crypto: memzero_explicit - make sure to clear out sensitive data

Recently, in commit 13aa93c70e71 ("random: add and use memzero_explicit() for clearing data"), we have found that GCC may optimize some memset() cases away when it detects a stack variable is not being used anymore and going out of scope. This can happen, for example, in cases when we are clearing out sensitive information such as keying material or any e.g. intermediate results from crypto computations, etc. With the help of Coccinelle, we can figure out and fix such occurences in the crypto subsytem as well. Julia Lawall provided the following Coccinelle program: @@ type T; identifier x; @@ T x; ... when exists when any -memset +memzero_explicit (&x, -0, ...) ... when != x when strict @@ type T; identifier x; @@ T x[...]; ... when exists when any -memset +memzero_explicit (x, -0, ...) ... when != x when strict Therefore, make use of the drop-in replacement memzero_explicit() for exactly such cases instead of using memset(). Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Cc: Julia Lawall <julia.lawall@lip6.fr> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Theodore Ts'o <tytso@mit.edu> Cc: Hannes Frederic Sowa <hannes@stressinduktion.org> Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
author: Daniel Borkmann <dborkman@redhat.com> 2014-09-07 17:23:38 -0400
committer: Theodore Ts'o <tytso@mit.edu> 2014-10-17 11:44:07 -0400
commit: 7185ad2672a7d50bc384de0e38d90b75d99f3d82 (patch)
tree: bfad2f926347d9f23bc1e014ab347192e7592661 /crypto
parent: d4c5efdb97773f59a2b711754ca0953f24516739 (diff)
7 files changed, 13 insertions, 13 deletions
diff --git a/crypto/cts.c b/crypto/cts.c
index 042223f8e733..133f0874c95e 100644
--- a/crypto/cts.c
+++ b/crypto/cts.c
@@ -202,7 +202,8 @@ static int cts_cbc_decrypt(struct crypto_cts_ctx *ctx,
        /* 5. Append the tail (BB - Ln) bytes of Xn (tmp) to Cn to create En */
        memcpy(s + bsize + lastn, tmp + lastn, bsize - lastn);
        /* 6. Decrypt En to create Pn-1 */
-        memset(iv, 0, sizeof(iv));
+        memzero_explicit(iv, sizeof(iv));
        sg_set_buf(&sgsrc[0], s + bsize, bsize);
        sg_set_buf(&sgdst[0], d, bsize);
        err = crypto_blkcipher_decrypt_iv(&lcldesc, sgdst, sgsrc, bsize);
diff --git a/crypto/sha1_generic.c b/crypto/sha1_generic.c
index 42794803c480..7bb047432782 100644
--- a/crypto/sha1_generic.c
+++ b/crypto/sha1_generic.c
@@ -64,7 +64,7 @@ int crypto_sha1_update(struct shash_desc *desc, const u8 *data,
                        src = data + done;
                } while (done + SHA1_BLOCK_SIZE <= len);
-                memset(temp, 0, sizeof(temp));
+                memzero_explicit(temp, sizeof(temp));
                partial = 0;
        }
        memcpy(sctx->buffer + partial, src, len - done);
diff --git a/crypto/sha256_generic.c b/crypto/sha256_generic.c
index 543366779524..32c5e5ea205a 100644
--- a/crypto/sha256_generic.c
+++ b/crypto/sha256_generic.c
@@ -210,10 +210,9 @@ static void sha256_transform(u32 *state, const u8 *input)
        /* clear any sensitive info... */
        a = b = c = d = e = f = g = h = t1 = t2 = 0;
-        memset(W, 0, 64 * sizeof(u32));
+        memzero_explicit(W, 64 * sizeof(u32));
 }
 static int sha224_init(struct shash_desc *desc)
 {
        struct sha256_state *sctx = shash_desc_ctx(desc);
@@ -316,7 +315,7 @@ static int sha224_final(struct shash_desc *desc, u8 *hash)
        sha256_final(desc, D);
        memcpy(hash, D, SHA224_DIGEST_SIZE);
-        memset(D, 0, SHA256_DIGEST_SIZE);
+        memzero_explicit(D, SHA256_DIGEST_SIZE);
        return 0;
 }
diff --git a/crypto/sha512_generic.c b/crypto/sha512_generic.c
index 6ed124f3ea0f..04d295a8bc08 100644
--- a/crypto/sha512_generic.c
+++ b/crypto/sha512_generic.c
@@ -238,7 +238,7 @@ static int sha384_final(struct shash_desc *desc, u8 *hash)
        sha512_final(desc, D);
        memcpy(hash, D, 48);
-        memset(D, 0, 64);
+        memzero_explicit(D, 64);
        return 0;
 }
diff --git a/crypto/tgr192.c b/crypto/tgr192.c
index 87403556fd0b..3c7af0d1ff7a 100644
--- a/crypto/tgr192.c
+++ b/crypto/tgr192.c
@@ -612,7 +612,7 @@ static int tgr160_final(struct shash_desc *desc, u8 * out)
        tgr192_final(desc, D);
        memcpy(out, D, TGR160_DIGEST_SIZE);
-        memset(D, 0, TGR192_DIGEST_SIZE);
+        memzero_explicit(D, TGR192_DIGEST_SIZE);
        return 0;
 }
@@ -623,7 +623,7 @@ static int tgr128_final(struct shash_desc *desc, u8 * out)
        tgr192_final(desc, D);
        memcpy(out, D, TGR128_DIGEST_SIZE);
-        memset(D, 0, TGR192_DIGEST_SIZE);
+        memzero_explicit(D, TGR192_DIGEST_SIZE);
        return 0;
 }
diff --git a/crypto/vmac.c b/crypto/vmac.c
index 2eb11a30c29c..d84c24bd7ff7 100644
--- a/crypto/vmac.c
+++ b/crypto/vmac.c
@@ -613,7 +613,7 @@ static int vmac_final(struct shash_desc *pdesc, u8 *out)
        }
        mac = vmac(ctx->partial, ctx->partial_size, nonce, NULL, ctx);
        memcpy(out, &mac, sizeof(vmac_t));
-        memset(&mac, 0, sizeof(vmac_t));
+        memzero_explicit(&mac, sizeof(vmac_t));
        memset(&ctx->__vmac_ctx, 0, sizeof(struct vmac_ctx));
        ctx->partial_size = 0;
        return 0;
diff --git a/crypto/wp512.c b/crypto/wp512.c
index 180f1d6e03f4..ec64e7762fbb 100644
--- a/crypto/wp512.c
+++ b/crypto/wp512.c
@@ -1102,8 +1102,8 @@ static int wp384_final(struct shash_desc *desc, u8 *out)
        u8 D[64];
        wp512_final(desc, D);
-        memcpy (out, D, WP384_DIGEST_SIZE);
+        memcpy(out, D, WP384_DIGEST_SIZE);
-        memset (D, 0, WP512_DIGEST_SIZE);
+        memzero_explicit(D, WP512_DIGEST_SIZE);
        return 0;
 }
@@ -1113,8 +1113,8 @@ static int wp256_final(struct shash_desc *desc, u8 *out)
        u8 D[64];
        wp512_final(desc, D);
-        memcpy (out, D, WP256_DIGEST_SIZE);
+        memcpy(out, D, WP256_DIGEST_SIZE);
-        memset (D, 0, WP512_DIGEST_SIZE);
+        memzero_explicit(D, WP512_DIGEST_SIZE);
        return 0;
 }
author	Daniel Borkmann <dborkman@redhat.com>	2014-09-07 17:23:38 -0400
committer	Theodore Ts'o <tytso@mit.edu>	2014-10-17 11:44:07 -0400
commit	7185ad2672a7d50bc384de0e38d90b75d99f3d82 (patch)
tree	bfad2f926347d9f23bc1e014ab347192e7592661 /crypto
parent	d4c5efdb97773f59a2b711754ca0953f24516739 (diff)

