
Use zfree() to explicitly zero IPsec keys.
ClosedPublic

Authored by jhb on Jun 25 2020, 12:42 AM.
Details

Test Plan
  • tested with IPsec tunnels over IPv4 (AES-CBC + SHA1 and AES-GCM) and IPv6 (AES-GCM) and using setkey -F to clear state after
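The point of the change is that free() alone leaves key bytes in the freed chunk until the allocator reuses it, whereas zfree(9) scrubs the object before releasing it. The following is an added userland illustration, not code from the revision or from sys/netipsec: it simulates the kernel allocator with a small static pool (so the freed memory can be inspected legally), substitutes a memset called through a volatile function pointer for the explicit_bzero() that zfree(9) uses, and keeps keys in a hypothetical struct sa_key rather than the real struct secasvar. The names pool_alloc, zfree_userland and sa_key are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Bump allocator over a static pool, standing in for malloc(9)/free(9).
 * Like the real allocator it does not scrub memory on free, so whatever the
 * object held stays in the pool until the chunk is handed out again.
 * (Assumed simulation, not the kernel allocator.)
 */
#define POOL_SIZE 256
static uint8_t pool[POOL_SIZE];
static size_t pool_used;

static void *
pool_alloc(size_t len)
{
	if (len > POOL_SIZE - pool_used)
		return NULL;
	void *p = &pool[pool_used];
	pool_used += len;
	return p;
}

static void
pool_free(void *p)
{
	(void)p;	/* deliberately no scrubbing, like free(9) */
}

static void
pool_reset(void)
{
	memset(pool, 0, sizeof(pool));
	pool_used = 0;
}

/*
 * memset reached through a volatile function pointer: the compiler cannot
 * treat the store as dead and drop it merely because the buffer is freed
 * next. This plays the role explicit_bzero(3) plays inside zfree(9).
 */
static void *(*const volatile secure_memset)(void *, int, size_t) = memset;

/* Userland analogue of zfree(9). The kernel version derives the length from
 * the allocation's malloc_type; here the caller supplies it. */
static void
zfree_userland(void *p, size_t len)
{
	if (p == NULL)
		return;
	secure_memset(p, 0, len);
	pool_free(p);
}

#define KEY_LEN 32
#define KEY_PATTERN 0xA5	/* constructed key byte, easy to spot as leftover */

/* Hypothetical SA record holding one key (not netipsec's struct secasvar). */
struct sa_key {
	uint8_t *key;
	size_t key_len;
};

static int
sa_key_install(struct sa_key *sa)
{
	sa->key = pool_alloc(KEY_LEN);
	if (sa->key == NULL)
		return -1;
	memset(sa->key, KEY_PATTERN, KEY_LEN);	/* constructed sample key */
	sa->key_len = KEY_LEN;
	return 0;
}

/* "Before": plain free() of the key. */
static void
sa_key_free_insecure(struct sa_key *sa)
{
	pool_free(sa->key);
	sa->key = NULL;
	sa->key_len = 0;
}

/* "After": zero the key, then free it. */
static void
sa_key_free_secure(struct sa_key *sa)
{
	zfree_userland(sa->key, sa->key_len);
	sa->key = NULL;
	sa->key_len = 0;
}

/* Bytes of the pool that still carry the key pattern after teardown. */
static size_t
pool_count_key_bytes(void)
{
	size_t n = 0;
	for (size_t i = 0; i < POOL_SIZE; i++)
		if (pool[i] == KEY_PATTERN)
			n++;
	return n;
}

static size_t
leftover_after_insecure_free(void)
{
	struct sa_key sa;
	pool_reset();
	if (sa_key_install(&sa) != 0)
		return (size_t)-1;
	sa_key_free_insecure(&sa);
	return pool_count_key_bytes();	/* KEY_LEN: the whole key survives */
}

static size_t
leftover_after_secure_free(void)
{
	struct sa_key sa;
	pool_reset();
	if (sa_key_install(&sa) != 0)
		return (size_t)-1;
	sa_key_free_secure(&sa);
	return pool_count_key_bytes();	/* 0: nothing left to recover */
}

int
main(void)
{
	printf("key bytes left after free():  %zu\n", leftover_after_insecure_free());
	printf("key bytes left after zfree(): %zu\n", leftover_after_secure_free());
	return 0;
}
```

The volatile function pointer is the part that is easy to get wrong: a plain memset() immediately followed by free() is a dead store in the compiler's view and may be removed, which is why the kernel routes zeroing through explicit_bzero() rather than memset().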

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

jhb requested review of this revision. Jun 25 2020, 12:42 AM

No interest in ipsec.

I think setting tdb_xform to NULL is no longer needed (as they are about to be done by the caller anyway).

sys/netipsec/xform_ah.c:256 (On Diff #73614)

Looks like this is redundant too? (Already done by caller, key_cleansav).

sys/netipsec/xform_esp.c:250 (On Diff #73614)

Looks like this is redundant too? (Already done by caller, key_cleansav).

sys/netipsec/xform_tcp.c:368 (On Diff #73614)

Looks like this is redundant too? (Already done by caller, key_cleansav).

This revision is now accepted and ready to land. Jun 25 2020, 4:36 AM

I think setting tdb_xform to NULL is no longer needed (as they are about to be done by the caller anyway).

Yes, I removed those in the followup change. Here I was trying to just focus on the key zeroing via zfree separate from the other change.

This revision was automatically updated to reflect the committed changes.