KEYS: encrypted: sanitize all key material
[karo-tx-linux.git] / security / keys / encrypted-keys / encrypted.c
index 5c98c2fe03f0368d8fe8874744ca1a9cec82b0e5..bb6324d1ccec32f6dde05f520d8d2ed2e089c785 100644 (file)
@@ -375,7 +375,7 @@ static int get_derived_key(u8 *derived_key, enum derived_key_type key_type,
        memcpy(derived_buf + strlen(derived_buf) + 1, master_key,
               master_keylen);
        ret = calc_hash(hash_tfm, derived_key, derived_buf, derived_buf_len);
-       kfree(derived_buf);
+       kzfree(derived_buf);
        return ret;
 }
 
@@ -507,6 +507,7 @@ static int datablob_hmac_append(struct encrypted_key_payload *epayload,
        if (!ret)
                dump_hmac(NULL, digest, HASH_SIZE);
 out:
+       memzero_explicit(derived_key, sizeof(derived_key));
        return ret;
 }
 
@@ -545,6 +546,7 @@ static int datablob_hmac_verify(struct encrypted_key_payload *epayload,
                dump_hmac("calc", digest, HASH_SIZE);
        }
 out:
+       memzero_explicit(derived_key, sizeof(derived_key));
        return ret;
 }
 
@@ -701,6 +703,7 @@ static int encrypted_key_decrypt(struct encrypted_key_payload *epayload,
 out:
        up_read(&mkey->sem);
        key_put(mkey);
+       memzero_explicit(derived_key, sizeof(derived_key));
        return ret;
 }
 
@@ -807,13 +810,13 @@ static int encrypted_instantiate(struct key *key,
        ret = encrypted_init(epayload, key->description, format, master_desc,
                             decrypted_datalen, hex_encoded_iv);
        if (ret < 0) {
-               kfree(epayload);
+               kzfree(epayload);
                goto out;
        }
 
        rcu_assign_keypointer(key, epayload);
 out:
-       kfree(datablob);
+       kzfree(datablob);
        return ret;
 }
 
@@ -822,8 +825,7 @@ static void encrypted_rcu_free(struct rcu_head *rcu)
        struct encrypted_key_payload *epayload;
 
        epayload = container_of(rcu, struct encrypted_key_payload, rcu);
-       memset(epayload->decrypted_data, 0, epayload->decrypted_datalen);
-       kfree(epayload);
+       kzfree(epayload);
 }
 
 /*
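Review bot: In encrypted_rcu_free the explicit wipe of `epayload->decrypted_data` is dropped in favour of `kzfree(epayload)`, which clears only the allocation that `epayload` itself points to. That is equivalent only if `decrypted_data` points into that same allocation; the allocation site is outside this hunk, so this should be confirmed and stated in the code. I would add a comment above the call, for example `/* decrypted_data lives inside the epayload allocation, so kzfree() wipes it as well */`. The same assumption applies to the `kzfree(key->payload.data[0])` in encrypted_destroy in the last hunk.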
@@ -881,7 +883,7 @@ static int encrypted_update(struct key *key, struct key_preparsed_payload *prep)
        rcu_assign_keypointer(key, new_epayload);
        call_rcu(&epayload->rcu, encrypted_rcu_free);
 out:
-       kfree(buf);
+       kzfree(buf);
        return ret;
 }
 
@@ -939,33 +941,26 @@ static long encrypted_read(const struct key *key, char __user *buffer,
 
        up_read(&mkey->sem);
        key_put(mkey);
+       memzero_explicit(derived_key, sizeof(derived_key));
 
        if (copy_to_user(buffer, ascii_buf, asciiblob_len) != 0)
                ret = -EFAULT;
-       kfree(ascii_buf);
+       kzfree(ascii_buf);
 
        return asciiblob_len;
 out:
        up_read(&mkey->sem);
        key_put(mkey);
+       memzero_explicit(derived_key, sizeof(derived_key));
        return ret;
 }
 
 /*
- * encrypted_destroy - before freeing the key, clear the decrypted data
- *
- * Before freeing the key, clear the memory containing the decrypted
- * key data.
+ * encrypted_destroy - clear and free the key's payload
  */
 static void encrypted_destroy(struct key *key)
 {
-       struct encrypted_key_payload *epayload = key->payload.data[0];
-
-       if (!epayload)
-               return;
-
-       memzero_explicit(epayload->decrypted_data, epayload->decrypted_datalen);
-       kfree(key->payload.data[0]);
+       kzfree(key->payload.data[0]);
 }
 
 struct key_type key_type_encrypted = {
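Review bot: On the success path of encrypted_read, a failing copy_to_user() sets `ret = -EFAULT`, but the function then returns `asciiblob_len`, so the fault is discarded and the caller is told the whole blob was copied. The commit edits the lines on either side of this without addressing it. Assuming `ret` is non-negative when this point is reached (the earlier part of the function is outside the hunk), the tail could end with `return ret < 0 ? ret : asciiblob_len;` after the `kzfree(ascii_buf);`. The added `memzero_explicit(derived_key, ...)` calls on both exits look right and would not need to change.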