Commit 14d4cc08832efb724e58944ba2ac22e2ca3143dc

Authored by Linus Torvalds

Merge tag 'random_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random

Pull /dev/random updates from Ted Ts'o:
 "This adds a memzero_explicit() call which is guaranteed not to be
  optimized away by GCC.  This is important when we are wiping
  cryptographically sensitive material"

* tag 'random_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random:
  crypto: memzero_explicit - make sure to clear out sensitive data
  random: add and use memzero_explicit() for clearing data

Showing 10 changed files Side-by-side Diff

... ... @@ -202,7 +202,8 @@
202 202 /* 5. Append the tail (BB - Ln) bytes of Xn (tmp) to Cn to create En */
203 203 memcpy(s + bsize + lastn, tmp + lastn, bsize - lastn);
204 204 /* 6. Decrypt En to create Pn-1 */
205   - memset(iv, 0, sizeof(iv));
  205 + memzero_explicit(iv, sizeof(iv));
  206 +
206 207 sg_set_buf(&sgsrc[0], s + bsize, bsize);
207 208 sg_set_buf(&sgdst[0], d, bsize);
208 209 err = crypto_blkcipher_decrypt_iv(&lcldesc, sgdst, sgsrc, bsize);
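Review bot: The `memzero_explicit(iv, sizeof(iv))` at step 6 looks like a re-initialisation rather than a wipe: the zeroed `iv` appears to feed the `crypto_blkcipher_decrypt_iv()` call a few lines later (through `lcldesc`, whose setup is outside the hunk), so the store is live and a plain `memset()` could not have been dropped here. Using the wipe helper for an initialisation blurs what the helper is for; I would keep `memset(iv, 0, sizeof(iv));` at this spot, or add a comment such as `/* reset the IV to zero for the next decrypt, not a wipe */`. What does need checking is whether `tmp`, `iv` and the other stack buffers that hold intermediate plaintext are cleared before the function returns, which this hunk does not show.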
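--- a/crypto/sha1_generic.c
+++ b/crypto/sha1_generic.c
@@ -64,7 +64,7 @@
 src = data + done;
 } while (done + SHA1_BLOCK_SIZE <= len);
 
- memset(temp, 0, sizeof(temp));
+ memzero_explicit(temp, sizeof(temp));
 partial = 0;
 }
 memcpy(sctx->buffer + partial, src, len - done);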
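--- a/crypto/sha256_generic.c
+++ b/crypto/sha256_generic.c
@@ -211,10 +211,9 @@
 
 /* clear any sensitive info... */
 a = b = c = d = e = f = g = h = t1 = t2 = 0;
- memset(W, 0, 64 * sizeof(u32));
+ memzero_explicit(W, 64 * sizeof(u32));
 }
 
-
 static int sha224_init(struct shash_desc *desc)
 {
 struct sha256_state *sctx = shash_desc_ctx(desc);
@@ -317,7 +316,7 @@
 sha256_final(desc, D);
 
 memcpy(hash, D, SHA224_DIGEST_SIZE);
- memset(D, 0, SHA256_DIGEST_SIZE);
+ memzero_explicit(D, SHA256_DIGEST_SIZE);
 
 return 0;
 }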
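Review bot: The scalar clear `a = b = c = d = e = f = g = h = t1 = t2 = 0;` directly above the converted call in the first hunk is still an ordinary dead store, so the compiler is free to drop it exactly as it could drop the old `memset(W, ...)`. The comment `/* clear any sensitive info... */` therefore promises more than the code delivers for the working variables. Either remove the assignment or narrow the comment to something like `/* W is wiped explicitly; the working variables may live in registers and are not reliably cleared */`. If `W` is a local array in this function (its declaration is outside the hunk), `sizeof(W)` would also tie the wipe length to the buffer better than `64 * sizeof(u32)`.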
crypto/sha512_generic.c
... ... @@ -239,7 +239,7 @@
239 239 sha512_final(desc, D);
240 240  
241 241 memcpy(hash, D, 48);
242   - memset(D, 0, 64);
  242 + memzero_explicit(D, 64);
243 243  
244 244 return 0;
245 245 }
... ... @@ -612,7 +612,7 @@
612 612  
613 613 tgr192_final(desc, D);
614 614 memcpy(out, D, TGR160_DIGEST_SIZE);
615   - memset(D, 0, TGR192_DIGEST_SIZE);
  615 + memzero_explicit(D, TGR192_DIGEST_SIZE);
616 616  
617 617 return 0;
618 618 }
... ... @@ -623,7 +623,7 @@
623 623  
624 624 tgr192_final(desc, D);
625 625 memcpy(out, D, TGR128_DIGEST_SIZE);
626   - memset(D, 0, TGR192_DIGEST_SIZE);
  626 + memzero_explicit(D, TGR192_DIGEST_SIZE);
627 627  
628 628 return 0;
629 629 }
... ... @@ -613,7 +613,7 @@
613 613 }
614 614 mac = vmac(ctx->partial, ctx->partial_size, nonce, NULL, ctx);
615 615 memcpy(out, &mac, sizeof(vmac_t));
616   - memset(&mac, 0, sizeof(vmac_t));
  616 + memzero_explicit(&mac, sizeof(vmac_t));
617 617 memset(&ctx->__vmac_ctx, 0, sizeof(struct vmac_ctx));
618 618 ctx->partial_size = 0;
619 619 return 0;
... ... @@ -1102,8 +1102,8 @@
1102 1102 u8 D[64];
1103 1103  
1104 1104 wp512_final(desc, D);
1105   - memcpy (out, D, WP384_DIGEST_SIZE);
1106   - memset (D, 0, WP512_DIGEST_SIZE);
  1105 + memcpy(out, D, WP384_DIGEST_SIZE);
  1106 + memzero_explicit(D, WP512_DIGEST_SIZE);
1107 1107  
1108 1108 return 0;
1109 1109 }
... ... @@ -1113,8 +1113,8 @@
1113 1113 u8 D[64];
1114 1114  
1115 1115 wp512_final(desc, D);
1116   - memcpy (out, D, WP256_DIGEST_SIZE);
1117   - memset (D, 0, WP512_DIGEST_SIZE);
  1116 + memcpy(out, D, WP256_DIGEST_SIZE);
  1117 + memzero_explicit(D, WP512_DIGEST_SIZE);
1118 1118  
1119 1119 return 0;
1120 1120 }
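Review bot: In the `@@ -239` hunk the wipe length is the bare literal `64` (`memzero_explicit(D, 64);`, next to `memcpy(hash, D, 48);`), while the other converted call sites in this section use a named digest size. A wipe whose length is not tied to the buffer can silently under-clear if the buffer is ever resized; `memzero_explicit(D, sizeof(D));` would be safer, assuming `D` is a local array as in the later `u8 D[64];` hunks (its declaration is outside this hunk). In the `@@ -613` hunk the neighbouring `memset(&ctx->__vmac_ctx, 0, sizeof(struct vmac_ctx));` stays a plain memset, which is presumably fine because `ctx` outlives the call, but a short comment saying so would stop a later reader wondering why only `mac` was converted. The hunks from `@@ -612` onward call `tgr192_final`, `vmac` and `wp512_final`, so they probably belong to other files whose headers are missing from this page.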
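--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -1106,7 +1106,7 @@
 __mix_pool_bytes(r, hash.w, sizeof(hash.w));
 spin_unlock_irqrestore(&r->lock, flags);
 
- memset(workspace, 0, sizeof(workspace));
+ memzero_explicit(workspace, sizeof(workspace));
 
 /*
 * In case the hash function has some recognizable output
@@ -1118,7 +1118,7 @@
 hash.w[2] ^= rol32(hash.w[2], 16);
 
 memcpy(out, &hash, EXTRACT_SIZE);
- memset(&hash, 0, sizeof(hash));
+ memzero_explicit(&hash, sizeof(hash));
 }
 
 /*
@@ -1175,7 +1175,7 @@
 }
 
 /* Wipe data just returned from memory */
- memset(tmp, 0, sizeof(tmp));
+ memzero_explicit(tmp, sizeof(tmp));
 
 return ret;
 }
@@ -1218,7 +1218,7 @@
 }
 
 /* Wipe data just returned from memory */
- memset(tmp, 0, sizeof(tmp));
+ memzero_explicit(tmp, sizeof(tmp));
 
 return ret;
 }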
include/linux/string.h
... ... @@ -132,7 +132,7 @@
132 132 #endif
133 133  
134 134 extern ssize_t memory_read_from_buffer(void *to, size_t count, loff_t *ppos,
135   - const void *from, size_t available);
  135 + const void *from, size_t available);
136 136  
137 137 /**
138 138 * strstarts - does @str start with @prefix?
... ... @@ -144,7 +144,8 @@
144 144 return strncmp(str, prefix, strlen(prefix)) == 0;
145 145 }
146 146  
147   -extern size_t memweight(const void *ptr, size_t bytes);
  147 +size_t memweight(const void *ptr, size_t bytes);
  148 +void memzero_explicit(void *s, size_t count);
148 149  
149 150 /**
150 151 * kbasename - return the last part of a pathname.
... ... @@ -598,6 +598,22 @@
598 598 EXPORT_SYMBOL(memset);
599 599 #endif
600 600  
  601 +/**
  602 + * memzero_explicit - Fill a region of memory (e.g. sensitive
  603 + * keying data) with 0s.
  604 + * @s: Pointer to the start of the area.
  605 + * @count: The size of the area.
  606 + *
  607 + * memzero_explicit() doesn't need an arch-specific version as
  608 + * it just invokes the one of memset() implicitly.
  609 + */
  610 +void memzero_explicit(void *s, size_t count)
  611 +{
  612 + memset(s, 0, count);
  613 + OPTIMIZER_HIDE_VAR(s);
  614 +}
  615 +EXPORT_SYMBOL(memzero_explicit);
  616 +
601 617 #ifndef __HAVE_ARCH_MEMCPY
602 618 /**
603 619 * memcpy - Copy one area of memory to another
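Review bot: The new `memzero_explicit()` in the `@@ -598` hunk relies on `OPTIMIZER_HIDE_VAR(s)` to keep the `memset()` alive, but that macro only hides the value of the pointer `s`, not the bytes it points to, and as far as I know it carries no memory clobber. If the function is ever inlined into a caller (LTO, or a later move into a header), the compiler could still treat the stores as dead and remove them, which defeats the purpose for key material. A compiler barrier with a memory clobber after the memset, i.e. `barrier();` in place of `OPTIMIZER_HIDE_VAR(s);`, would be more robust. The kernel-doc should also state the actual contract, namely that the clear is not subject to dead-store elimination and that this is the reason to prefer it over `memset()` for sensitive data; the current text only says it fills memory with 0s. This hunk is shown under the `include/linux/string.h` header, though the `EXPORT_SYMBOL` lines suggest it belongs to a .c file whose header is missing from the page.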