Use explicit_memset to surely zero-clear key_auth and key_enc
parent
106425b701
commit
27c8ae80b9
@ -1,4 +1,4 @@
/* $NetBSD: xform_ah.c,v 1.57 2017/07/07 01:37:34 ozaki-r Exp $ */
/* $NetBSD: xform_ah.c,v 1.58 2017/07/10 07:17:12 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
/*
@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.57 2017/07/07 01:37:34 ozaki-r Exp $");
__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.58 2017/07/10 07:17:12 ozaki-r Exp $");
#if defined(_KERNEL_OPT)
#include "opt_inet.h"
@ -249,8 +249,10 @@ ah_zeroize(struct secasvar *sav)
{
int err;
if (sav->key_auth)
memset(_KEYBUF(sav->key_auth), 0, _KEYLEN(sav->key_auth));
if (sav->key_auth) {
explicit_memset(_KEYBUF(sav->key_auth), 0,
_KEYLEN(sav->key_auth));
}
err = crypto_freesession(sav->tdb_cryptoid);
sav->tdb_cryptoid = 0;
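Review bot: The new `if (sav->key_auth) {` block in ah_zeroize should carry a comment saying why explicit_memset rather than memset is required here, otherwise a later cleanup that sees a memset-shaped call on a buffer that is not read again on this path may revert it back to plain memset, which the compiler is allowed to elide as a dead store. Suggest, above the if: `/* explicit_memset, not memset: the key is not read again on this path, so a plain memset may be optimised away */`. The same comment is wanted on the key_enc block in the esp_zeroize hunk and the key_auth block in the tcpsignature_zeroize hunk, which make the identical change. Note also that this clears only the _KEYLEN bytes of the sadb key buffer; whether the crypto session released by the crypto_freesession call on the next line still holds expanded key material, and whether that is cleared the same way, is outside this hunk and worth confirming. ah_zeroize's body continues past the end of the hunk.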
@ -1,4 +1,4 @@
/* $NetBSD: xform_esp.c,v 1.58 2017/07/07 01:37:34 ozaki-r Exp $ */
/* $NetBSD: xform_esp.c,v 1.59 2017/07/10 07:17:12 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.58 2017/07/07 01:37:34 ozaki-r Exp $");
__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.59 2017/07/10 07:17:12 ozaki-r Exp $");
#if defined(_KERNEL_OPT)
#include "opt_inet.h"
@ -283,8 +283,10 @@ esp_zeroize(struct secasvar *sav)
/* NB: ah_zerorize free's the crypto session state */
int error = ah_zeroize(sav);
if (sav->key_enc)
memset(_KEYBUF(sav->key_enc), 0, _KEYLEN(sav->key_enc));
if (sav->key_enc) {
explicit_memset(_KEYBUF(sav->key_enc), 0,
_KEYLEN(sav->key_enc));
}
sav->tdb_encalgxform = NULL;
sav->tdb_xform = NULL;
return error;
@ -1,4 +1,4 @@
/* $NetBSD: xform_tcp.c,v 1.12 2017/06/29 07:13:41 ozaki-r Exp $ */
/* $NetBSD: xform_tcp.c,v 1.13 2017/07/10 07:17:12 ozaki-r Exp $ */
/* $FreeBSD: sys/netipsec/xform_tcp.c,v 1.1.2.1 2004/02/14 22:24:09 bms Exp $ */
/*
@ -31,7 +31,7 @@
/* TCP MD5 Signature Option (RFC2385) */
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: xform_tcp.c,v 1.12 2017/06/29 07:13:41 ozaki-r Exp $");
__KERNEL_RCSID(0, "$NetBSD: xform_tcp.c,v 1.13 2017/07/10 07:17:12 ozaki-r Exp $");
#if defined(_KERNEL_OPT)
#include "opt_inet.h"
@ -123,8 +123,10 @@ static int
tcpsignature_zeroize(struct secasvar *sav)
{
if (sav->key_auth)
memset(_KEYBUF(sav->key_auth), 0, _KEYLEN(sav->key_auth));
if (sav->key_auth) {
explicit_memset(_KEYBUF(sav->key_auth), 0,
_KEYLEN(sav->key_auth));
}
sav->tdb_cryptoid = 0;
sav->tdb_authalgxform = NULL;