Author: jhb Date: Thu Jun 25 20:31:06 2020 New Revision: 362632 URL: https://svnweb.freebsd.org/changeset/base/362632
Log: Use zfree() to explicitly zero IPsec keys. Reviewed by: delphij Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D25442 Modified: head/sys/netipsec/key.c head/sys/netipsec/xform_ah.c head/sys/netipsec/xform_esp.c head/sys/netipsec/xform_tcp.c Modified: head/sys/netipsec/key.c ============================================================================== --- head/sys/netipsec/key.c Thu Jun 25 20:30:30 2020 (r362631) +++ head/sys/netipsec/key.c Thu Jun 25 20:31:06 2020 (r362632) @@ -3060,27 +3060,19 @@ key_cleansav(struct secasvar *sav) if (sav->flags & SADB_X_EXT_F_CLONED) return; /* - * Cleanup xform state. Note that zeroize'ing causes the - * keys to be cleared; otherwise we must do it ourself. + * Cleanup xform state. */ if (sav->tdb_xform != NULL) { sav->tdb_xform->xf_zeroize(sav); sav->tdb_xform = NULL; - } else { - if (sav->key_auth != NULL) - bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth)); - if (sav->key_enc != NULL) - bzero(sav->key_enc->key_data, _KEYLEN(sav->key_enc)); } if (sav->key_auth != NULL) { - if (sav->key_auth->key_data != NULL) - free(sav->key_auth->key_data, M_IPSEC_MISC); + zfree(sav->key_auth->key_data, M_IPSEC_MISC); free(sav->key_auth, M_IPSEC_MISC); sav->key_auth = NULL; } if (sav->key_enc != NULL) { - if (sav->key_enc->key_data != NULL) - free(sav->key_enc->key_data, M_IPSEC_MISC); + zfree(sav->key_enc->key_data, M_IPSEC_MISC); free(sav->key_enc, M_IPSEC_MISC); sav->key_enc = NULL; } Modified: head/sys/netipsec/xform_ah.c ============================================================================== --- head/sys/netipsec/xform_ah.c Thu Jun 25 20:30:30 2020 (r362631) +++ head/sys/netipsec/xform_ah.c Thu Jun 25 20:31:06 2020 (r362632) @@ -250,9 +250,6 @@ int ah_zeroize(struct secasvar *sav) { - if (sav->key_auth) - bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth)); - crypto_freesession(sav->tdb_cryptoid); sav->tdb_cryptoid = NULL; sav->tdb_authalgxform = NULL; Modified: head/sys/netipsec/xform_esp.c ============================================================================== --- head/sys/netipsec/xform_esp.c Thu Jun 25 20:30:30 2020 (r362631) +++ head/sys/netipsec/xform_esp.c Thu Jun 25 20:31:06 2020 (r362632) @@ -243,11 +243,9 @@ esp_init(struct secasvar *sav, struct xformsw *xsp) static int esp_zeroize(struct secasvar *sav) { - /* NB: ah_zerorize free's the crypto session state */ + /* NB: ah_zeroize free's the crypto session state */ int error = ah_zeroize(sav); - if (sav->key_enc) - bzero(sav->key_enc->key_data, _KEYLEN(sav->key_enc)); sav->tdb_encalgxform = NULL; sav->tdb_xform = NULL; return error; Modified: head/sys/netipsec/xform_tcp.c ============================================================================== --- head/sys/netipsec/xform_tcp.c Thu Jun 25 20:30:30 2020 (r362631) +++ head/sys/netipsec/xform_tcp.c Thu Jun 25 20:31:06 2020 (r362632) @@ -365,8 +365,6 @@ static int tcpsignature_zeroize(struct secasvar *sav) { - if (sav->key_auth != NULL) - bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth)); sav->tdb_xform = NULL; return (0); } _______________________________________________ [email protected] mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "[email protected]"
