Zero all copies of pre-shared key.
authortobhe <tobhe@openbsd.org>
Tue, 16 Nov 2021 21:43:36 +0000 (21:43 +0000)
committertobhe <tobhe@openbsd.org>
Tue, 16 Nov 2021 21:43:36 +0000 (21:43 +0000)
ok markus@

sbin/iked/ikev2.c
sbin/iked/parse.y

index 56287e5..815e329 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ikev2.c,v 1.331 2021/11/15 22:37:35 tobhe Exp $       */
+/*     $OpenBSD: ikev2.c,v 1.332 2021/11/16 21:43:36 tobhe Exp $       */
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -806,6 +806,7 @@ ikev2_auth_verify(struct iked *env, struct iked_sa *sa)
                    print_map(ikeauth.auth_method,
                    ikev2_auth_map));
                ikev2_send_auth_failed(env, sa);
+               explicit_bzero(&ikeauth, sizeof(ikeauth));
                return (-1);
        }
        ikeauth.auth_method = sa->sa_peerauth.id_type;
@@ -815,6 +816,7 @@ ikev2_auth_verify(struct iked *env, struct iked_sa *sa)
                log_debug("%s: failed to get auth data",
                    __func__);
                ikev2_send_auth_failed(env, sa);
+               explicit_bzero(&ikeauth, sizeof(ikeauth));
                return (-1);
        }
 
@@ -827,6 +829,7 @@ ikev2_auth_verify(struct iked *env, struct iked_sa *sa)
                log_info("%s: ikev2_msg_authverify failed",
                    SPI_SA(sa, __func__));
                ikev2_send_auth_failed(env, sa);
+               explicit_bzero(&ikeauth, sizeof(ikeauth));
                return (-1);
        }
        if (sa->sa_eapmsk != NULL) {
@@ -834,6 +837,7 @@ ikev2_auth_verify(struct iked *env, struct iked_sa *sa)
                    !sa->sa_hdr.sh_initiator)) == NULL) {
                        log_debug("%s: failed to get auth data",
                            __func__);
+                       explicit_bzero(&ikeauth, sizeof(ikeauth));
                        return (-1);
                }
 
@@ -842,6 +846,7 @@ ikev2_auth_verify(struct iked *env, struct iked_sa *sa)
                ibuf_release(authmsg);
                if (ret != 0) {
                        ikev2_send_auth_failed(env, sa);
+                       explicit_bzero(&ikeauth, sizeof(ikeauth));
                        return (-1);
                }
 
@@ -851,6 +856,7 @@ ikev2_auth_verify(struct iked *env, struct iked_sa *sa)
                sa_state(env, sa, IKEV2_STATE_EAP_SUCCESS);
        }
 
+       explicit_bzero(&ikeauth, sizeof(ikeauth));
        return (0);
 }
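Review bot: The same `explicit_bzero(&ikeauth, sizeof(ikeauth));` is now pasted before seven separate returns in ikev2_auth_verify (lines 22, 30, 38, 46, 54, 62), which makes the next early exit someone adds the one that leaks the key; a single cleanup label would zero on every path by construction. ikev2_auth_verify begins before the first hunk, so any `return` between the function start and line 806 cannot be checked here and is presumably unchanged by this commit — worth confirming that none of those paths already hold a copy of the shared key in `ikeauth`. The sketch below uses a fresh result variable because `ret` is already used at line 52.
```c
	int rv = -1;	/* declared with the function's other locals, outside the hunk */
	/* … unchanged: ikeauth setup … */
		ikev2_send_auth_failed(env, sa);
		goto done;	/* replaces each `explicit_bzero(...); return (-1);` pair */
	/* … unchanged: remaining verification steps, each failure branch ending in goto done … */
	rv = 0;
 done:
	explicit_bzero(&ikeauth, sizeof(ikeauth));
	return (rv);
}
```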
 
index 8eac036..6267acb 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: parse.y,v 1.135 2021/10/26 17:31:22 tobhe Exp $       */
+/*     $OpenBSD: parse.y,v 1.136 2021/11/16 21:43:36 tobhe Exp $       */
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -1043,6 +1043,7 @@ ikeauth           : /* empty */                   {
                        memcpy(&$$, &$2, sizeof($$));
                        $$.auth_method = IKEV2_AUTH_SHARED_KEY_MIC;
                        $$.auth_eap = 0;
+                       explicit_bzero(&$2, sizeof($2));
                }
                | EAP STRING                    {
                        unsigned int i;
@@ -1178,7 +1179,7 @@ keyspec           : STRING                        {
                                    sizeof($$.auth_data));
                                $$.auth_length = strlen($1);
                        }
-                       free($1);
+                       freezero($1, strlen($1));
                }
                | FILENAME STRING               {
                        if (parsekeyfile($2, &$$) != 0) {
@@ -2507,6 +2508,7 @@ create_ike(char *name, int af, struct ipsec_addr_wrap *ipproto,
        pol.pol_flags = flags;
        pol.pol_rdomain = rdomain;
        memcpy(&pol.pol_auth, authtype, sizeof(struct iked_auth));
+       explicit_bzero(authtype, sizeof(*authtype));
 
        if (name != NULL) {
                if (strlcpy(pol.pol_name, name,
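Review bot: `explicit_bzero(authtype, sizeof(*authtype));` at line 94 silently turns `authtype` into a consumed in/out parameter: a caller that reuses the same `struct iked_auth` for a second policy now gets an all-zero auth block, and nothing in create_ike's signature or comments says so. Suggest a comment on the definition, e.g. `/* authtype is consumed: it is copied into pol.pol_auth and then zeroed. */`, and for consistency write the copy on line 93 as `memcpy(&pol.pol_auth, authtype, sizeof(*authtype));` so both lines are tied to the same object. After this change `pol.pol_auth` holds the only remaining copy of the key, so whoever tears down the policy presumably has to zero it as well — that code is outside the hunk. create_ike continues past the end of the hunk.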