From: tobhe <tobhe@openbsd.org>
Date: Tue, 16 Nov 2021 21:43:36 +0000 (+0000)
Subject: Zero all copies of pre-shared key.
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=2991df65996c0af549ccd395e33445db6ae3b218;p=openbsd

Zero all copies of pre-shared key.

ok markus@
---

diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 56287e57f13..815e3294475 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ikev2.c,v 1.331 2021/11/15 22:37:35 tobhe Exp $	*/
+/*	$OpenBSD: ikev2.c,v 1.332 2021/11/16 21:43:36 tobhe Exp $	*/
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -806,6 +806,7 @@ ikev2_auth_verify(struct iked *env, struct iked_sa *sa)
 		    print_map(ikeauth.auth_method,
 		    ikev2_auth_map));
 		ikev2_send_auth_failed(env, sa);
+		explicit_bzero(&ikeauth, sizeof(ikeauth));
 		return (-1);
 	}
 	ikeauth.auth_method = sa->sa_peerauth.id_type;
@@ -815,6 +816,7 @@ ikev2_auth_verify(struct iked *env, struct iked_sa *sa)
 		log_debug("%s: failed to get auth data",
 		    __func__);
 		ikev2_send_auth_failed(env, sa);
+		explicit_bzero(&ikeauth, sizeof(ikeauth));
 		return (-1);
 	}
 
@@ -827,6 +829,7 @@ ikev2_auth_verify(struct iked *env, struct iked_sa *sa)
 		log_info("%s: ikev2_msg_authverify failed",
 		    SPI_SA(sa, __func__));
 		ikev2_send_auth_failed(env, sa);
+		explicit_bzero(&ikeauth, sizeof(ikeauth));
 		return (-1);
 	}
 	if (sa->sa_eapmsk != NULL) {
@@ -834,6 +837,7 @@ ikev2_auth_verify(struct iked *env, struct iked_sa *sa)
 		    !sa->sa_hdr.sh_initiator)) == NULL) {
 			log_debug("%s: failed to get auth data",
 			    __func__);
+			explicit_bzero(&ikeauth, sizeof(ikeauth));
 			return (-1);
 		}
 
@@ -842,6 +846,7 @@ ikev2_auth_verify(struct iked *env, struct iked_sa *sa)
 		ibuf_release(authmsg);
 		if (ret != 0) {
 			ikev2_send_auth_failed(env, sa);
+			explicit_bzero(&ikeauth, sizeof(ikeauth));
 			return (-1);
 		}
 
@@ -851,6 +856,7 @@ ikev2_auth_verify(struct iked *env, struct iked_sa *sa)
 		sa_state(env, sa, IKEV2_STATE_EAP_SUCCESS);
 	}
 
+	explicit_bzero(&ikeauth, sizeof(ikeauth));
 	return (0);
 }
 
diff --git a/sbin/iked/parse.y b/sbin/iked/parse.y
index 8eac03668af..6267acbefc5 100644
--- a/sbin/iked/parse.y
+++ b/sbin/iked/parse.y
@@ -1,4 +1,4 @@
-/*	$OpenBSD: parse.y,v 1.135 2021/10/26 17:31:22 tobhe Exp $	*/
+/*	$OpenBSD: parse.y,v 1.136 2021/11/16 21:43:36 tobhe Exp $	*/
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -1043,6 +1043,7 @@ ikeauth		: /* empty */			{
 			memcpy(&$$, &$2, sizeof($$));
 			$$.auth_method = IKEV2_AUTH_SHARED_KEY_MIC;
 			$$.auth_eap = 0;
+			explicit_bzero(&$2, sizeof($2));
 		}
 		| EAP STRING			{
 			unsigned int i;
@@ -1178,7 +1179,7 @@ keyspec		: STRING			{
 				    sizeof($$.auth_data));
 				$$.auth_length = strlen($1);
 			}
-			free($1);
+			freezero($1, strlen($1));
 		}
 		| FILENAME STRING		{
 			if (parsekeyfile($2, &$$) != 0) {
@@ -2507,6 +2508,7 @@ create_ike(char *name, int af, struct ipsec_addr_wrap *ipproto,
 	pol.pol_flags = flags;
 	pol.pol_rdomain = rdomain;
 	memcpy(&pol.pol_auth, authtype, sizeof(struct iked_auth));
+	explicit_bzero(authtype, sizeof(*authtype));
 
 	if (name != NULL) {
 		if (strlcpy(pol.pol_name, name,