9642 PKCS#11 softtoken should use explicit_bzero
Reviewed by: Dan McDonald <danmcd@joyent.com>
Reviewed by: Alex Wilson <alex.wilson@joyent.com>

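--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softSSL.c
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softSSL.c
@@ -14,20 +14,21 @@
  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  * If applicable, add the following below this CDDL HEADER, with the
  * fields enclosed by brackets "[]" replaced with your own identifying
  * information: Portions Copyright [yyyy] [name of copyright owner]
  *
  * CDDL HEADER END
  */
 /*
  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
+ * Copyright 2018, Joyent, Inc.
  */
 
 #include <fcntl.h>
 #include <strings.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <sys/sha1.h>
 #include <sys/md5.h>
 #include <sys/sysmacros.h>
 #include <security/cryptoki.h>
@@ -918,22 +919,21 @@
         /* Finally, the IVs */
         if (iv_bytes > 0) {
                 bcopy(kb, kmo->pIVClient, iv_bytes);
                 kb += iv_bytes;
                 bcopy(kb, kmo->pIVServer, iv_bytes);
         }
 
         if (new_tmpl_allocated)
                 free(new_tmpl);
 
-        if (export_keys != NULL)
-                free(export_keys);
+        freezero(export_keys, 2 * MD5_HASH_SIZE);
 
         return (rv);
 
 out_err:
         if (kmo->hClientMacSecret != CK_INVALID_HANDLE) {
                 (void) soft_delete_derived_key(sp,
                     (soft_object_t *)(kmo->hClientMacSecret));
                 kmo->hClientMacSecret = CK_INVALID_HANDLE;
         }
         if (kmo->hServerMacSecret != CK_INVALID_HANDLE) {
@@ -948,22 +948,21 @@
         }
         if (kmo->hServerKey != CK_INVALID_HANDLE) {
                 (void) soft_delete_derived_key(sp,
                     (soft_object_t *)(kmo->hServerKey));
                 kmo->hServerKey = CK_INVALID_HANDLE;
         }
 
         if (new_tmpl_allocated)
                 free(new_tmpl);
 
-        if (export_keys != NULL)
-                free(export_keys);
+        freezero(export_keys, 2 * MD5_HASH_SIZE);
 
         return (rv);
 }
 
 /*
  * Add the derived key to the session, and, if it's a token object,
  * write it to the token.
  */
 static CK_RV
 soft_add_derived_key(CK_ATTRIBUTE_PTR tmpl, CK_ULONG attrcount,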
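Review bot: The length in `freezero(export_keys, 2 * MD5_HASH_SIZE)` at new lines 929 and 958 is written out as a literal expression at both sites, and the allocation of `export_keys` lies in the elided part of the function, so nothing visible ties the wiped length to the allocated one. If the two ever diverge, a length that is too small leaves export key material in freed heap memory, and one that is too large zeroes past the end of the allocation. I would name the size once, for example `const size_t export_keys_len = 2 * MD5_HASH_SIZE;`, and use it for the allocation and both `freezero()` calls. Dropping the `!= NULL` guard presumably relies on `freezero()` treating a NULL pointer as a no-op the way `free()` does; a short comment such as `/* freezero(NULL, n) is a no-op */` would record that for the error path, where `export_keys` may never have been allocated. The enclosing function begins outside the visible hunks, so whether the key block that `kb` walks is also wiped cannot be confirmed from here.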