Use explicit_bzero() instead of bzero() for sensitive data.

Reviewed by:	delphij
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D25441

1 files changed, 5 insertions, 5 deletions

diff --git a/sys/geom/eli/g_eli.c b/sys/geom/eli/g_eli.c
index dbfb16c27d04..5a2acd2b60c3 100644
--- a/sys/geom/eli/g_eli.c
+++ b/sys/geom/eli/g_eli.c
@@ -1126,7 +1126,7 @@ g_eli_keyfiles_clear(const char *provider)
 		data = preload_fetch_addr(keyfile);
 		size = preload_fetch_size(keyfile);
 		if (data != NULL && size != 0)
-			bzero(data, size);
+			explicit_bzero(data, size);
 	}
 }
 
@@ -1261,7 +1261,7 @@ g_eli_taste(struct g_class *mp, struct g_provider *pp, int flags __unused)
 
                         pkcs5v2_genkey(dkey, sizeof(dkey), md.md_salt,
                             sizeof(md.md_salt), passphrase, md.md_iterations);
-                        bzero(passphrase, sizeof(passphrase));
+                        explicit_bzero(passphrase, sizeof(passphrase));
                         g_eli_crypto_hmac_update(&ctx, dkey, sizeof(dkey));
                         explicit_bzero(dkey, sizeof(dkey));
                 }
@@ -1272,7 +1272,7 @@ g_eli_taste(struct g_class *mp, struct g_provider *pp, int flags __unused)
                  * Decrypt Master-Key.
                  */
                 error = g_eli_mkey_decrypt_any(&md, key, mkey, &nkey);
-                bzero(key, sizeof(key));
+                explicit_bzero(key, sizeof(key));
                 if (error == -1) {
                         if (i == tries) {
                                 G_ELI_DEBUG(0,
@@ -1305,8 +1305,8 @@ have_key:
 	 * We have correct key, let's attach provider.
 	 */
 	gp = g_eli_create(NULL, mp, pp, &md, mkey, nkey);
-	bzero(mkey, sizeof(mkey));
-	bzero(&md, sizeof(md));
+	explicit_bzero(mkey, sizeof(mkey));
+	explicit_bzero(&md, sizeof(md));
 	if (gp == NULL) {
 		G_ELI_DEBUG(0, "Cannot create device %s%s.", pp->name,
 		    G_ELI_SUFFIX);