aboutsummaryrefslogtreecommitdiffstatshomepage
path: root/src
diff options
context:
space:
mode:
authoronefang2020-03-21 01:47:42 +1000
committeronefang2020-03-21 01:47:42 +1000
commit7985f46b941cc0a865918ce61f45f00562e4378c (patch)
treefc655a06bcc94f29b5d665b06d357ef7bf156d38 /src
parentIt's actually qLibc. (diff)
downloadopensim-SC-7985f46b941cc0a865918ce61f45f00562e4378c.zip
opensim-SC-7985f46b941cc0a865918ce61f45f00562e4378c.tar.gz
opensim-SC-7985f46b941cc0a865918ce61f45f00562e4378c.tar.bz2
opensim-SC-7985f46b941cc0a865918ce61f45f00562e4378c.tar.xz
Better sucure memory wipe.
Diffstat (limited to 'src')
-rw-r--r--src/sledjchisl/sledjchisl.c15
1 files changed, 4 insertions, 11 deletions
diff --git a/src/sledjchisl/sledjchisl.c b/src/sledjchisl/sledjchisl.c
index aa5c78e..da52365 100644
--- a/src/sledjchisl/sledjchisl.c
+++ b/src/sledjchisl/sledjchisl.c
@@ -60,6 +60,7 @@ extern char **environ;
60#include <qlibc.h> 60#include <qlibc.h>
61#include <extensions/qconfig.h> 61#include <extensions/qconfig.h>
62 62
63#include <openssl/crypto.h>
63#include <openssl/evp.h> 64#include <openssl/evp.h>
64#include "openssl/hmac.h" 65#include "openssl/hmac.h"
65#include <uuid/uuid.h> 66#include <uuid/uuid.h>
@@ -3947,17 +3948,9 @@ static int validatePassword(reqData *Rd, qhashtbl_t *data, char *name)
3947 } 3948 }
3948 } 3949 }
3949 3950
3950// TODO - try to fix this, then make it portable (Windows has some other function name), then spread it through the rest of the code where needed. 3951// TODO - try to find code for dealing with security enclaves, encrypted memory, and such.
3951// And try to find code for dealing with security enclaves, encrypted memory, and such. 3952// NOTE - these get filtered through what ever web server is being used, and might leak there.
3952// NOTE - thes get giltered through what ever web server is being used, and might leak there. 3953 OPENSSL_cleanse(password, strlen(password));
3953 // explicit_bzero() is the magic to properly wipe things, and it exists, but the damn thing manages to hide itself.
3954 // So gotta make sure it's actually used, to avoid the compiler optimizing bzero() away.
3955// explicit_bzero(password, strlen(password));
3956 bzero(password, strlen(password));
3957 if (login)
3958 D("User logged in%s.", password);
3959 else
3960 D("Account created%s.", password);
3961 3954
3962 badBoy(ret, Rd, data, "auth.passwordSalt", NULL); 3955 badBoy(ret, Rd, data, "auth.passwordSalt", NULL);
3963 3956