Page MenuHomeFreeBSD
Differential D25442

Use zfree() to explicitly zero IPsec keys.
ClosedPublic
Actions

Authored by jhb on Jun 25 2020, 12:42 AM.
Tags
None
Referenced Files
F160556794: D25442.id73614.diff
Thu, Jun 25, 3:51 PM
F160491588: D25442.diff
Thu, Jun 25, 1:55 AM
Unknown Object (File)
Mon, Jun 15, 5:01 PM
Unknown Object (File)
Mon, Jun 15, 4:59 PM
Unknown Object (File)
May 7 2026, 1:25 AM
Unknown Object (File)
May 6 2026, 11:01 AM
Unknown Object (File)
May 3 2026, 7:11 AM
Unknown Object (File)
Apr 28 2026, 10:06 PM
View All Files
Subscribers
ae
imp
melifaro

Details

Reviewers
delphij
cem
Commits
rS362632: Use zfree() to explicitly zero IPsec keys.
Test Plan
  • tested with IPsec tunnels over IPv4 (AES-CBC + SHA1 and AES-GCM) and IPv6 (AES-GCM) and using setkey -F to clear state after

Diff Detail

Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 31945
Build 29496: arc lint + arc unit

Event Timeline

jhb created this revision.Jun 25 2020, 12:42 AM
Herald added subscribers: melifaro, ae. · View Herald TranscriptJun 25 2020, 12:42 AM
jhb requested review of this revision.Jun 25 2020, 12:42 AM
Harbormaster completed remote builds in B31945: Diff 73614.Jun 25 2020, 12:42 AM
jhb added a child revision: D25443: Simplify IPsec transform-specific teardown..Jun 25 2020, 12:43 AM
cem resigned from this revision.Jun 25 2020, 12:44 AM

No interest in ipsec.

delphij accepted this revision.Jun 25 2020, 4:36 AM

I think setting tdb_xform to NULL is no longer needed (as they are about to be done by the caller anyway).

sys/netipsec/xform_ah.c
256

Looks like this is redundant too? (Already done by caller, key_cleansav).

sys/netipsec/xform_esp.c
250

Looks like this is redundant too? (Already done by caller, key_cleansav).

sys/netipsec/xform_tcp.c
368

Looks like this is redundant too? (Already done by caller, key_cleansav).

This revision is now accepted and ready to land.Jun 25 2020, 4:36 AM
jhb added a comment.Jun 25 2020, 8:27 PM
In D25442#561674, @delphij wrote:

I think setting tdb_xform to NULL is no longer needed (as they are about to be done by the caller anyway).

Yes, I removed those in the followup change. Here I was trying to just focus on the key zeroing via zfree separate from the other change.

Closed by commit rS362632: Use zfree() to explicitly zero IPsec keys. (authored by jhb). · Explain WhyJun 25 2020, 8:31 PM
This revision was automatically updated to reflect the committed changes.
jhb added a commit: rS362632: Use zfree() to explicitly zero IPsec keys..
Herald added a subscriber: imp. · View Herald TranscriptJun 25 2020, 8:31 PM

Revision Contents
Changeset List

PathSize
sys/
netipsec/
14 lines
3 lines
4 lines
2 lines

Diff 73614

View Options

sys/netipsec/key.c

Loading...
View Options

sys/netipsec/xform_ah.c

Loading...
View Options

sys/netipsec/xform_esp.c

Loading...
View Options

sys/netipsec/xform_tcp.c

Loading...