diff --git a/crypto/cts.c b/crypto/cts.c index 042223f8e733..133f0874c95e 100644 --- a/crypto/cts.c +++ b/crypto/cts.c
@@ -202,7 +202,8 @@ static int cts_cbc_decrypt(struct crypto_cts_ctx *ctx,
202	/* 5. Append the tail (BB - Ln) bytes of Xn (tmp) to Cn to create En */	202	/* 5. Append the tail (BB - Ln) bytes of Xn (tmp) to Cn to create En */
203	memcpy(s + bsize + lastn, tmp + lastn, bsize - lastn);	203	memcpy(s + bsize + lastn, tmp + lastn, bsize - lastn);
204	/* 6. Decrypt En to create Pn-1 */	204	/* 6. Decrypt En to create Pn-1 */
205	memset(iv, 0, sizeof(iv));	205	memzero_explicit(iv, sizeof(iv));
		206
206	sg_set_buf(&sgsrc[0], s + bsize, bsize);	207	sg_set_buf(&sgsrc[0], s + bsize, bsize);
207	sg_set_buf(&sgdst[0], d, bsize);	208	sg_set_buf(&sgdst[0], d, bsize);
208	err = crypto_blkcipher_decrypt_iv(&lcldesc, sgdst, sgsrc, bsize);	209	err = crypto_blkcipher_decrypt_iv(&lcldesc, sgdst, sgsrc, bsize);


