Cleanse KBPK buffer in tr31-tool

leonlynch · leonlynch · commit c80d0e18a591 · 2025-09-28T14:19:28.000+02:00
This is mostly to make security scanning tools happy. Although the tr31
library is intended for actual security products and cleanses sensitive
buffers accordingly, tr31-tool is intended for debugging and development
that doesn't involve live cryptographic keys.
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
@@ -1,5 +1,5 @@
 ##############################################################################
-# Copyright 2020-2023 Leon Lynch
+# Copyright 2020-2023, 2025 Leon Lynch
 #
 # This file is licensed under the terms of the LGPL v2.1 license.
 # See LICENSE file.
@@ -154,7 +154,7 @@ install(
 # TR-31 command line tool
 if(BUILD_TR31_TOOL)
 	add_executable(tr31-tool tr31-tool.c)
-	target_link_libraries(tr31-tool PRIVATE tr31)
+	target_link_libraries(tr31-tool PRIVATE crypto_mem tr31)
 	if(TARGET libargp::argp)
 		target_link_libraries(tr31-tool PRIVATE libargp::argp)
 	endif()
diff --git a/src/tr31-tool.c b/src/tr31-tool.c
@@ -21,6 +21,8 @@
 #include "tr31.h"
 #include "tr31_strings.h"
 
+#include "crypto_mem.h"
+
 #include <stddef.h>
 #include <stdbool.h>
 #include <stdint.h>
@@ -1541,6 +1543,9 @@ int main(int argc, char** argv)
 		options.export_opt_block_CT = NULL;
 		options.export_opt_block_CT_count = 0;
 	}
+	if (options.kbpk) {
+		crypto_cleanse(options.kbpk_buf, sizeof(options.kbpk_buf));
+	}
 
 	return r;
 }
