Index: head/sys/netipsec/key.c
===================================================================
--- head/sys/netipsec/key.c
+++ head/sys/netipsec/key.c
@@ -3059,11 +3059,8 @@
 }
 if (sav->flags & SADB_X_EXT_F_CLONED)
 return;
- /* * Cleanup xform state. */
 if (sav->tdb_xform != NULL) {
- sav->tdb_xform->xf_zeroize(sav);
+ sav->tdb_xform->xf_cleanup(sav);
 sav->tdb_xform = NULL;
 }
 if (sav->key_auth != NULL) {
Index: head/sys/netipsec/xform.h
===================================================================
--- head/sys/netipsec/xform.h
+++ head/sys/netipsec/xform.h
@@ -89,7 +89,7 @@
 u_short xf_type; /* xform ID */
 const char *xf_name; /* human-readable name */
 int (*xf_init)(struct secasvar*, struct xformsw*); /* setup */
- int (*xf_zeroize)(struct secasvar*); /* cleanup */
+ void (*xf_cleanup)(struct secasvar*); /* cleanup */
 int (*xf_input)(struct mbuf*, struct secasvar*, /* input */
 int, int);
 int (*xf_output)(struct mbuf*, /* output */
@@ -112,7 +112,6 @@
 int xform_ah_authsize(const struct auth_hash *);
 int ah_init0(struct secasvar *, struct xformsw *,
 struct crypto_session_params *);
-extern int ah_zeroize(struct secasvar *sav);
 extern size_t ah_hdrsiz(struct secasvar *);
 /* XF_ESP */
Index: head/sys/netipsec/xform_ah.c
===================================================================
--- head/sys/netipsec/xform_ah.c
+++ head/sys/netipsec/xform_ah.c
@@ -241,20 +241,13 @@
 crypto_newsession(&sav->tdb_cryptoid, &csp,
 V_crypto_support);
 }
-/* * Paranoia. * * NB: public for use by esp_zeroize (XXX). */
-int
-ah_zeroize(struct secasvar *sav)
+static void
+ah_cleanup(struct secasvar *sav)
 {
 crypto_freesession(sav->tdb_cryptoid);
 sav->tdb_cryptoid = NULL;
 sav->tdb_authalgxform = NULL;
- sav->tdb_xform = NULL;
- return 0;
 }
 /*
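Review bot: With the callback renamed from xf_zeroize to xf_cleanup, nothing on this path any longer suggests that secret key material gets scrubbed, and the removed `Cleanup xform state.` comment is not replaced by anything that says what the callback is now responsible for. The visible callbacks only free the crypto session and clear algorithm pointers; whatever wiping of key bytes happens lives in the key_auth release that starts on the hunk's last line, whose body is outside the hunk, so that should be confirmed rather than assumed. I would put a one-line comment back above the `if (sav->tdb_xform != NULL)` test, e.g. `/* xf_cleanup releases the xform's per-SA crypto state only; the SA's keys are handled below. */`. The enclosing function starts and ends outside this hunk.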
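Review bot: The `/* cleanup */` trailer on the new `xf_cleanup` member is now the only documentation of a callback whose contract this commit changes: it returns void, and the key.c hunk shows the caller invoking it without a NULL check and clearing `tdb_xform` itself afterwards, so implementations must be non-NULL and need not touch `tdb_xform`. A header comment is where the four xform files will look for that, so I would extend the trailer, e.g. `void (*xf_cleanup)(struct secasvar*); /* release per-SA crypto state; mandatory, caller clears tdb_xform */`. The struct xformsw definition begins and ends outside this hunk.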
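Review bot: ah_cleanup loses its header comment entirely, and the old "Paranoia" wording was misleading anyway since the body never wiped anything; the new static function releases the crypto session and drops the auth algorithm pointer, and it no longer clears `tdb_xform` because key.c now does that. Since the function is also no longer exported, a short comment stating that contract helps the next reader, e.g. `/* Release the SA's crypto session and forget the auth algorithm; the caller (key.c) clears tdb_xform. */` above `static void`. The first context lines of the hunk are the tail of a function that starts outside it.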
@@ -1141,7 +1134,7 @@
 .xf_type = XF_AH,
 .xf_name = "IPsec AH",
 .xf_init = ah_init,
- .xf_zeroize = ah_zeroize,
+ .xf_cleanup = ah_cleanup,
 .xf_input = ah_input,
 .xf_output = ah_output,
 };
Index: head/sys/netipsec/xform_esp.c
===================================================================
--- head/sys/netipsec/xform_esp.c
+++ head/sys/netipsec/xform_esp.c
@@ -237,18 +237,14 @@
 return error;
 }
-/*
- * Paranoia.
- */
-static int
-esp_zeroize(struct secasvar *sav)
+static void
+esp_cleanup(struct secasvar *sav)
 {
- /* NB: ah_zeroize free's the crypto session state */
- int error = ah_zeroize(sav);
+ crypto_freesession(sav->tdb_cryptoid);
+ sav->tdb_cryptoid = NULL;
+ sav->tdb_authalgxform = NULL;
 sav->tdb_encalgxform = NULL;
- sav->tdb_xform = NULL;
- return error;
 }
 /*
@@ -964,7 +960,7 @@
 .xf_type = XF_ESP,
 .xf_name = "IPsec ESP",
 .xf_init = esp_init,
- .xf_zeroize = esp_zeroize,
+ .xf_cleanup = esp_cleanup,
 .xf_input = esp_input,
 .xf_output = esp_output,
 };
Index: head/sys/netipsec/xform_ipcomp.c
===================================================================
--- head/sys/netipsec/xform_ipcomp.c
+++ head/sys/netipsec/xform_ipcomp.c
@@ -179,15 +179,14 @@
 }
 /*
- * ipcomp_zeroize() used when IPCA is deleted
+ * ipcomp_cleanup() used when IPCA is deleted
 */
-static int
-ipcomp_zeroize(struct secasvar *sav)
+static void
+ipcomp_cleanup(struct secasvar *sav)
 {
 crypto_freesession(sav->tdb_cryptoid);
 sav->tdb_cryptoid = NULL;
- return 0;
 }
 /*
@@ -739,7 +738,7 @@
 .xf_type = XF_IPCOMP,
 .xf_name = "IPcomp",
 .xf_init = ipcomp_init,
- .xf_zeroize = ipcomp_zeroize,
+ .xf_cleanup = ipcomp_cleanup,
 .xf_input = ipcomp_input,
 .xf_output = ipcomp_output,
 };
Index: head/sys/netipsec/xform_tcp.c
===================================================================
--- head/sys/netipsec/xform_tcp.c
+++ head/sys/netipsec/xform_tcp.c
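Review bot: esp_cleanup now open-codes the three lines that ah_cleanup performs, because ah_cleanup became static, but the `NB:` comment that explained the shared session handling is dropped with the delegation, so a reader sees `sav->tdb_authalgxform = NULL` in an ESP routine with no hint why. The single `tdb_cryptoid` is freed once and both algorithm descriptors are forgotten, which presumably reflects one crypto session serving both the cipher and the authenticator; that deserves stating. I would add above `static void`: `/* Release the SA's crypto session and forget both algorithm descriptors (the one session covers cipher and authenticator); tdb_xform is cleared by the caller. */`. The first two context lines are the tail of a function that starts outside this hunk.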
@@ -361,19 +361,16 @@
 /*
 * Called when the SA is deleted.
 */
-static int
-tcpsignature_zeroize(struct secasvar *sav)
+static void
+tcpsignature_cleanup(struct secasvar *sav)
 {
-
- sav->tdb_xform = NULL;
- return (0);
 }
 static struct xformsw tcpsignature_xformsw = {
 .xf_type = XF_TCPSIGNATURE,
 .xf_name = "TCP-MD5",
 .xf_init = tcpsignature_init,
- .xf_zeroize = tcpsignature_zeroize,
+ .xf_cleanup = tcpsignature_cleanup,
 };
 static const struct tcpmd5_methods tcpmd5_methods = {
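Review bot: tcpsignature_cleanup is left with an empty body and no explanation, which invites a later "dead code" removal; the key.c hunk in this same change calls `sav->tdb_xform->xf_cleanup(sav)` without a NULL check, so dropping the stub or the `.xf_cleanup` initializer would dereference NULL when a TCP-MD5 SA is deleted. The previous body only cleared `tdb_xform`, which the caller now does, so there is genuinely nothing left to do here, and that is worth saying in place. I would put `/* No per-SA crypto state to release; key.c calls xf_cleanup unconditionally, so this stub must stay. */` inside the braces.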