diff options
author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2011-01-11 16:04:20 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2011-01-11 16:04:20 +0000 |
commit | 73642313e41cac96e6aaf5e307b500253a0a6a9f (patch) | |
tree | bf4b3ce0755a03f1353b7227ffd9ebc1b2f1ff4e | |
parent | 6ca2eaf00dea51026bfb6f93be91c8a04b0c3a6a (diff) |
add explicit_bzero() calls before free()ing key material
ok mikeb
-rw-r--r-- | sys/crypto/cryptodev.c | 15 | ||||
-rw-r--r-- | sys/crypto/cryptosoft.c | 12 |
2 files changed, 17 insertions, 10 deletions
diff --git a/sys/crypto/cryptodev.c b/sys/crypto/cryptodev.c index ca54d1df247..ba517c267d2 100644 --- a/sys/crypto/cryptodev.c +++ b/sys/crypto/cryptodev.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cryptodev.c,v 1.75 2010/12/14 20:26:44 mikeb Exp $ */ +/* $OpenBSD: cryptodev.c,v 1.76 2011/01/11 16:04:19 deraadt Exp $ */ /* * Copyright (c) 2001 Theo de Raadt @@ -265,10 +265,14 @@ cryptof_ioctl(struct file *fp, u_long cmd, caddr_t data, struct proc *p) bail: if (error) { - if (crie.cri_key) + if (crie.cri_key) { + explicit_bzero(crie.cri_key, crie.cri_klen); free(crie.cri_key, M_XDATA); - if (cria.cri_key) + } + if (cria.cri_key) { + explicit_bzero(cria.cri_key, cria.cri_klen); free(cria.cri_key, M_XDATA); + } } break; case CIOCFSESSION: @@ -578,8 +582,11 @@ fail: if (krp) { kop->crk_status = krp->krp_status; for (i = 0; i < CRK_MAXPARAM; i++) { - if (krp->krp_param[i].crp_p) + if (krp->krp_param[i].crp_p) { + explicit_bzero(krp->krp_param[i].crp_p, + (krp->krp_param[i].crp_nbits + 7) / 8); free(krp->krp_param[i].crp_p, M_XDATA); + } } free(krp, M_XDATA); } diff --git a/sys/crypto/cryptosoft.c b/sys/crypto/cryptosoft.c index f0dfd0775cc..b59994c124e 100644 --- a/sys/crypto/cryptosoft.c +++ b/sys/crypto/cryptosoft.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cryptosoft.c,v 1.61 2011/01/11 15:46:47 deraadt Exp $ */ +/* $OpenBSD: cryptosoft.c,v 1.62 2011/01/11 16:04:19 deraadt Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) @@ -984,11 +984,11 @@ swcr_freesession(u_int64_t tid) axf = swd->sw_axf; if (swd->sw_ictx) { - bzero(swd->sw_ictx, axf->ctxsize); + explicit_bzero(swd->sw_ictx, axf->ctxsize); free(swd->sw_ictx, M_CRYPTO_DATA); } if (swd->sw_octx) { - bzero(swd->sw_octx, axf->ctxsize); + explicit_bzero(swd->sw_octx, axf->ctxsize); free(swd->sw_octx, M_CRYPTO_DATA); } break; @@ -998,11 +998,11 @@ swcr_freesession(u_int64_t tid) axf = swd->sw_axf; if (swd->sw_ictx) { - bzero(swd->sw_ictx, axf->ctxsize); + explicit_bzero(swd->sw_ictx, axf->ctxsize); free(swd->sw_ictx, M_CRYPTO_DATA); } if (swd->sw_octx) { - bzero(swd->sw_octx, swd->sw_klen); + explicit_bzero(swd->sw_octx, swd->sw_klen); free(swd->sw_octx, M_CRYPTO_DATA); } break; @@ -1015,7 +1015,7 @@ swcr_freesession(u_int64_t tid) axf = swd->sw_axf; if (swd->sw_ictx) { - bzero(swd->sw_ictx, axf->ctxsize); + explicit_bzero(swd->sw_ictx, axf->ctxsize); free(swd->sw_ictx, M_CRYPTO_DATA); } break; |