HS 2.0 R2: Clear hs20-osu-client configuration keys explicitly
authorJouni Malinen <j@w1.fi>
Tue, 1 Jul 2014 22:43:33 +0000 (01:43 +0300)
committerJouni Malinen <j@w1.fi>
Wed, 2 Jul 2014 09:38:48 +0000 (12:38 +0300)
Use an explicit memset call to clear any hs20-osu-client configuration
parameter that contains private information like keys or identity. This
brings in an additional layer of protection by reducing the length of
time this type of private data is kept in memory.

Signed-off-by: Jouni Malinen <j@w1.fi>
hs20/client/osu_client.c
src/utils/http_curl.c

index ea269ab9fadb62d9aaaf41ed250d0260225bdc77..a439bdeb125a4467b993773cd40087153c918de0 100644 (file)
@@ -2495,7 +2495,7 @@ static void cmd_sub_rem(struct hs20_osu_client *ctx, const char *address,
 
        xml_node_get_text_free(ctx->xml, sub_rem_uri);
        xml_node_get_text_free(ctx->xml, cred_username);
-       os_free(cred_password);
+       str_clear_free(cred_password);
        xml_node_free(ctx->xml, pps);
 }
 
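Review bot: `cred_username`, on the line just above the changed one, is still released through `xml_node_get_text_free()` without being wiped, although the commit message lists identity among the private data to clear. Whether that helper zeroes the buffer is not visible in this diff; if it does not, clearing first would match the password handling, e.g. `if (cred_username) os_memset(cred_username, 0, os_strlen(cred_username));` ahead of the free. The cmd_pol_upd hunk has the same pattern. cmd_sub_rem's body starts outside the hunk, so earlier exit paths could not be checked for the same treatment.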
@@ -2642,7 +2642,7 @@ static int cmd_pol_upd(struct hs20_osu_client *ctx, const char *address,
 
        xml_node_get_text_free(ctx->xml, uri);
        xml_node_get_text_free(ctx->xml, cred_username);
-       os_free(cred_password);
+       str_clear_free(cred_password);
        xml_node_free(ctx->xml, pps);
 
        return 0;
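Review bot: The wipe behind `str_clear_free(cred_password);` is only as strong as the helper, which is defined outside this diff. A plain memset immediately followed by a free is a dead store that an optimising compiler is allowed to drop. It is worth confirming that the helper zeroes through something the compiler cannot elide (for example `explicit_bzero()` or `memset_s()` where available, or a volatile-qualified write) and saying so in a comment on the helper. This applies to every `str_clear_free()` call the commit introduces, not only this one.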
index 07d9af087d2743aaa2e432d186049be0b40ea29d..eb79b862d06b40a2cb52f56bf13a450a9a0bef18 100644 (file)
@@ -1368,8 +1368,8 @@ int soap_reinit_client(struct http_ctx *ctx)
                               client_cert, client_key);
        os_free(address);
        os_free(ca_fname);
-       os_free(username);
-       os_free(password);
+       str_clear_free(username);
+       str_clear_free(password);
        os_free(client_cert);
        os_free(client_key);
        return ret;
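Review bot: `client_key` and `client_cert` still go through plain `os_free()` right after the newly wiped `username` and `password`. If they hold file names, a one-line comment such as `/* client_cert/client_key are file names, not key material */` would settle the question for the next reader. If they can carry key material or a private-key passphrase, `str_clear_free(client_key);` would be the consistent choice. The same applies to `ctx->svc_client_key` in the http_deinit_ctx hunk. soap_reinit_client's body starts outside the hunk.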
@@ -1487,8 +1487,8 @@ void http_deinit_ctx(struct http_ctx *ctx)
 
        os_free(ctx->svc_address);
        os_free(ctx->svc_ca_fname);
-       os_free(ctx->svc_username);
-       os_free(ctx->svc_password);
+       str_clear_free(ctx->svc_username);
+       str_clear_free(ctx->svc_password);
        os_free(ctx->svc_client_cert);
        os_free(ctx->svc_client_key);