From: Luca Boccassi
Date: Fri, 27 Mar 2026 23:45:20 +0000 (+0000)
Subject: cryptenroll: harden some variables with erasure on cleanup
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=07167cefd6fdd11af58c5f2f6a760e0153cebcbf;p=thirdparty%2Fsystemd.git
cryptenroll: harden some variables with erasure on cleanup
This doesn't really matter as it runs in user contexts, but follow good practice and mark all variables containing secrets for erasure on cleanup
Reported on yeswehack.com as YWH-PGM9780-170
---
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index fbf87d8d5a0..dc062117b41 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -4928,7 +4928,7 @@ static int tpm2_kdfa(
 if (!hash_alg_name)
 return -EOPNOTSUPP;
- _cleanup_free_ void *buf = NULL;
+ _cleanup_(erase_and_freep) void *buf = NULL;
 r = kdf_kb_hmac_derive(
 "COUNTER",
 hash_alg_name,
@@ -5006,7 +5006,7 @@ static int tpm2_kdfe(
 /* assert we copied exactly the right amount that we allocated */
 assert(end > info && (uintptr_t) end - (uintptr_t) info == info_len);
- _cleanup_free_ void *buf = NULL;
+ _cleanup_(erase_and_freep) void *buf = NULL;
 r = kdf_ss_derive(
 hash_alg_name,
 shared_secret,
@@ -5093,7 +5093,7 @@ static int tpm2_calculate_seal_private(
 log_debug("Calculating private part of sealed object.");
- _cleanup_free_ void *storage_key = NULL;
+ _cleanup_(erase_and_freep) void *storage_key = NULL;
 size_t storage_key_size;
 r = tpm2_kdfa(parent->publicArea.nameAlg,
 seed->buffer,
@@ -5113,7 +5113,7 @@ static int tpm2_calculate_seal_private(
 size_t bits = (size_t) r * 8;
- _cleanup_free_ void *integrity_key = NULL;
+ _cleanup_(erase_and_freep) void *integrity_key = NULL;
 size_t integrity_key_size;
 r = tpm2_kdfa(parent->publicArea.nameAlg,
 seed->buffer,
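Review bot: The erase length for `buf` now depends on the allocator behind `kdf_kb_hmac_derive`: `erase_and_freep` presumably sizes the wipe from the malloc'd block and then calls `free()`, so the cleanup is only correct if the derive helper hands back a plain `malloc()` buffer rather than one from OpenSSL's allocator. The old `_cleanup_free_` attribute had the same requirement for the `free()` half, so the hunk does not make it worse, but the helper's ownership and allocator contract is not visible here and deserves a comment at the declaration, e.g. `/* kdf_kb_hmac_derive() returns a malloc()ed buffer; erased on cleanup since it holds the derived key */`. The same applies to `buf` from `kdf_ss_derive` in the 5006 hunk and to `shared_secret` from `ecc_ecdh` in the 5321 hunk. tpm2_kdfa's body continues outside the hunk.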
@@ -5128,6 +5128,7 @@ static int tpm2_calculate_seal_private(
 return log_debug_errno(r, "Could not calculate integrity key KDFa: %m");
 TPM2B_AUTH auth = {};
+ CLEANUP_ERASE(auth);
 if (pin) {
 r = tpm2_auth_value_from_pin(parent->publicArea.nameAlg, pin, &auth);
 if (r < 0)
@@ -5143,8 +5144,9 @@ static int tpm2_calculate_seal_private(
 .sensitive.bits = TPM2B_SENSITIVE_DATA_MAKE(secret, secret_size),
 },
 };
+ CLEANUP_ERASE(sensitive);
- _cleanup_free_ void *marshalled_sensitive = malloc(sizeof(sensitive));
+ _cleanup_(erase_and_freep) void *marshalled_sensitive = malloc(sizeof(sensitive));
 if (!marshalled_sensitive)
 return log_oom_debug();
@@ -5251,7 +5253,7 @@ static int tpm2_calculate_seal_rsa_seed(
 size_t seed_size = (size_t) r;
- _cleanup_free_ void *seed = malloc(seed_size);
+ _cleanup_(erase_and_freep) void *seed = malloc(seed_size);
 if (!seed)
 return log_oom_debug();
@@ -5321,7 +5323,7 @@ static int tpm2_calculate_seal_ecc_seed(
 if (r < 0)
 return r;
- _cleanup_free_ void *shared_secret = NULL;
+ _cleanup_(erase_and_freep) void *shared_secret = NULL;
 size_t shared_secret_size;
 r = ecc_ecdh(pkey, parent_pkey, &shared_secret, &shared_secret_size);
 if (r < 0)
@@ -5362,7 +5364,7 @@ static int tpm2_calculate_seal_ecc_seed(
 size_t bits = (size_t) r * 8;
- _cleanup_free_ void *seed = NULL;
+ _cleanup_(erase_and_freep) void *seed = NULL;
 size_t seed_size = 0; /* Explicit initialization to appease gcc */
 r = tpm2_kdfe(parent->publicArea.nameAlg,
 shared_secret,
@@ -5399,7 +5401,8 @@ static int tpm2_calculate_seal_seed(
 log_debug("Calculating encrypted seed for sealed object.");
- _cleanup_free_ void *seed = NULL, *encrypted_seed = NULL;
+ _cleanup_(erase_and_freep) void *seed = NULL;
+ _cleanup_free_ void *encrypted_seed = NULL;
 size_t seed_size = 0, encrypted_seed_size = 0; /* Explicit initialization to appease gcc */
 if (parent->publicArea.type == TPM2_ALG_RSA)
 r = tpm2_calculate_seal_rsa_seed(parent, &seed, &seed_size, &encrypted_seed, &encrypted_seed_size);
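Review bot: The split declaration in the 5399 hunk leaves `encrypted_seed` as `_cleanup_free_` while `seed` is erased, and the reason (the encrypted copy is ciphertext intended to leave the function) is not stated; a short comment would stop a later reader from "fixing" the asymmetry, e.g. `_cleanup_free_ void *encrypted_seed = NULL; /* ciphertext, not secret: no erasure needed */`. Note also that `seed` is filled through an out-parameter by `tpm2_calculate_seal_rsa_seed` / `tpm2_calculate_seal_ecc_seed`, so erasure of the right length relies on those callees allocating with `malloc()`; the 5251 hunk shows that for the RSA path, while the ECC path's allocation of `seed` lies outside the visible hunks and should be confirmed. tpm2_calculate_seal_seed's body continues outside the hunk.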