This covers more of the CVE-2018-20319 "passwords found in memory" issue.
Reported-by: Tom Wilson <twilson@nettitude.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
return 0;
}
+void free_pass(char **p)
+{
+ if (!*p)
+ return;
+
+#if defined(HAVE_MEMSET_S)
+ memset_s(*p, 0x5a, strlen(*p));
+#elif defined(HAVE_EXPLICIT_MEMSET)
+ explicit_memset(*p, 0x5a, strlen(*p));
+#elif defined(HAVE_EXPLICIT_BZERO)
+ explicit_bzero(*p, strlen(*p));
+#elif defined(_WIN32)
+ SecureZeroMemory(*p, strlen(*p));
+#else
+ {
+ volatile char *pp = (volatile char *)*p;
+ while (*pp)
+ *(pp++) = 0x5a;
+ }
+#endif
+ free(*p);
+ *p = NULL;
+}
+
void free_opt(struct oc_form_opt *opt)
{
/* for SELECT options, opt->value is a pointer to oc_choice->name */
- if (opt->type != OC_FORM_OPT_SELECT)
- free(opt->_value);
- else {
+ if (opt->type != OC_FORM_OPT_SELECT) {
+ free_pass(&opt->_value);
+ } else {
struct oc_form_opt_select *sel = (void *)opt;
int i;
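Review bot: The `memset_s()` call in the HAVE_MEMSET_S branch passes three arguments, but the C11 Annex K prototype is `errno_t memset_s(void *s, rsize_t smax, int c, rsize_t n)`, so on a platform where configure detects the function this either fails to compile or, if the prototype is not visible, is called with 0x5a as the size bound and the length as the fill byte; it should read `memset_s(*p, strlen(*p), 0x5a, strlen(*p));`. Every branch clears `strlen(*p)` bytes, which covers exactly the NUL-terminated content; a short comment that bytes beyond the first NUL in the allocation are deliberately left untouched would make that scope explicit for anyone later reusing the helper on non-string buffers. The fallback loop stops at the terminator and leaves it in place, which is consistent with the library branches. free_opt's body continues outside the hunk.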
AC_DEFINE_UNQUOTED(DEFAULT_VPNCSCRIPT, "${with_vpnc_script}", [Default vpnc-script locatin])
AC_SUBST(DEFAULT_VPNCSCRIPT, "${with_vpnc_script}")
+AC_CHECK_FUNC(memset_s,
+ [AC_DEFINE(HAVE_MEMSET_S, 1, [Have memset_s() function])],
+ [AC_CHECK_FUNC(explicit_memset,
+ [AC_DEFINE(HAVE_EXPLICIT_MEMSET, 1, [Have explicit_memset() function])],
+ [AC_CHECK_FUNC(explicit_bzero,
+ [AC_DEFINE(HAVE_EXPLICIT_BZERO, 1, [Have explicit_bzero() function])],
+ [])
+ ])
+ ])
+
AC_CHECK_FUNC(fdevname_r, [AC_DEFINE(HAVE_FDEVNAME_R, 1, [Have fdevname_r() function])], [])
AC_CHECK_FUNC(statfs, [AC_DEFINE(HAVE_STATFS, 1, [Have statfs() function])], [])
AC_CHECK_FUNC(getline, [AC_DEFINE(HAVE_GETLINE, 1, [Have getline() function])],
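Review bot: `AC_CHECK_FUNC(memset_s, ...)` only proves the symbol links; on implementations that follow C11 Annex K the prototype in `<string.h>` is exposed only when `__STDC_WANT_LIB_EXT1__` is defined before the include, so this check can set HAVE_MEMSET_S while the call site compiles without a declaration. A link test built with `AC_LINK_IFELSE` that includes `<string.h>` after defining that macro, or an `AC_CHECK_DECL` with the same preamble, would tie the define to a usable prototype; the translation unit calling `memset_s()` would then need the same `#define` before its includes. The nested fallback order (memset_s, explicit_memset, explicit_bzero) matches the `#if` chain at the call site, which is worth a one-line comment here so the two stay in sync.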
unsigned int parent;
};
-static void free_pass(char **p)
-{
- if (!*p)
- return;
-
- memset(*p, 0x5a, strlen(*p));
- free(*p);
-}
-
static void tpm2_error(struct openconnect_info *vpninfo, TPM_RC rc, const char *reason)
{
const char *msg = NULL, *submsg = NULL, *num = NULL;
int append_opt(struct oc_text_buf *body, const char *opt, const char *name);
int append_form_opts(struct openconnect_info *vpninfo,
struct oc_auth_form *form, struct oc_text_buf *body);
+void free_pass(char **p);
void free_opt(struct oc_form_opt *opt);
void free_auth_form(struct oc_auth_form *form);
int do_gen_tokencode(struct openconnect_info *vpninfo,
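Review bot: The new `free_pass()` prototype carries no contract comment although it is now shared across files; a line such as `/* Overwrite the string at *p before freeing it and set *p to NULL; no-op when *p is NULL. */` above the declaration would tell callers that the function takes ownership and is safe to call twice. Since `free_opt()` routes every non-SELECT form value through it, not only passwords, the comment should also say that the clearing applies to any NUL-terminated string, so callers do not assume it is password-specific.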
<ul>
<li><b>OpenConnect HEAD</b>
<ul>
+ <li>Clear form submissions (which may include passwords) before freeing (CVE-2018-20319).</li>
<li>Allow form responses to be provided on command line.</li>
<li>Add support for SSL keys stored in <a href="tpm.html">TPM2</a>.</li>
<li>Fix ESP rekey when replay protection is disabled.</li>