On Wed, Aug 30, 2017 at 08:49:20PM -0500, Scott Cheloha wrote:
> Hi,
>
> In the one-time password case we want to wipe the hash itself
> before exit, right?
Yes, clearing s1 there makes no sense anymore, it was already zeroed out further up. ok tb > > This must have slipped through when tedu@ patiently rewrote > and committed my botched patch a little while back. > > -- > Scott Cheloha > > P.S. I didn't botch it this time, right? > > Index: usr.bin/lock/lock.c > =================================================================== > RCS file: /cvs/src/usr.bin/lock/lock.c,v > retrieving revision 1.40 > diff -u -p -r1.40 lock.c > --- usr.bin/lock/lock.c 8 Jul 2017 22:27:17 -0000 1.40 > +++ usr.bin/lock/lock.c 31 Aug 2017 01:41:09 -0000 > @@ -211,7 +211,7 @@ main(int argc, char *argv[]) > } > } else if (crypt_checkpass(s, hash) == 0) { > explicit_bzero(s, sizeof(s)); > - explicit_bzero(s1, sizeof(s1)); > + explicit_bzero(hash, sizeof(hash)); > break; > } > putc('\a', stderr); >
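Review bot: on the added `explicit_bzero(hash, sizeof(hash));` line, `sizeof(hash)` clears the full buffer only if `hash` is declared as an array in `main()`. The declaration is outside this hunk, so confirm it is not a `char *`, in which case only a pointer's worth of bytes would be wiped. The wipe also sits solely on the `crypt_checkpass(s, hash) == 0` branch just before `break`, so check that any other exit path reachable in the one-time password case, none of which is visible here, clears `hash` as well.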