diff --git a/crypto/sha1_generic.c b/crypto/sha1_generic.c index 42794803c480..7bb047432782 100644 --- a/crypto/sha1_generic.c +++ b/crypto/sha1_generic.c
@@ -64,7 +64,7 @@ int crypto_sha1_update(struct shash_desc desc, const u8 data,
64	src = data + done;	64	src = data + done;
65	} while (done + SHA1_BLOCK_SIZE <= len);	65	} while (done + SHA1_BLOCK_SIZE <= len);
66		66
67	memset(temp, 0, sizeof(temp));	67	memzero_explicit(temp, sizeof(temp));
68	partial = 0;	68	partial = 0;
69	}	69	}
70	memcpy(sctx->buffer + partial, src, len - done);	70	memcpy(sctx->buffer + partial, src, len - done);


diff --git a/crypto/sha256_generic.c b/crypto/sha256_generic.c index 543366779524..32c5e5ea205a 100644 --- a/crypto/sha256_generic.c +++ b/crypto/sha256_generic.c
@@ -210,10 +210,9 @@ static void sha256_transform(u32 state, const u8 input)
210		210
211	/* clear any sensitive info... */	211	/* clear any sensitive info... */
212	a = b = c = d = e = f = g = h = t1 = t2 = 0;	212	a = b = c = d = e = f = g = h = t1 = t2 = 0;
213	memset(W, 0, 64 * sizeof(u32));	213	memzero_explicit(W, 64 * sizeof(u32));
214	}	214	}
215		215
216
217	static int sha224_init(struct shash_desc *desc)	216	static int sha224_init(struct shash_desc *desc)
218	{	217	{
219	struct sha256_state *sctx = shash_desc_ctx(desc);	218	struct sha256_state *sctx = shash_desc_ctx(desc);
@@ -316,7 +315,7 @@ static int sha224_final(struct shash_desc desc, u8 hash)
316	sha256_final(desc, D);	315	sha256_final(desc, D);
317		316
318	memcpy(hash, D, SHA224_DIGEST_SIZE);	317	memcpy(hash, D, SHA224_DIGEST_SIZE);
319	memset(D, 0, SHA256_DIGEST_SIZE);	318	memzero_explicit(D, SHA256_DIGEST_SIZE);
320		319
321	return 0;	320	return 0;
322	}	321	}


diff --git a/crypto/sha512_generic.c b/crypto/sha512_generic.c index 6ed124f3ea0f..04d295a8bc08 100644 --- a/crypto/sha512_generic.c +++ b/crypto/sha512_generic.c
@@ -238,7 +238,7 @@ static int sha384_final(struct shash_desc desc, u8 hash)
238	sha512_final(desc, D);	238	sha512_final(desc, D);
239		239
240	memcpy(hash, D, 48);	240	memcpy(hash, D, 48);
241	memset(D, 0, 64);	241	memzero_explicit(D, 64);
242		242
243	return 0;	243	return 0;
244	}	244	}


