Page MenuHomeFreeBSD

Use zfree() to explicitly zero IPsec keys.
ClosedPublic

Authored by jhb on Jun 25 2020, 12:42 AM.
Tags
None
Referenced Files
Unknown Object (File)
Oct 4 2024, 1:54 PM
Unknown Object (File)
Sep 27 2024, 6:39 PM
Unknown Object (File)
Sep 23 2024, 3:41 PM
Unknown Object (File)
Sep 23 2024, 11:57 AM
Unknown Object (File)
Sep 21 2024, 1:32 AM
Unknown Object (File)
Sep 21 2024, 1:32 AM
Unknown Object (File)
Sep 21 2024, 1:31 AM
Unknown Object (File)
Sep 20 2024, 6:33 PM
Subscribers

Details

Test Plan
  • tested with IPsec tunnels over IPv4 (AES-CBC + SHA1 and AES-GCM) and IPv6 (AES-GCM) and using setkey -F to clear state after

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

jhb requested review of this revision.Jun 25 2020, 12:42 AM

No interest in ipsec.

I think setting tdb_xform to NULL is no longer needed (as they are about to be done by the caller anyway).

sys/netipsec/xform_ah.c
256 ↗(On Diff #73614)

Looks like this is redundant too? (Already done by caller, key_cleansav).

sys/netipsec/xform_esp.c
250 ↗(On Diff #73614)

Looks like this is redundant too? (Already done by caller, key_cleansav).

sys/netipsec/xform_tcp.c
368 ↗(On Diff #73614)

Looks like this is redundant too? (Already done by caller, key_cleansav).

This revision is now accepted and ready to land.Jun 25 2020, 4:36 AM

I think setting tdb_xform to NULL is no longer needed (as they are about to be done by the caller anyway).

Yes, I removed those in the followup change. Here I was trying to just focus on the key zeroing via zfree separate from the other change.

This revision was automatically updated to reflect the committed changes.