From 607c92141cdec6e472d80de813f5251685b9ddc1 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Mon, 5 May 2025 11:18:23 -0700 Subject: [PATCH] crypto: lib/chacha - add strongly-typed state zeroization Now that the ChaCha state matrix is strongly-typed, add a helper function chacha_zeroize_state() which zeroizes it. Then convert all applicable callers to use it instead of direct memzero_explicit. No functional changes. Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu --- drivers/char/random.c | 4 ++-- fs/bcachefs/checksum.c | 4 ++-- include/crypto/chacha.h | 6 ++++++ lib/crypto/chacha20poly1305.c | 6 +++--- 4 files changed, 13 insertions(+), 7 deletions(-) diff --git a/drivers/char/random.c b/drivers/char/random.c index 9f876ed2655b..5f22a08101f6 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -422,7 +422,7 @@ static void _get_random_bytes(void *buf, size_t len) buf += CHACHA_BLOCK_SIZE; } - memzero_explicit(&chacha_state, sizeof(chacha_state)); + chacha_zeroize_state(&chacha_state); } /* @@ -485,7 +485,7 @@ static ssize_t get_random_bytes_user(struct iov_iter *iter) memzero_explicit(block, sizeof(block)); out_zero_chacha: - memzero_explicit(&chacha_state, sizeof(chacha_state)); + chacha_zeroize_state(&chacha_state); return ret ? ret : -EFAULT; } diff --git a/fs/bcachefs/checksum.c b/fs/bcachefs/checksum.c index 312fda4bb1b5..a4df8eba75f3 100644 --- a/fs/bcachefs/checksum.c +++ b/fs/bcachefs/checksum.c @@ -113,7 +113,7 @@ static void bch2_chacha20(const struct bch_key *key, struct nonce nonce, bch2_chacha20_init(&state, key, nonce); chacha20_crypt(&state, data, data, len); - memzero_explicit(&state, sizeof(state)); + chacha_zeroize_state(&state); } static void bch2_poly1305_init(struct poly1305_desc_ctx *desc, @@ -283,7 +283,7 @@ int __bch2_encrypt_bio(struct bch_fs *c, unsigned type, chacha20_crypt(&chacha_state, p, p, bv.bv_len); kunmap_local(p); } - memzero_explicit(&chacha_state, sizeof(chacha_state)); + chacha_zeroize_state(&chacha_state); return ret; } diff --git a/include/crypto/chacha.h b/include/crypto/chacha.h index 64fb270f2bfc..7c2e6c68919b 100644 --- a/include/crypto/chacha.h +++ b/include/crypto/chacha.h @@ -16,6 +16,7 @@ #define _CRYPTO_CHACHA_H #include +#include #include /* 32-bit stream position, then 96-bit nonce (RFC7539 convention) */ @@ -108,6 +109,11 @@ static inline void chacha20_crypt(struct chacha_state *state, chacha_crypt(state, dst, src, bytes, 20); } +static inline void chacha_zeroize_state(struct chacha_state *state) +{ + memzero_explicit(state, sizeof(*state)); +} + #if IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA) bool chacha_is_arch_optimized(void); #else diff --git a/lib/crypto/chacha20poly1305.c b/lib/crypto/chacha20poly1305.c index ed81f0658956..2e7bbc1a67ea 100644 --- a/lib/crypto/chacha20poly1305.c +++ b/lib/crypto/chacha20poly1305.c @@ -84,7 +84,7 @@ __chacha20poly1305_encrypt(u8 *dst, const u8 *src, const size_t src_len, poly1305_final(&poly1305_state, dst + src_len); - memzero_explicit(chacha_state, sizeof(*chacha_state)); + chacha_zeroize_state(chacha_state); memzero_explicit(&b, sizeof(b)); } @@ -188,7 +188,7 @@ bool chacha20poly1305_decrypt(u8 *dst, const u8 *src, const size_t src_len, ret = __chacha20poly1305_decrypt(dst, src, src_len, ad, ad_len, &chacha_state); - memzero_explicit(&chacha_state, sizeof(chacha_state)); + chacha_zeroize_state(&chacha_state); memzero_explicit(iv, sizeof(iv)); memzero_explicit(k, sizeof(k)); return ret; @@ -328,7 +328,7 @@ bool chacha20poly1305_crypt_sg_inplace(struct scatterlist *src, !crypto_memneq(b.mac[0], b.mac[1], POLY1305_DIGEST_SIZE); } - memzero_explicit(&chacha_state, sizeof(chacha_state)); + chacha_zeroize_state(&chacha_state); memzero_explicit(&b, sizeof(b)); return ret; -- 2.50.1