diff --git a/crypto/tgr192.c b/crypto/tgr192.c index 87403556fd0b..3c7af0d1ff7a 100644 --- a/crypto/tgr192.c +++ b/crypto/tgr192.c
@@ -612,7 +612,7 @@ static int tgr160_final(struct shash_desc desc, u8 out)
612		612
613	tgr192_final(desc, D);	613	tgr192_final(desc, D);
614	memcpy(out, D, TGR160_DIGEST_SIZE);	614	memcpy(out, D, TGR160_DIGEST_SIZE);
615	memset(D, 0, TGR192_DIGEST_SIZE);	615	memzero_explicit(D, TGR192_DIGEST_SIZE);
616		616
617	return 0;	617	return 0;
618	}	618	}
@@ -623,7 +623,7 @@ static int tgr128_final(struct shash_desc desc, u8 out)
623		623
624	tgr192_final(desc, D);	624	tgr192_final(desc, D);
625	memcpy(out, D, TGR128_DIGEST_SIZE);	625	memcpy(out, D, TGR128_DIGEST_SIZE);
626	memset(D, 0, TGR192_DIGEST_SIZE);	626	memzero_explicit(D, TGR192_DIGEST_SIZE);
627		627
628	return 0;	628	return 0;
629	}	629	}


diff --git a/crypto/vmac.c b/crypto/vmac.c index 2eb11a30c29c..d84c24bd7ff7 100644 --- a/crypto/vmac.c +++ b/crypto/vmac.c
@@ -613,7 +613,7 @@ static int vmac_final(struct shash_desc pdesc, u8 out)
613	}	613	}
614	mac = vmac(ctx->partial, ctx->partial_size, nonce, NULL, ctx);	614	mac = vmac(ctx->partial, ctx->partial_size, nonce, NULL, ctx);
615	memcpy(out, &mac, sizeof(vmac_t));	615	memcpy(out, &mac, sizeof(vmac_t));
616	memset(&mac, 0, sizeof(vmac_t));	616	memzero_explicit(&mac, sizeof(vmac_t));
617	memset(&ctx->__vmac_ctx, 0, sizeof(struct vmac_ctx));	617	memset(&ctx->__vmac_ctx, 0, sizeof(struct vmac_ctx));
618	ctx->partial_size = 0;	618	ctx->partial_size = 0;
619	return 0;	619	return 0;


diff --git a/crypto/wp512.c b/crypto/wp512.c index 180f1d6e03f4..ec64e7762fbb 100644 --- a/crypto/wp512.c +++ b/crypto/wp512.c
@@ -1102,8 +1102,8 @@ static int wp384_final(struct shash_desc desc, u8 out)
1102	u8 D[64];	1102	u8 D[64];
1103		1103
1104	wp512_final(desc, D);	1104	wp512_final(desc, D);
1105	memcpy (out, D, WP384_DIGEST_SIZE);	1105	memcpy(out, D, WP384_DIGEST_SIZE);
1106	memset (D, 0, WP512_DIGEST_SIZE);	1106	memzero_explicit(D, WP512_DIGEST_SIZE);
1107		1107
1108	return 0;	1108	return 0;
1109	}	1109	}
@@ -1113,8 +1113,8 @@ static int wp256_final(struct shash_desc desc, u8 out)
1113	u8 D[64];	1113	u8 D[64];
1114		1114
1115	wp512_final(desc, D);	1115	wp512_final(desc, D);
1116	memcpy (out, D, WP256_DIGEST_SIZE);	1116	memcpy(out, D, WP256_DIGEST_SIZE);
1117	memset (D, 0, WP512_DIGEST_SIZE);	1117	memzero_explicit(D, WP512_DIGEST_SIZE);
1118		1118
1119	return 0;	1119	return 0;
1120	}	1120	}