You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@thrift.apache.org by "Claudius Heine (JIRA)" <ji...@apache.org> on 2015/07/07 11:48:06 UTC

[jira] [Comment Edited] (THRIFT-1844) Password string not cleared

    [ https://issues.apache.org/jira/browse/THRIFT-1844?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14616438#comment-14616438 ] 

Claudius Heine edited comment on THRIFT-1844 at 7/7/15 9:47 AM:
----------------------------------------------------------------

I added a patch using {{std::string::assign}} to clear the string after it was passed to openssl.


was (Author: cmhe):
A patch using {{std::string::assign}} to clear the string after it was passed to openssl.

> Password string not cleared
> ---------------------------
>
>                 Key: THRIFT-1844
>                 URL: https://issues.apache.org/jira/browse/THRIFT-1844
>             Project: Thrift
>          Issue Type: Bug
>          Components: C++ - Library
>    Affects Versions: 0.9
>         Environment: SSL connection with authentication
>            Reporter: Alexis Wilke
>         Attachments: 0001-THRIFT-1844-Overwrite-password-string-after-passing-.patch
>
>
> The function handling the SSL password receives a memory copy of the password which is then passed down to the OpenSSL library. The intermediate buffer used to get the password is not cleared one used up.
> This is a (rather low) security issue in case a memory scraper was used. The buffer should be cleared once not necessary anymore.
> The current function (in 0.9.0) looks like this:
> {noformat}
> int TSSLSocketFactory::passwordCallback(char* password,
>                                         int size,
>                                         int,
>                                         void* data) {
>   TSSLSocketFactory* factory = (TSSLSocketFactory*)data;
>   string userPassword;
>   factory->getPassword(userPassword, size);
>   int length = userPassword.size();
>   if (length > size) {
>     length = size;
>   }
>   strncpy(password, userPassword.c_str(), length);
>   return length;
> }
> {noformat}
> After the strncpy() I would suggest something like this:
> {noformat}
> for(int i(userPassword.size()); i >= 0; --i) {
>   userPassword[i] = '*';
> }
> {noformat}
> Note that we cannot use the variable size because it gets modified and thus does not represent the whole password size at that point.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)