oemcommands: Clear security sensitive data
As password is sensitive data Clear after use.
Tested:
Verified using cmdtool utility command
//Set special UserPassword
Command: cmdtool.efi 20 c0 5f 0 30 70 65 6e 42 6d 63 31
Response: 00 //Success
Signed-off-by: Jayaprakash Mutyala <mutyalax.jayaprakash@intel.com>
Change-Id: Iad64f7baf176b2ecfd34ecf5e1d4012ffa9db396
diff --git a/src/oemcommands.cpp b/src/oemcommands.cpp
index bf23241..dee6255 100644
--- a/src/oemcommands.cpp
+++ b/src/oemcommands.cpp
@@ -18,6 +18,7 @@
#include "xyz/openbmc_project/Common/error.hpp"
#include "xyz/openbmc_project/Led/Physical/server.hpp"
+#include <openssl/crypto.h>
#include <systemd/sd-journal.h>
#include <appcommands.hpp>
@@ -1116,6 +1117,8 @@
{
phosphor::logging::log<phosphor::logging::level::INFO>(
"ipmiOEMSetUser2Activation: user created successfully ");
+ OPENSSL_cleanse(userPassword.data(), userPassword.size());
+
return ipmi::responseSuccess();
}
}
@@ -1124,6 +1127,7 @@
ipmiUserSetUserName(ipmiDefaultUserId, static_cast<std::string>(""));
phosphor::logging::log<phosphor::logging::level::ERR>(
"ipmiOEMSetUser2Activation: password / priv setting is failed.");
+ OPENSSL_cleanse(userPassword.data(), userPassword.size());
}
else
{
@@ -1213,10 +1217,13 @@
if (userPassword.size() < minPasswordSizeRequired ||
userPassword.size() > ipmi::maxIpmi20PasswordSize)
{
+ OPENSSL_cleanse(userPassword.data(), userPassword.size());
return ipmi::responseReqDataLenInvalid();
}
passwd.assign(reinterpret_cast<const char*>(userPassword.data()),
userPassword.size());
+ // Clear sensitive data
+ OPENSSL_cleanse(userPassword.data(), userPassword.size());
if (specialUserIndex ==
static_cast<uint8_t>(SpecialUserIndex::atScaleDebugUser))
{
@@ -1228,6 +1235,9 @@
{
status = ipmiSetSpecialUserPassword("root", passwd);
}
+ // Clear sensitive data
+ OPENSSL_cleanse(&passwd, passwd.length());
+
return ipmi::response(status);
}
else