author | 2021-03-15 17:47:34 +1100 | |
---|---|---|
committer | 2021-04-04 16:21:39 +1000 | |
commit | da68246e62826bc7bc4ff2d3230a1f9a85bdfaae (patch) | |
tree | 338f70dc9520932009208e2749056606cf15b495 | |
parent | Add a guard page between I/O virtual address space allocations. The idea (diff) | |
Add noise_local_deinit to zero private keys
-rw-r--r-- | sys/net/if_wg.c | 1 | ||||
-rw-r--r-- | sys/net/wg_noise.c | 8 | ||||
-rw-r--r-- | sys/net/wg_noise.h | 1 |
3 files changed, 10 insertions, 0 deletions
diff --git a/sys/net/if_wg.c b/sys/net/if_wg.c
index 7bdf5ff36c6..877c6d41c43 100644
--- a/sys/net/if_wg.c
+++ b/sys/net/if_wg.c
@@ -2728,6 +2728,7 @@ wg_clone_destroy(struct ifnet *ifp)
 #endif
 free(sc->sc_aip4, M_RTABLE, sizeof(*sc->sc_aip4));
 cookie_checker_deinit(&sc->sc_cookie);
+ noise_local_deinit(&sc->sc_local);
 free(sc, M_DEVBUF, sizeof(*sc));
 return 0;
 }
diff --git a/sys/net/wg_noise.c b/sys/net/wg_noise.c
index 47552229b8a..06e12a302ce 100644
--- a/sys/net/wg_noise.c
+++ b/sys/net/wg_noise.c
@@ -90,6 +90,14 @@ noise_local_init(struct noise_local *l, struct noise_upcall *upcall)
 }

 void
+noise_local_deinit(struct noise_local *l)
+{
+ l->l_has_identity = 0;
+ explicit_bzero(&l->l_public, sizeof(l->l_public));
+ explicit_bzero(&l->l_private, sizeof(l->l_private));
+}
+
+void
 noise_local_lock_identity(struct noise_local *l)
 {
 rw_enter_write(&l->l_identity_lock);
diff --git a/sys/net/wg_noise.h b/sys/net/wg_noise.h
index 5bcc156739c..73349c78f8b 100644
--- a/sys/net/wg_noise.h
+++ b/sys/net/wg_noise.h
@@ -125,6 +125,7 @@ struct noise_local {

 /* Set/Get noise parameters */
 void noise_local_init(struct noise_local *, struct noise_upcall *);
+void noise_local_deinit(struct noise_local *);
 void noise_local_lock_identity(struct noise_local *);
 void noise_local_unlock_identity(struct noise_local *);
 int noise_local_set_private(struct noise_local *, uint8_t[NOISE_PUBLIC_KEY_LEN]); |
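Review bot: The new `noise_local_deinit(&sc->sc_local);` call in wg_clone_destroy has no comment saying why it must run before `free(sc, M_DEVBUF, sizeof(*sc));`, so a later reordering or an added early return could silently drop the key scrub. A one-line comment above the call would pin the intent, e.g. `/* scrub the static key pair before the softc memory is returned to the allocator */`. The body of wg_clone_destroy starts outside this hunk, so whether every exit path reaches this line cannot be confirmed from here.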
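Review bot: noise_local_deinit in sys/net/wg_noise.c clears `l_has_identity`, `l_public` and `l_private` without taking `l_identity_lock`, while noise_local_lock_identity directly below takes that lock for writers. If this is safe because the only caller is the teardown path, where nothing else can still reach the struct, state that contract in a header comment such as `/* Teardown only: caller guarantees no concurrent users of l. */`. Only the two key fields are scrubbed; the rest of struct noise_local is not visible in this hunk, so it is worth confirming that no other member caches key-derived data.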