On Sat, Feb 22, 2014 at 12:30:33AM +0000, Xin LI wrote: > Author: delphij > Date: Sat Feb 22 00:30:33 2014 > New Revision: 262318 > URL: http://svnweb.freebsd.org/changeset/base/262318 > > Log: > MFC r261618: > > In g_eli_crypto_hmac_init(), zero out after using the ipad buffer, > k_ipad. > > Note that the two consumers in geli(4) are not affected by this > issue because the way the code is constructed and as such, we > believe there is no security impact with or without this change > with geli(4)'s usage. > > Reported by: Serge van den Boom <serge vdboom.org> > Reviewed by: pjd > > Modified: > stable/10/sys/geom/eli/g_eli_crypto.c > Directory Properties: > stable/10/ (props changed) > > Modified: stable/10/sys/geom/eli/g_eli_crypto.c > ============================================================================== > --- stable/10/sys/geom/eli/g_eli_crypto.c Sat Feb 22 00:16:27 2014 > (r262317) > +++ stable/10/sys/geom/eli/g_eli_crypto.c Sat Feb 22 00:30:33 2014 > (r262318) > @@ -265,6 +265,7 @@ g_eli_crypto_hmac_init(struct hmac_ctx * > /* Perform inner SHA512. */ > SHA512_Init(&ctx->shactx); > SHA512_Update(&ctx->shactx, k_ipad, sizeof(k_ipad)); > + bzero(k_ipad, sizeof(k_ipad)); > } > > void >
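Review bot: the added bzero(k_ipad, sizeof(k_ipad)) is the last statement before the closing brace of g_eli_crypto_hmac_init(), and nothing in the visible lines reads k_ipad afterwards, so if k_ipad is a local buffer the call is a dead store that an optimizing compiler is allowed to drop. Consider routing it through a zeroing routine the compiler cannot elide, and add a one-line comment above the call saying the buffer holds key-derived material, so the call is not later removed as redundant.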
Unless k_ipad is declared volatile there is some risk an overly smart compiler will optimize this bzero() away. It might make sense for us to use a non-standard function for such zeroing operations.

-- Brooks
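The concern raised in the reply above, as an added example that is not part of the original thread and is not FreeBSD code: a pad buffer on the stack is wiped with stores made through a volatile-qualified pointer, a common way to keep the compiler from treating the zeroing as a removable dead store. The names `wipe`, `absorb`, `inner_init`, `wipe_clears` and `BLOCK_LEN` are hypothetical, and FNV-1a stands in for SHA-512 so the block is self-contained.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOCK_LEN 128 /* SHA-512 block size = HMAC pad length */

/* Hypothetical helper: stores go through a volatile lvalue, not memset(). */
void wipe(void *buf, size_t len)
{
	volatile unsigned char *p = buf;
	while (len-- > 0)
		*p++ = 0;
}

/* Constructed stand-in for the inner hash update (FNV-1a, not SHA-512). */
uint32_t absorb(const unsigned char *data, size_t len)
{
	uint32_t h = 2166136261u;
	for (size_t i = 0; i < len; i++)
		h = (h ^ data[i]) * 16777619u;
	return h;
}

/* Build key XOR 0x36 on the stack, consume it, then wipe it. */
uint32_t inner_init(const unsigned char *key, size_t keylen)
{
	unsigned char k_ipad[BLOCK_LEN];
	if (keylen > BLOCK_LEN)
		keylen = BLOCK_LEN; /* sketch only: real HMAC hashes long keys */
	memset(k_ipad, 0x36, sizeof(k_ipad));
	for (size_t i = 0; i < keylen; i++)
		k_ipad[i] ^= key[i];
	uint32_t state = absorb(k_ipad, sizeof(k_ipad));
	/* A plain bzero()/memset() here is a dead store and may be dropped. */
	wipe(k_ipad, sizeof(k_ipad));
	return state;
}

/* Returns 1 if wipe() left every byte of a pad-sized buffer at zero. */
int wipe_clears(void)
{
	unsigned char buf[BLOCK_LEN];
	memset(buf, 0xA5, sizeof(buf));
	wipe(buf, sizeof(buf));
	for (size_t i = 0; i < sizeof(buf); i++)
		if (buf[i] != 0) return 0;
	return 1;
}
int main(void) { return wipe_clears() ? 0 : 1; }
```

Whether a given build kept or dropped a plain `bzero()` in this position can be confirmed by reading the generated assembly for the function at the optimization level in use.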