diff --git a/iked/config.c b/iked/config.c
index f52a1bfc..c06232a7 100644
--- a/iked/config.c
+++ b/iked/config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: config.c,v 1.81 2021/09/18 16:45:07 deraadt Exp $ */
+/* $OpenBSD: config.c,v 1.82 2021/10/12 09:27:21 tobhe Exp $ */
 /*
 * Copyright (c) 2019-2021 Tobias Heider
@@ -692,16 +692,18 @@ int
 config_getuser(struct iked *env, struct imsg *imsg)
 {
 struct iked_user usr;
+ int ret = -1;
 IMSG_SIZE_CHECK(imsg, &usr);
 memcpy(&usr, imsg->data, sizeof(usr));
- if (config_new_user(env, &usr) == NULL)
- return (-1);
-
- print_user(&usr);
+ if (config_new_user(env, &usr) != NULL) {
+ print_user(&usr);
+ ret = 0;
+ }
- return (0);
+ explicit_bzero(&usr, sizeof(usr));
+ return (ret);
 }
 int
diff --git a/iked/ikev2.c b/iked/ikev2.c
index bfafc877..ec6c6e22 100644
--- a/iked/ikev2.c
+++ b/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.327 2021/09/07 14:09:04 tobhe Exp $ */
+/* $OpenBSD: ikev2.c,v 1.328 2021/10/12 09:27:21 tobhe Exp $ */
 /*
 * Copyright (c) 2019 Tobias Heider
@@ -3626,7 +3626,7 @@ ikev2_resp_ike_eap_mschap(struct iked *env, struct iked_sa *sa,
 sizeof(ntresponse)) != 0) {
 log_info("%s: '%s' authentication failed",
 SPI_SA(sa, __func__), usr->usr_name);
- free(pass);
+ freezero(pass, passlen);
 /* XXX should we send an EAP failure packet? */
 return (-1);
@@ -3640,12 +3640,12 @@ ikev2_resp_ike_eap_mschap(struct iked *env, struct iked_sa *sa,
 successmsg);
 if ((sa->sa_eapmsk = ibuf_new(NULL, MSCHAP_MSK_SZ)) == NULL) {
 log_info("%s: failed to get MSK", SPI_SA(sa, __func__));
- free(pass);
+ freezero(pass, passlen);
 return (-1);
 }
 mschap_msk(pass, passlen, ntresponse, ibuf_data(sa->sa_eapmsk));
- free(pass);
+ freezero(pass, passlen);
 log_info("%s: '%s' authenticated", __func__, usr->usr_name);
diff --git a/iked/parse.y b/iked/parse.y
index 26b39006..1e368de3 100644
--- a/iked/parse.y
+++ b/iked/parse.y
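Review bot: The new `explicit_bzero(&usr, sizeof(usr))` in config_getuser scrubs only the stack copy; the `memcpy(&usr, imsg->data, sizeof(usr))` a few lines above leaves a second plaintext copy of the user record (including its password field) in the imsg payload, and nothing in this hunk clears it. Unless the caller or the imsg release path is known to zero payloads, that copy outlives the function until the allocator reuses the memory, so `explicit_bzero(imsg->data, sizeof(usr));` directly after the memcpy would close the gap — assuming IMSG_SIZE_CHECK guarantees the payload is at least sizeof(usr) bytes, which should be confirmed. Whether config_new_user retains its own copy of the password is not visible here; if it does, that copy needs the same treatment when the user entry is released.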
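Review bot: `ntresponse`, visible through `sizeof(ntresponse)` on the first context line of the @@ -3626 hunk and passed to `mschap_msk` in the @@ -3640 hunk, looks like a local buffer derived from the same password that the three new `freezero(pass, passlen)` calls now scrub, yet it is left on the stack on both the failure return and the success path. If it (and any password-hash intermediate computed before the hunk) is local key material, an `explicit_bzero(ntresponse, sizeof(ntresponse));` next to each freezero, or in one shared cleanup path, would complete what this commit sets out to do. ikev2_resp_ike_eap_mschap begins and ends outside these hunks, so any earlier `free(pass)` exit in the same function should be checked for the same conversion.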
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.132 2021/09/18 16:45:52 deraadt Exp $ */
+/* $OpenBSD: parse.y,v 1.133 2021/10/12 09:27:21 tobhe Exp $ */
 /*
 * Copyright (c) 2019-2021 Tobias Heider
@@ -560,7 +560,7 @@ user : USER STRING STRING {
 if (create_user($2, $3) == -1)
 YYERROR;
 free($2);
- free($3);
+ freezero($3, strlen($3));
 }
 ;
@@ -3108,6 +3108,8 @@ create_user(const char *user, const char *pass)
 config_setuser(env, &usr, PROC_IKEV2);
 rules++;
+
+ explicit_bzero(&usr, sizeof usr);
 return (0);
 }
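Review bot: The new `freezero($3, strlen($3))` in the `user` rule is skipped when `create_user($2, $3) == -1` triggers `YYERROR` two lines earlier, so on a rejected user statement the password string (and `$2`) is neither freed nor scrubbed — the very case this commit is trying to close. Releasing both strings before deciding to abort keeps the action correct on either path; this presumes no `%destructor` already reclaims these values, which the hunk does not show.
```c
user		: USER STRING STRING		{
			int	 rv;

			rv = create_user($2, $3);
			free($2);
			freezero($3, strlen($3));
			if (rv == -1)
				YYERROR;
		}
```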
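Review bot: The new `explicit_bzero(&usr, sizeof usr)` in create_user runs only on the success path; the function starts before this hunk, and if any of its earlier `return (-1)` exits occur after `usr` has been populated from `pass` (an over-long name or password would be the usual case), those returns need the same scrub — or a single cleanup label that both paths fall through to. A minor style point: config.c in this same commit writes `sizeof(usr)`; picking one form keeps the two new call sites consistent.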