diff --git a/lib/libstand/Makefile b/lib/libstand/Makefile index d14189ed48d..853db97aa4b 100644 --- a/lib/libstand/Makefile +++ b/lib/libstand/Makefile @@ -155,5 +155,9 @@ SRCS+= pkgfs.c SRCS+= nandfs.c .endif +# explicit_bzero +.PATH: ${SRCTOP}/sys/libkern +SRCS+= explicit_bzero.c + .include .include diff --git a/sys/boot/geli/Makefile b/sys/boot/geli/Makefile index 7f7ad355c86..f5ab2432903 100644 --- a/sys/boot/geli/Makefile +++ b/sys/boot/geli/Makefile @@ -24,10 +24,6 @@ WARNS?= 0 .PATH: ${.CURDIR}/../../../lib/libc/string SRCS+= bcmp.c bcopy.c bzero.c -# need explicit_bzero for crypto -.PATH: ${.CURDIR}/../../../sys/libkern -SRCS+= explicit_bzero.c - # Our password input method SRCS+= pwgets.c diff --git a/sys/boot/geli/geliboot.c b/sys/boot/geli/geliboot.c index f9a128cb667..5e920fcc708 100644 --- a/sys/boot/geli/geliboot.c +++ b/sys/boot/geli/geliboot.c @@ -173,19 +173,19 @@ geli_attach(struct dsk *dskp, const char *passphrase) sizeof(geli_e->md.md_salt), passphrase, geli_e->md.md_iterations); g_eli_crypto_hmac_update(&ctx, dkey, sizeof(dkey)); - bzero(&dkey, sizeof(dkey)); + explicit_bzero(dkey, sizeof(dkey)); } g_eli_crypto_hmac_final(&ctx, key, 0); error = g_eli_mkey_decrypt(&geli_e->md, key, mkey, &keynum); - bzero(&key, sizeof(key)); + explicit_bzero(key, sizeof(key)); if (error == -1) { - bzero(&mkey, sizeof(mkey)); + explicit_bzero(mkey, sizeof(mkey)); printf("Bad GELI key: %d\n", error); return (error); } else if (error != 0) { - bzero(&mkey, sizeof(mkey)); + explicit_bzero(mkey, sizeof(mkey)); printf("Failed to decrypt GELI master key: %d\n", error); return (error); } @@ -203,7 +203,7 @@ geli_attach(struct dsk *dskp, const char *passphrase) g_eli_crypto_hmac(mkp, G_ELI_MAXKEYLEN, "\x10", 1, geli_e->sc.sc_ekey, 0); } - bzero(&mkey, sizeof(mkey)); + explicit_bzero(mkey, sizeof(mkey)); /* Initialize the per-sector IV. */ switch (geli_e->sc.sc_ealgo) { @@ -279,13 +279,13 @@ geli_read(struct dsk *dskp, off_t offset, u_char *buf, size_t bytes) geli_e->sc.sc_ekeylen, iv); if (error != 0) { - bzero(&gkey, sizeof(gkey)); + explicit_bzero(&gkey, sizeof(gkey)); printf("Failed to decrypt in geli_read()!"); return (error); } pbuf += secsize; } - bzero(&gkey, sizeof(gkey)); + explicit_bzero(&gkey, sizeof(gkey)); return (0); } diff --git a/sys/boot/geli/geliboot.h b/sys/boot/geli/geliboot.h index 83df1529571..7802719a76b 100644 --- a/sys/boot/geli/geliboot.h +++ b/sys/boot/geli/geliboot.h @@ -36,6 +36,7 @@ #define _STRING_H_ #define _STRINGS_H_ #define _STDIO_H_ + #include #include diff --git a/sys/boot/geli/geliboot_crypto.c b/sys/boot/geli/geliboot_crypto.c index 23d58ffebd1..83765823d9c 100644 --- a/sys/boot/geli/geliboot_crypto.c +++ b/sys/boot/geli/geliboot_crypto.c @@ -110,7 +110,7 @@ g_eli_crypto_cipher(u_int algo, int enc, u_char *data, size_t datasize, { u_char iv[keysize]; - bzero(iv, sizeof(iv)); + explicit_bzero(iv, sizeof(iv)); return (geliboot_crypt(algo, enc, data, datasize, key, keysize, iv)); } diff --git a/sys/boot/i386/gptboot/gptboot.c b/sys/boot/i386/gptboot/gptboot.c index a8a99e8bb46..714f4558b24 100644 --- a/sys/boot/i386/gptboot/gptboot.c +++ b/sys/boot/i386/gptboot/gptboot.c @@ -481,7 +481,7 @@ load(void) #ifdef LOADER_GELI_SUPPORT geliargs.size = sizeof(geliargs); bcopy(gelipw, geliargs.gelipw, sizeof(geliargs.gelipw)); - bzero(gelipw, sizeof(gelipw)); + explicit_bzero(gelipw, sizeof(gelipw)); #endif __exec((caddr_t)addr, RB_BOOTINFO | (opts & RBX_MASK), MAKEBOOTDEV(dev_maj[dsk.type], dsk.part + 1, dsk.unit, 0xff), diff --git a/sys/boot/i386/loader/main.c b/sys/boot/i386/loader/main.c index 9b034ab96b8..4ff1a299443 100644 --- a/sys/boot/i386/loader/main.c +++ b/sys/boot/i386/loader/main.c @@ -175,7 +175,7 @@ main(void) if (zargs != NULL && zargs->size >= offsetof(struct zfs_boot_args, gelipw)) { if (zargs->gelipw[0] != '\0') { setenv("kern.geom.eli.passphrase", zargs->gelipw, 1); - bzero(zargs->gelipw, sizeof(zargs->gelipw)); + explicit_bzero(zargs->gelipw, sizeof(zargs->gelipw)); } } } @@ -187,7 +187,7 @@ main(void) if (gargs != NULL && gargs->size >= offsetof(struct geli_boot_args, gelipw)) { if (gargs->gelipw[0] != '\0') { setenv("kern.geom.eli.passphrase", gargs->gelipw, 1); - bzero(gargs->gelipw, sizeof(gargs->gelipw)); + explicit_bzero(gargs->gelipw, sizeof(gargs->gelipw)); } } } diff --git a/sys/boot/i386/zfsboot/zfsboot.c b/sys/boot/i386/zfsboot/zfsboot.c index bb64384fadc..cc19e004cb2 100644 --- a/sys/boot/i386/zfsboot/zfsboot.c +++ b/sys/boot/i386/zfsboot/zfsboot.c @@ -926,7 +926,7 @@ load(void) zfsargs.primary_pool = primary_spa->spa_guid; #ifdef LOADER_GELI_SUPPORT bcopy(gelipw, zfsargs.gelipw, sizeof(zfsargs.gelipw)); - bzero(gelipw, sizeof(gelipw)); + explicit_bzero(gelipw, sizeof(gelipw)); #else zfsargs.gelipw[0] = '\0'; #endif