Add explicit_bzero() to libstand, and switch GELIBoot to using it

Make sure sensitive memory is properly cleared when finished with it Reviewed by: Eric McCorkle <eric@metricspace.net> Sponsored by: ScaleEngine Inc. Differential Revision: https://reviews.freebsd.org/D9798
svn path=/head/; revision=316311
2024-12-15 10:17:20 +00:00 · 2017-03-31 00:04:32 +00:00 · 2017-03-31 00:04:32 +00:00 · 9f67bd210a · 2020-12-20 02:59:44 +00:00
commit 9f67bd210a
parent 24d089f6cf
8 changed files with 17 additions and 16 deletions
--- a/lib/libstand/Makefile
+++ b/lib/libstand/Makefile
@ -155,5 +155,9 @@ SRCS+=	pkgfs.c
 SRCS+=	nandfs.c
 .endif

+# explicit_bzero
+.PATH: ${SRCTOP}/sys/libkern
+SRCS+=  explicit_bzero.c
+
 .include <bsd.stand.mk>
 .include <bsd.lib.mk>
--- a/sys/boot/geli/Makefile
+++ b/sys/boot/geli/Makefile
@ -24,10 +24,6 @@ WARNS?=		0
 .PATH: ${.CURDIR}/../../../lib/libc/string
 SRCS+=  bcmp.c bcopy.c bzero.c

-# need explicit_bzero for crypto
-.PATH: ${.CURDIR}/../../../sys/libkern
-SRCS+=  explicit_bzero.c
-
 # Our password input method
 SRCS+=  pwgets.c

--- a/sys/boot/geli/geliboot.c
+++ b/sys/boot/geli/geliboot.c
@ -173,19 +173,19 @@ geli_attach(struct dsk *dskp, const char *passphrase)
 			    sizeof(geli_e->md.md_salt), passphrase,
 			    geli_e->md.md_iterations);
 			g_eli_crypto_hmac_update(&ctx, dkey, sizeof(dkey));
-			bzero(&dkey, sizeof(dkey));
+			explicit_bzero(dkey, sizeof(dkey));
 		}

 		g_eli_crypto_hmac_final(&ctx, key, 0);

 		error = g_eli_mkey_decrypt(&geli_e->md, key, mkey, &keynum);
-		bzero(&key, sizeof(key));
+		explicit_bzero(key, sizeof(key));
 		if (error == -1) {
-			bzero(&mkey, sizeof(mkey));
+			explicit_bzero(mkey, sizeof(mkey));
 			printf("Bad GELI key: %d\n", error);
 			return (error);
 		} else if (error != 0) {
-			bzero(&mkey, sizeof(mkey));
+			explicit_bzero(mkey, sizeof(mkey));
 			printf("Failed to decrypt GELI master key: %d\n", error);
 			return (error);
 		}
@ -203,7 +203,7 @@ geli_attach(struct dsk *dskp, const char *passphrase)
 			g_eli_crypto_hmac(mkp, G_ELI_MAXKEYLEN, "\x10", 1,
 			    geli_e->sc.sc_ekey, 0);
 		}
-		bzero(&mkey, sizeof(mkey));
+		explicit_bzero(mkey, sizeof(mkey));

 		/* Initialize the per-sector IV. */
 		switch (geli_e->sc.sc_ealgo) {
@ -279,13 +279,13 @@ geli_read(struct dsk *dskp, off_t offset, u_char *buf, size_t bytes)
 			    geli_e->sc.sc_ekeylen, iv);

 			if (error != 0) {
-				bzero(&gkey, sizeof(gkey));
+				explicit_bzero(&gkey, sizeof(gkey));
 				printf("Failed to decrypt in geli_read()!");
 				return (error);
 			}
 			pbuf += secsize;
 		}
-		bzero(&gkey, sizeof(gkey));
+		explicit_bzero(&gkey, sizeof(gkey));
 		return (0);
 	}

--- a/sys/boot/geli/geliboot.h
+++ b/sys/boot/geli/geliboot.h
@ -36,6 +36,7 @@
 #define _STRING_H_
 #define _STRINGS_H_
 #define _STDIO_H_
+
 #include <geom/eli/g_eli.h>
 #include <geom/eli/pkcs5v2.h>

--- a/sys/boot/geli/geliboot_crypto.c
+++ b/sys/boot/geli/geliboot_crypto.c
@ -110,7 +110,7 @@ g_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize,
 {
 	u_char iv[keysize];

-	bzero(iv, sizeof(iv));
+	explicit_bzero(iv, sizeof(iv));
 	return (geliboot_crypt(algo, enc, data, datasize, key, keysize, iv));
 }

--- a/sys/boot/i386/gptboot/gptboot.c
+++ b/sys/boot/i386/gptboot/gptboot.c
@ -481,7 +481,7 @@ load(void)
 #ifdef LOADER_GELI_SUPPORT
    geliargs.size = sizeof(geliargs);
    bcopy(gelipw, geliargs.gelipw, sizeof(geliargs.gelipw));
-    bzero(gelipw, sizeof(gelipw));
+    explicit_bzero(gelipw, sizeof(gelipw));
 #endif
    __exec((caddr_t)addr, RB_BOOTINFO | (opts & RBX_MASK),
 	   MAKEBOOTDEV(dev_maj[dsk.type], dsk.part + 1, dsk.unit, 0xff),
--- a/sys/boot/i386/loader/main.c
+++ b/sys/boot/i386/loader/main.c
@ -175,7 +175,7 @@ main(void)
 	if (zargs != NULL && zargs->size >= offsetof(struct zfs_boot_args, gelipw)) {
 	    if (zargs->gelipw[0] != '\0') {
 		setenv("kern.geom.eli.passphrase", zargs->gelipw, 1);
-		bzero(zargs->gelipw, sizeof(zargs->gelipw));
+		explicit_bzero(zargs->gelipw, sizeof(zargs->gelipw));
 	    }
 	}
    }
@ -187,7 +187,7 @@ main(void)
 	if (gargs != NULL && gargs->size >= offsetof(struct geli_boot_args, gelipw)) {
 	    if (gargs->gelipw[0] != '\0') {
 		setenv("kern.geom.eli.passphrase", gargs->gelipw, 1);
-		bzero(gargs->gelipw, sizeof(gargs->gelipw));
+		explicit_bzero(gargs->gelipw, sizeof(gargs->gelipw));
 	    }
 	}
    }
--- a/sys/boot/i386/zfsboot/zfsboot.c
+++ b/sys/boot/i386/zfsboot/zfsboot.c
@ -926,7 +926,7 @@ load(void)
    zfsargs.primary_pool = primary_spa->spa_guid;
 #ifdef LOADER_GELI_SUPPORT
    bcopy(gelipw, zfsargs.gelipw, sizeof(zfsargs.gelipw));
-    bzero(gelipw, sizeof(gelipw));
+    explicit_bzero(gelipw, sizeof(gelipw));
 #else
    zfsargs.gelipw[0] = '\0';
 #endif