aboutsummaryrefslogtreecommitdiffstats
path: root/crypto/sha256_generic.c
diff options
context:
space:
mode:
authorDaniel Borkmann <dborkman@redhat.com>2014-09-07 17:23:38 -0400
committerTheodore Ts'o <tytso@mit.edu>2014-10-17 11:44:07 -0400
commit7185ad2672a7d50bc384de0e38d90b75d99f3d82 (patch)
treebfad2f926347d9f23bc1e014ab347192e7592661 /crypto/sha256_generic.c
parentd4c5efdb97773f59a2b711754ca0953f24516739 (diff)
crypto: memzero_explicit - make sure to clear out sensitive data
Recently, in commit 13aa93c70e71 ("random: add and use memzero_explicit() for clearing data"), we have found that GCC may optimize some memset() cases away when it detects a stack variable is not being used anymore and going out of scope. This can happen, for example, in cases when we are clearing out sensitive information such as keying material or any e.g. intermediate results from crypto computations, etc. With the help of Coccinelle, we can figure out and fix such occurences in the crypto subsytem as well. Julia Lawall provided the following Coccinelle program: @@ type T; identifier x; @@ T x; ... when exists when any -memset +memzero_explicit (&x, -0, ...) ... when != x when strict @@ type T; identifier x; @@ T x[...]; ... when exists when any -memset +memzero_explicit (x, -0, ...) ... when != x when strict Therefore, make use of the drop-in replacement memzero_explicit() for exactly such cases instead of using memset(). Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Cc: Julia Lawall <julia.lawall@lip6.fr> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Theodore Ts'o <tytso@mit.edu> Cc: Hannes Frederic Sowa <hannes@stressinduktion.org> Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Diffstat (limited to 'crypto/sha256_generic.c')
-rw-r--r--crypto/sha256_generic.c5
1 files changed, 2 insertions, 3 deletions
diff --git a/crypto/sha256_generic.c b/crypto/sha256_generic.c
index 543366779524..32c5e5ea205a 100644
--- a/crypto/sha256_generic.c
+++ b/crypto/sha256_generic.c
@@ -210,10 +210,9 @@ static void sha256_transform(u32 *state, const u8 *input)
210 210
211 /* clear any sensitive info... */ 211 /* clear any sensitive info... */
212 a = b = c = d = e = f = g = h = t1 = t2 = 0; 212 a = b = c = d = e = f = g = h = t1 = t2 = 0;
213 memset(W, 0, 64 * sizeof(u32)); 213 memzero_explicit(W, 64 * sizeof(u32));
214} 214}
215 215
216
217static int sha224_init(struct shash_desc *desc) 216static int sha224_init(struct shash_desc *desc)
218{ 217{
219 struct sha256_state *sctx = shash_desc_ctx(desc); 218 struct sha256_state *sctx = shash_desc_ctx(desc);
@@ -316,7 +315,7 @@ static int sha224_final(struct shash_desc *desc, u8 *hash)
316 sha256_final(desc, D); 315 sha256_final(desc, D);
317 316
318 memcpy(hash, D, SHA224_DIGEST_SIZE); 317 memcpy(hash, D, SHA224_DIGEST_SIZE);
319 memset(D, 0, SHA256_DIGEST_SIZE); 318 memzero_explicit(D, SHA256_DIGEST_SIZE);
320 319
321 return 0; 320 return 0;
322} 321}