Index: head/lib/libstand/Makefile =================================================================== --- head/lib/libstand/Makefile +++ head/lib/libstand/Makefile @@ -155,5 +155,9 @@ SRCS+= nandfs.c .endif +# explicit_bzero +.PATH: ${SRCTOP}/sys/libkern +SRCS+= explicit_bzero.c + .include .include Index: head/sys/boot/geli/Makefile =================================================================== --- head/sys/boot/geli/Makefile +++ head/sys/boot/geli/Makefile @@ -24,10 +24,6 @@ .PATH: ${.CURDIR}/../../../lib/libc/string SRCS+= bcmp.c bcopy.c bzero.c -# need explicit_bzero for crypto -.PATH: ${.CURDIR}/../../../sys/libkern -SRCS+= explicit_bzero.c - # Our password input method SRCS+= pwgets.c Index: head/sys/boot/geli/geliboot.h =================================================================== --- head/sys/boot/geli/geliboot.h +++ head/sys/boot/geli/geliboot.h @@ -36,6 +36,7 @@ #define _STRING_H_ #define _STRINGS_H_ #define _STDIO_H_ + #include #include Index: head/sys/boot/geli/geliboot.c =================================================================== --- head/sys/boot/geli/geliboot.c +++ head/sys/boot/geli/geliboot.c @@ -173,19 +173,19 @@ sizeof(geli_e->md.md_salt), passphrase, geli_e->md.md_iterations); g_eli_crypto_hmac_update(&ctx, dkey, sizeof(dkey)); - bzero(&dkey, sizeof(dkey)); + explicit_bzero(dkey, sizeof(dkey)); } g_eli_crypto_hmac_final(&ctx, key, 0); error = g_eli_mkey_decrypt(&geli_e->md, key, mkey, &keynum); - bzero(&key, sizeof(key)); + explicit_bzero(key, sizeof(key)); if (error == -1) { - bzero(&mkey, sizeof(mkey)); + explicit_bzero(mkey, sizeof(mkey)); printf("Bad GELI key: %d\n", error); return (error); } else if (error != 0) { - bzero(&mkey, sizeof(mkey)); + explicit_bzero(mkey, sizeof(mkey)); printf("Failed to decrypt GELI master key: %d\n", error); return (error); } @@ -203,7 +203,7 @@ g_eli_crypto_hmac(mkp, G_ELI_MAXKEYLEN, "\x10", 1, geli_e->sc.sc_ekey, 0); } - bzero(&mkey, sizeof(mkey)); + explicit_bzero(mkey, sizeof(mkey)); /* Initialize the per-sector IV. */ switch (geli_e->sc.sc_ealgo) { @@ -279,13 +279,13 @@ geli_e->sc.sc_ekeylen, iv); if (error != 0) { - bzero(&gkey, sizeof(gkey)); + explicit_bzero(&gkey, sizeof(gkey)); printf("Failed to decrypt in geli_read()!"); return (error); } pbuf += secsize; } - bzero(&gkey, sizeof(gkey)); + explicit_bzero(&gkey, sizeof(gkey)); return (0); } Index: head/sys/boot/geli/geliboot_crypto.c =================================================================== --- head/sys/boot/geli/geliboot_crypto.c +++ head/sys/boot/geli/geliboot_crypto.c @@ -110,7 +110,7 @@ { u_char iv[keysize]; - bzero(iv, sizeof(iv)); + explicit_bzero(iv, sizeof(iv)); return (geliboot_crypt(algo, enc, data, datasize, key, keysize, iv)); } Index: head/sys/boot/i386/gptboot/gptboot.c =================================================================== --- head/sys/boot/i386/gptboot/gptboot.c +++ head/sys/boot/i386/gptboot/gptboot.c @@ -481,7 +481,7 @@ #ifdef LOADER_GELI_SUPPORT geliargs.size = sizeof(geliargs); bcopy(gelipw, geliargs.gelipw, sizeof(geliargs.gelipw)); - bzero(gelipw, sizeof(gelipw)); + explicit_bzero(gelipw, sizeof(gelipw)); #endif __exec((caddr_t)addr, RB_BOOTINFO | (opts & RBX_MASK), MAKEBOOTDEV(dev_maj[dsk.type], dsk.part + 1, dsk.unit, 0xff), Index: head/sys/boot/i386/loader/main.c =================================================================== --- head/sys/boot/i386/loader/main.c +++ head/sys/boot/i386/loader/main.c @@ -175,7 +175,7 @@ if (zargs != NULL && zargs->size >= offsetof(struct zfs_boot_args, gelipw)) { if (zargs->gelipw[0] != '\0') { setenv("kern.geom.eli.passphrase", zargs->gelipw, 1); - bzero(zargs->gelipw, sizeof(zargs->gelipw)); + explicit_bzero(zargs->gelipw, sizeof(zargs->gelipw)); } } } @@ -187,7 +187,7 @@ if (gargs != NULL && gargs->size >= offsetof(struct geli_boot_args, gelipw)) { if (gargs->gelipw[0] != '\0') { setenv("kern.geom.eli.passphrase", gargs->gelipw, 1); - bzero(gargs->gelipw, sizeof(gargs->gelipw)); + explicit_bzero(gargs->gelipw, sizeof(gargs->gelipw)); } } } Index: head/sys/boot/i386/zfsboot/zfsboot.c =================================================================== --- head/sys/boot/i386/zfsboot/zfsboot.c +++ head/sys/boot/i386/zfsboot/zfsboot.c @@ -926,7 +926,7 @@ zfsargs.primary_pool = primary_spa->spa_guid; #ifdef LOADER_GELI_SUPPORT bcopy(gelipw, zfsargs.gelipw, sizeof(zfsargs.gelipw)); - bzero(gelipw, sizeof(gelipw)); + explicit_bzero(gelipw, sizeof(gelipw)); #else zfsargs.gelipw[0] = '\0'; #endif