diff options
| author | jsing <> | 2017-04-30 02:10:22 +0000 |
|---|---|---|
| committer | jsing <> | 2017-04-30 02:10:22 +0000 |
| commit | 49f90df7d5b318f186ce8133dae1e24a47469554 (patch) | |
| tree | b2a98d26632721cd7dcc50af3f5b4c30d4d54476 | |
| parent | 15ac8a5d2905750a0c5228fc567414ccce869de6 (diff) | |
| download | openbsd-49f90df7d5b318f186ce8133dae1e24a47469554.tar.gz openbsd-49f90df7d5b318f186ce8133dae1e24a47469554.tar.bz2 openbsd-49f90df7d5b318f186ce8133dae1e24a47469554.zip | |
Add a tls_keypair_clear_key() function that uses freezero() to make key
material inaccessible, then call it from the appropriate places.
ok beck@
| -rw-r--r-- | src/lib/libtls/tls_config.c | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c index f5e0bf55e4..65063117e2 100644 --- a/src/lib/libtls/tls_config.c +++ b/src/lib/libtls/tls_config.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_config.c,v 1.37 2017/04/05 03:13:53 beck Exp $ */ | 1 | /* $OpenBSD: tls_config.c,v 1.38 2017/04/30 02:10:22 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -67,6 +67,14 @@ tls_keypair_new(void) | |||
| 67 | return calloc(1, sizeof(struct tls_keypair)); | 67 | return calloc(1, sizeof(struct tls_keypair)); |
| 68 | } | 68 | } |
| 69 | 69 | ||
| 70 | static void | ||
| 71 | tls_keypair_clear_key(struct tls_keypair *keypair) | ||
| 72 | { | ||
| 73 | freezero(keypair->key_mem, keypair->key_len); | ||
| 74 | keypair->key_mem = NULL; | ||
| 75 | keypair->key_len = 0; | ||
| 76 | } | ||
| 77 | |||
| 70 | static int | 78 | static int |
| 71 | tls_keypair_set_cert_file(struct tls_keypair *keypair, struct tls_error *error, | 79 | tls_keypair_set_cert_file(struct tls_keypair *keypair, struct tls_error *error, |
| 72 | const char *cert_file) | 80 | const char *cert_file) |
| @@ -86,8 +94,7 @@ static int | |||
| 86 | tls_keypair_set_key_file(struct tls_keypair *keypair, struct tls_error *error, | 94 | tls_keypair_set_key_file(struct tls_keypair *keypair, struct tls_error *error, |
| 87 | const char *key_file) | 95 | const char *key_file) |
| 88 | { | 96 | { |
| 89 | if (keypair->key_mem != NULL) | 97 | tls_keypair_clear_key(keypair); |
| 90 | explicit_bzero(keypair->key_mem, keypair->key_len); | ||
| 91 | return tls_config_load_file(error, "key", key_file, | 98 | return tls_config_load_file(error, "key", key_file, |
| 92 | &keypair->key_mem, &keypair->key_len); | 99 | &keypair->key_mem, &keypair->key_len); |
| 93 | } | 100 | } |
| @@ -96,8 +103,7 @@ static int | |||
| 96 | tls_keypair_set_key_mem(struct tls_keypair *keypair, const uint8_t *key, | 103 | tls_keypair_set_key_mem(struct tls_keypair *keypair, const uint8_t *key, |
| 97 | size_t len) | 104 | size_t len) |
| 98 | { | 105 | { |
| 99 | if (keypair->key_mem != NULL) | 106 | tls_keypair_clear_key(keypair); |
| 100 | explicit_bzero(keypair->key_mem, keypair->key_len); | ||
| 101 | return set_mem(&keypair->key_mem, &keypair->key_len, key, len); | 107 | return set_mem(&keypair->key_mem, &keypair->key_len, key, len); |
| 102 | } | 108 | } |
| 103 | 109 | ||