/eap_server_peap.c
+++ b/src/eap_server/eap_server_peap.c
@@ -172,7 +172,7 @@ static void eap_peap_reset(struct eap_sm *sm, void *priv)
wpabuf_free(data->pending_phase2_resp);
os_free(data->phase2_key);
wpabuf_free(data->soh_response);
- os_free(data);
+ bin_clear_free(data, sizeof(*data));
}
diff --git a/src/eap_server/eap_server_psk.c b/src/eap_server/eap_server_psk.c
index 2cff493..db394e9 100644
--- a/src/eap_server/eap_server_psk.c
+++ b/src/eap_server/eap_server_psk.c
@@ -47,7 +47,7 @@ static void eap_psk_reset(struct eap_sm *sm, void *priv)
{
struct eap_psk_data *data = priv;
os_free(data->id_p);
- os_free(data);
+ bin_clear_free(data, sizeof(*data));
}
diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
index 846ac1f..9154ab1 100644
--- a/src/eap_server/eap_server_pwd.c
+++ b/src/eap_server/eap_server_pwd.c
@@ -116,7 +116,7 @@ static void * eap_pwd_init(struct eap_sm *sm)
data->bnctx = BN_CTX_new();
if (data->bnctx == NULL) {
wpa_printf(MSG_INFO, "EAP-PWD: bn context allocation fail");
- os_free(data->password);
+ bin_clear_free(data->password, data->password_len);
os_free(data->id_server);
os_free(data);
return NULL;
@@ -144,7 +144,7 @@ static void eap_pwd_reset(struct eap_sm *sm, void *priv)
EC_POINT_free(data->peer_element);
os_free(data->id_peer);
os_free(data->id_server);
- os_free(data->password);
+ bin_clear_free(data->password, data->password_len);
if (data->grp) {
EC_GROUP_free(data->grp->group);
EC_POINT_free(data->grp->pwe);
@@ -154,7 +154,7 @@ static void eap_pwd_reset(struct eap_sm *sm, void *priv)
}
wpabuf_free(data->inbuf);
wpabuf_free(data->outbuf);
- os_free(data);
+ bin_clear_free(data, sizeof(*data));
}
diff --git a/src/eap_server/eap_server_sake.c b/src/eap_server/eap_server_sake.c
index b363ccf..1937621 100644
--- a/src/eap_server/eap_server_sake.c
+++ b/src/eap_server/eap_server_sake.c
@@ -83,7 +83,7 @@ static void eap_sake_reset(struct eap_sm *sm, void *priv)
{
struct eap_sake_data *data = priv;
os_free(data->peerid);
- os_free(data);
+ bin_clear_free(data, sizeof(*data));
}
diff --git a/src/eap_server/eap_server_sim.c b/src/eap_server/eap_server_sim.c
index cd87a8b..23ee2b6 100644
--- a/src/eap_server/eap_server_sim.c
+++ b/src/eap_server/eap_server_sim.c
@@ -94,7 +94,7 @@ static void eap_sim_reset(struct eap_sm *sm, void *priv)
struct eap_sim_data *data = priv;
os_free(data->next_pseudonym);
os_free(data->next_reauth_id);
- os_free(data);
+ bin_clear_free(data, sizeof(*data));
}
diff --git a/src/eap_server/eap_server_ttls.c b/src/eap_server/eap_server_ttls.c
index 401e983..31e3871 100644
--- a/src/eap_server/eap_server_ttls.c
+++ b/src/eap_server/eap_server_ttls.c
@@ -336,7 +336,7 @@ static void eap_ttls_reset(struct eap_sm *sm, void *priv)
data->phase2_method->reset(sm, data->phase2_priv);
eap_server_tls_ssl_deinit(sm, &data->ssl);
wpabuf_free(data->pending_phase2_eap_resp);
- os_free(data);
+ bin_clear_free(data, sizeof(*data));
}