commit 70bd0635acd98d409577e6faee774970118053f2
author Jayaprakash Mutyala <mutyalax.jayaprakash@intel.com> Fri Oct 23 06:24:55 2020 +0000
committer Vernon Mauery <vernon.mauery@linux.intel.com> Fri Jan 15 23:53:06 2021 +0000
tree 298c66f30bc81e3e3d9b3a323388951c56b3c5fa
parent 0213f901e3845c3b8a8e17c5d0402646b1f43cc8

Clear security sensitive data

As password is sensitive data Clear after use.

Tested:
Verified using ipmitool commands
Command: ipmitool user set password 5 asdf1234 //Set user password
Response: Set User Password command successful (user 5)
Command: ipmitool raw 6 0x47 5 2 0x30 0x70 0x65 0x6e 0x42 0x6d 0x63
         0x31 0 0 0 0 0 0 0 0   //set user password - set password
Response:                //Success
Command: ipmitool raw 6 0x47 5 3 0x30 0x70 0x65 0x6e 0x42 0x6d 0x63
         0x31 0 0 0 0 0 0 0 0  //set user password - test password
Response:                //Success

Signed-off-by: Jayaprakash Mutyala <mutyalax.jayaprakash@intel.com>
Change-Id: I06196233ac5468534bd10fd34f99f7d35fd7b971

user_channel/channel_layer.hpp

diff --git a/user_channel/channel_layer.hpp b/user_channel/channel_layer.hpp
index bddd6b5..42e5b5e 100644
--- a/user_channel/channel_layer.hpp
+++ b/user_channel/channel_layer.hpp
@@ -14,6 +14,8 @@
 // limitations under the License.
 */
 #pragma once
+#include <openssl/crypto.h>
+
 #include <array>
 #include <ipmid/api.hpp>
 #include <string>

user_channel/passwd_mgr.cpp

diff --git a/user_channel/passwd_mgr.cpp b/user_channel/passwd_mgr.cpp
index b2d32e8..63a226e 100644
--- a/user_channel/passwd_mgr.cpp
+++ b/user_channel/passwd_mgr.cpp
@@ -260,6 +260,8 @@
 
     // Update the timestamp
     fileLastUpdatedTime = getUpdatedFileTime();
+    // Clear sensitive data
+    OPENSSL_cleanse(dataBuf.data(), dataBuf.size());
     return;
 }
 

user_channel/user_mgmt.cpp

diff --git a/user_channel/user_mgmt.cpp b/user_channel/user_mgmt.cpp
index e1e21c9..04eb2f9 100644
--- a/user_channel/user_mgmt.cpp
+++ b/user_channel/user_mgmt.cpp
@@ -737,6 +737,8 @@
                   maxIpmi20PasswordSize);
 
     int retval = pamUpdatePasswd(userName.c_str(), passwd.c_str());
+    // Clear sensitive data
+    OPENSSL_cleanse(&passwd, passwd.length());
 
     switch (retval)
     {

user_channel/usercommands.cpp

diff --git a/user_channel/usercommands.cpp b/user_channel/usercommands.cpp
index bda4027..622857c 100644
--- a/user_channel/usercommands.cpp
+++ b/user_channel/usercommands.cpp
@@ -413,9 +413,17 @@
         {
             log<level::DEBUG>("Test password failed",
                               entry("USER-ID=%d", (uint8_t)req->userId));
+            // Clear sensitive data
+            OPENSSL_cleanse(&testPassword, testPassword.length());
+            OPENSSL_cleanse(&password, password.length());
+
             return static_cast<Cc>(
                 IPMISetPasswordReturnCodes::ipmiCCPasswdFailMismatch);
         }
+        // Clear sensitive data
+        OPENSSL_cleanse(&testPassword, testPassword.length());
+        OPENSSL_cleanse(&password, password.length());
+
         return ccSuccess;
     }
     return ccInvalidFieldRequest;