authorFlorent Daigniere <nextgens@freenetproject.org>2014-06-27 09:58:10 (GMT)
committerJouni Malinen <j@w1.fi>2014-07-24 16:28:39 (GMT)
commit3248071dc3165719a087b401f12fef732b0c4e64 (patch)
tree91551b58654cff3af642ac821e01e362bcd52db6 /src/eap_server
parenta5257a7a27102babec81b31b07941ec60b41af72 (diff)
OpenSSL: Use BN_clear_free instead of BN_free
This changes OpenSSL calls to explicitly clear the bignum memory allocations when freeing them. This adds an extra layer of security by avoiding leaving potentially private keys in local memory after they are not needed anymore. While some of these variables are not really private (e.g., they are sent in clear anyway), the extra cost of clearing them is not significant and it is simpler to just clear these explicitly rather than review each possible code path to confirm where this does not help. Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
Diffstat (limited to 'src/eap_server')
-rw-r--r--src/eap_server/eap_server_pwd.c32
1 files changed, 16 insertions, 16 deletions
diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
index 9154ab1..e86d3b1 100644
--- a/src/eap_server/eap_server_pwd.c
+++ b/src/eap_server/eap_server_pwd.c
@@ -135,10 +135,10 @@ static void eap_pwd_reset(struct eap_sm *sm, void *priv)
{
struct eap_pwd_data *data = priv;
- BN_free(data->private_value);
- BN_free(data->peer_scalar);
- BN_free(data->my_scalar);
- BN_free(data->k);
+ BN_clear_free(data->private_value);
+ BN_clear_free(data->peer_scalar);
+ BN_clear_free(data->my_scalar);
+ BN_clear_free(data->k);
BN_CTX_free(data->bnctx);
EC_POINT_free(data->my_element);
EC_POINT_free(data->peer_element);
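Review bot: The `EC_POINT_free()` calls next to the converted lines are left unchanged, so point coordinates stay in freed memory while the neighbouring bignums are now cleared. `my_element` and `peer_element` here are probably public, but the same call releases `data->grp->pwe` in the next hunk and `K` in the eap_pwd_process_commit_resp hunk, which by their names look like the password-derived element and the shared-secret point. Following the commit's own reasoning, these could become `EC_POINT_clear_free(data->grp->pwe);` and `EC_POINT_clear_free(K);`, and likewise for the remaining points. The body of eap_pwd_reset continues past this hunk.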
@@ -148,8 +148,8 @@ static void eap_pwd_reset(struct eap_sm *sm, void *priv)
if (data->grp) {
EC_GROUP_free(data->grp->group);
EC_POINT_free(data->grp->pwe);
- BN_free(data->grp->order);
- BN_free(data->grp->prime);
+ BN_clear_free(data->grp->order);
+ BN_clear_free(data->grp->prime);
os_free(data->grp);
}
wpabuf_free(data->inbuf);
@@ -230,7 +230,7 @@ static void eap_pwd_build_commit_req(struct eap_sm *sm,
"fail");
goto fin;
}
- BN_free(mask);
+ BN_clear_free(mask);
if (((x = BN_new()) == NULL) ||
((y = BN_new()) == NULL)) {
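Review bot: The `goto fin` just above `BN_clear_free(mask);` bypasses it, and the `fin:` block shown in the following hunk releases only `scalar`, `element`, `x` and `y`. If `mask` is already allocated when that failure branch is taken (its allocation is outside the hunk), it is neither cleared nor freed on that path. Moving the call into the cleanup block, `BN_clear_free(mask);` right after `fin:`, would cover every exit, provided `mask` is initialised to NULL at its declaration. eap_pwd_build_commit_req starts before and ends after this hunk.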
@@ -282,8 +282,8 @@ static void eap_pwd_build_commit_req(struct eap_sm *sm,
fin:
os_free(scalar);
os_free(element);
- BN_free(x);
- BN_free(y);
+ BN_clear_free(x);
+ BN_clear_free(y);
if (data->outbuf == NULL)
eap_pwd_state(data, FAILURE);
}
@@ -407,8 +407,8 @@ static void eap_pwd_build_confirm_req(struct eap_sm *sm,
fin:
os_free(cruft);
- BN_free(x);
- BN_free(y);
+ BN_clear_free(x);
+ BN_clear_free(y);
if (data->outbuf == NULL)
eap_pwd_state(data, FAILURE);
}
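Review bot: `os_free(cruft);` at `fin:` releases the scratch buffer without wiping it, while `x` and `y` beside it are now cleared; the same applies to the `fin:` block in the eap_pwd_process_confirm_resp hunk. The code that fills `cruft` is outside both hunks, so this is an assumption to confirm: if the buffer ever holds a serialized copy of `data->k` or another secret, that copy outlives the cleared bignum. In that case the buffer should be zeroed over its allocated length, with a clear that the compiler cannot optimise away, before `os_free()`. A short comment at the `fin:` label saying which temporaries are considered secret would also help later reviewers.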
@@ -726,9 +726,9 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
fin:
EC_POINT_free(K);
EC_POINT_free(point);
- BN_free(cofactor);
- BN_free(x);
- BN_free(y);
+ BN_clear_free(cofactor);
+ BN_clear_free(x);
+ BN_clear_free(y);
if (res)
eap_pwd_state(data, PWD_Confirm_Req);
@@ -852,8 +852,8 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data,
fin:
os_free(cruft);
- BN_free(x);
- BN_free(y);
+ BN_clear_free(x);
+ BN_clear_free(y);
}