From 72fba84d430ad089a553e19fc3102874d2695f05 Mon Sep 17 00:00:00 2001 From: jsing Date: Sun, 30 Apr 2017 02:10:22 +0000 Subject: [PATCH] Add a tls_keypair_clear_key() function that uses freezero() to make key material inaccessible, then call it from the appropriate places. ok beck@ --- lib/libtls/tls_config.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c index f5e0bf55e4c..65063117e2b 100644 --- a/lib/libtls/tls_config.c +++ b/lib/libtls/tls_config.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_config.c,v 1.37 2017/04/05 03:13:53 beck Exp $ */ +/* $OpenBSD: tls_config.c,v 1.38 2017/04/30 02:10:22 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -67,6 +67,14 @@ tls_keypair_new(void) return calloc(1, sizeof(struct tls_keypair)); } +static void +tls_keypair_clear_key(struct tls_keypair *keypair) +{ + freezero(keypair->key_mem, keypair->key_len); + keypair->key_mem = NULL; + keypair->key_len = 0; +} + static int tls_keypair_set_cert_file(struct tls_keypair *keypair, struct tls_error *error, const char *cert_file) @@ -86,8 +94,7 @@ static int tls_keypair_set_key_file(struct tls_keypair *keypair, struct tls_error *error, const char *key_file) { - if (keypair->key_mem != NULL) - explicit_bzero(keypair->key_mem, keypair->key_len); + tls_keypair_clear_key(keypair); return tls_config_load_file(error, "key", key_file, &keypair->key_mem, &keypair->key_len); } @@ -96,8 +103,7 @@ static int tls_keypair_set_key_mem(struct tls_keypair *keypair, const uint8_t *key, size_t len) { - if (keypair->key_mem != NULL) - explicit_bzero(keypair->key_mem, keypair->key_len); + tls_keypair_clear_key(keypair); return set_mem(&keypair->key_mem, &keypair->key_len, key, len); } -- 2.20.1