From: Yu Watanabe Date: Wed, 10 Apr 2019 08:53:30 +0000 (+0900) Subject: network: explicitly clear security key for macsec X-Git-Tag: v243-rc1~561^2~6 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e48201867299b02c5c62d103f1831121999e0e3f;p=thirdparty%2Fsystemd.git network: explicitly clear security key for macsec --- diff --git a/src/network/netdev/macsec.c b/src/network/netdev/macsec.c index 89371142514..01c9beaa07f 100644 --- a/src/network/netdev/macsec.c +++ b/src/network/netdev/macsec.c @@ -21,6 +21,14 @@ #include "string-util.h" #include "util.h" +static void security_association_clear(SecurityAssociation *sa) { + if (!sa) + return; + + explicit_bzero_safe(sa->key, sa->key_len); + free(sa->key); +} + static void macsec_receive_association_free(ReceiveAssociation *c) { if (!c) return; @@ -29,7 +37,7 @@ static void macsec_receive_association_free(ReceiveAssociation *c) { ordered_hashmap_remove(c->macsec->receive_associations_by_section, c->section); network_config_section_free(c->section); - free(c->sa.key); + security_association_clear(&c->sa); free(c); } @@ -162,7 +170,7 @@ static void macsec_transmit_association_free(TransmitAssociation *a) { ordered_hashmap_remove(a->macsec->transmit_associations_by_section, a->section); network_config_section_free(a->section); - free(a->sa.key); + security_association_clear(&a->sa); free(a); } @@ -707,7 +715,7 @@ int config_parse_macsec_key( dest = a ? &a->sa : &b->sa; - r = unhexmem(rvalue, strlen(rvalue), &p, &l); + r = unhexmem_full(rvalue, strlen(rvalue), true, &p, &l); if (r < 0) { log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse key. Ignoring assignment: %m"); @@ -715,6 +723,7 @@ int config_parse_macsec_key( } if (l != 16) { /* See DEFAULT_SAK_LEN in drivers/net/macsec.c */ + explicit_bzero_safe(p, l); log_syntax(unit, LOG_ERR, filename, line, 0, "Invalid key length (%zu). Ignoring assignment", l); return 0;