From 3f2ff6bc5287cb81e0a08420e0a605f681b8b121 Mon Sep 17 00:00:00 2001
From: jsing
Date: Mon, 10 Apr 2017 06:09:32 +0000
Subject: [PATCH] Convert various client key exchange functions to freezero(3). The memory contents needs to be made inaccessible - this is simpler and less error prone than the current "if not NULL, explicit_bzero(); free()" dance.
---
 lib/libssl/ssl_clnt.c | 19 +++++--------------
 1 file changed, 5 insertions(+), 14 deletions(-)
diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index 1cdbf86c504..6fb5eca4b3c 100644
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.11 2017/03/10 16:03:27 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.12 2017/04/10 06:09:32 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1999,9 +1999,7 @@ ssl3_send_client_kex_dhe(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
 err:
 DH_free(dh_clnt);
- if (key != NULL)
- explicit_bzero(key, key_size);
- free(key);
+ freezero(key, key_size);
 return (ret);
 }
@@ -2086,9 +2084,7 @@ ssl3_send_client_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, CBB *cbb)
 ret = 1;
 err:
- if (key != NULL)
- explicit_bzero(key, key_size);
- free(key);
+ freezero(key, key_size);
 BN_CTX_free(bn_ctx);
 EC_KEY_free(ecdh);
@@ -2130,14 +2126,9 @@ ssl3_send_client_kex_ecdhe_ecx(SSL *s, SESS_CERT *sc, CBB *cbb)
 ret = 1;
 err:
- if (private_key != NULL)
- explicit_bzero(private_key, X25519_KEY_LENGTH);
- if (shared_key != NULL)
- explicit_bzero(shared_key, X25519_KEY_LENGTH);
-
 free(public_key);
- free(private_key);
- free(shared_key);
+ freezero(private_key, X25519_KEY_LENGTH);
+ freezero(shared_key, X25519_KEY_LENGTH);
 return (ret);
 }
--
2.20.1
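Review bot: `key_size` is now read on every path that reaches `err:` in ssl3_send_client_kex_dhe, and likewise in the ssl3_send_client_kex_ecdhe_ecp hunk, whereas the removed code read it only when `key != NULL`. freezero(3) takes no action for a NULL pointer, so the visible behaviour is unchanged, but a `goto err` taken before `key_size` is assigned would now pass an indeterminate value. Both function bodies start outside the hunks, so the declarations are not visible here; if `key_size` is not already initialised where it is declared, giving it an initial value of `0` there would remove the doubt. If it is a signed type, it is also worth confirming that it cannot be negative while `key` is non-NULL, since the argument converts to `size_t` and governs how many bytes of key material are wiped.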