Differential D25442

Use zfree() to explicitly zero IPsec keys.
ClosedPublic
Actions

Authored by jhb on Jun 25 2020, 12:42 AM.

Tags

None

Referenced Files

	Unknown Object (File)
	Mon, Jun 15, 5:01 PM

	Unknown Object (File)
	Mon, Jun 15, 4:59 PM

	Unknown Object (File)
	May 7 2026, 1:25 AM

	Unknown Object (File)
	May 6 2026, 11:01 AM

	Unknown Object (File)
	May 3 2026, 7:11 AM

	Unknown Object (File)
	Apr 28 2026, 10:06 PM

	Unknown Object (File)
	Apr 28 2026, 5:44 PM

	Unknown Object (File)
	Apr 25 2026, 5:23 AM

Subscribers

Details

Reviewers

delphij
cem

Commits

rS362632: Use zfree() to explicitly zero IPsec keys.

Test Plan

tested with IPsec tunnels over IPv4 (AES-CBC + SHA1 and AES-GCM) and IPv6 (AES-GCM) and using setkey -F to clear state after

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

jhb created this revision.Jun 25 2020, 12:42 AM

Herald added subscribers: melifaro, ae. · View Herald TranscriptJun 25 2020, 12:42 AM

jhb requested review of this revision.Jun 25 2020, 12:42 AM

Harbormaster completed remote builds in B31945: Diff 73614.Jun 25 2020, 12:42 AM

jhb added a child revision: D25443: Simplify IPsec transform-specific teardown..Jun 25 2020, 12:43 AM

No interest in ipsec.

I think setting tdb_xform to NULL is no longer needed (as they are about to be done by the caller anyway).

sys/netipsec/xform_ah.c
256 ↗	(On Diff #73614)	Looks like this is redundant too? (Already done by caller, key_cleansav).
sys/netipsec/xform_esp.c
250 ↗	(On Diff #73614)	Looks like this is redundant too? (Already done by caller, key_cleansav).
sys/netipsec/xform_tcp.c
368 ↗	(On Diff #73614)	Looks like this is redundant too? (Already done by caller, key_cleansav).

This revision is now accepted and ready to land.Jun 25 2020, 4:36 AM

In D25442#561674, @delphij wrote:

I think setting tdb_xform to NULL is no longer needed (as they are about to be done by the caller anyway).

Yes, I removed those in the followup change. Here I was trying to just focus on the key zeroing via zfree separate from the other change.

Closed by commit rS362632: Use zfree() to explicitly zero IPsec keys. (authored by jhb). · Explain WhyJun 25 2020, 8:31 PM

This revision was automatically updated to reflect the committed changes.

jhb added a commit: rS362632: Use zfree() to explicitly zero IPsec keys..

Herald added a subscriber: imp. · View Herald TranscriptJun 25 2020, 8:31 PM

Revision Contents
Changeset List

Path

Size

head/

sys/

netipsec/

14 lines

3 lines

4 lines

2 lines

Diff 73665

head/sys/netipsec/key.c

Loading...

head/sys/netipsec/xform_ah.c

Loading...

head/sys/netipsec/xform_esp.c

Loading...

head/sys/netipsec/xform_tcp.c

Loading...