Just doing memset() on keys is not enough, compiler can optimize
it away. Need something with a barrier.
Signed-off-by: Stephen Hemminger <step...@networkplumber.org>
---
drivers/crypto/qat/qat_sym_session.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/drivers/crypto/qat/qat_sym_session.c
b/drivers/crypto/qat/qat_sym_session.c
index 50d687fd37..4b4e9ccbab 100644
--- a/drivers/crypto/qat/qat_sym_session.c
+++ b/drivers/crypto/qat/qat_sym_session.c
@@ -26,6 +26,7 @@
#include <rte_crypto_sym.h>
#include <rte_security_driver.h>
#include <rte_ether.h>
+#include <rte_string_fns.h>
#include "qat_logs.h"
#include "qat_sym_session.h"
@@ -1633,7 +1634,7 @@ static int qat_sym_do_precomputes(enum
icp_qat_hw_auth_algo hash_alg,
aes_cmac_key_derive(k0, k1);
aes_cmac_key_derive(k1, k2);
- memset(k0, 0, ICP_QAT_HW_AES_128_KEY_SZ);
+ rte_memset_sensative(k0, 0, ICP_QAT_HW_AES_128_KEY_SZ);
*p_state_len = ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ;
rte_free(in);
goto out;
@@ -1668,7 +1669,7 @@ static int qat_sym_do_precomputes(enum
icp_qat_hw_auth_algo hash_alg,
&enc_key) != 0) {
rte_free(in -
(x * ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ));
- memset(out -
+ rte_memset_sensative(out -
(x * ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ),
0, ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ);
return -EFAULT;
@@ -1698,7 +1699,7 @@ static int qat_sym_do_precomputes(enum
icp_qat_hw_auth_algo hash_alg,
return -ENOMEM;
}
- memset(in, 0, ICP_QAT_HW_GALOIS_H_SZ);
+ rte_memset_sensative(in, 0, ICP_QAT_HW_GALOIS_H_SZ);
if (AES_set_encrypt_key(auth_key, auth_keylen << 3,
&enc_key) != 0) {
return -EFAULT;
@@ -1757,8 +1758,8 @@ static int qat_sym_do_precomputes(enum
icp_qat_hw_auth_algo hash_alg,
}
/* don't leave data lying around */
- memset(ipad, 0, block_size);
- memset(opad, 0, block_size);
+ rte_memset_sensative(ipad, 0, block_size);
+ rte_memset_sensative(opad, 0, block_size);
out:
return 0;
}
@@ -2006,8 +2007,8 @@ static int qat_sym_do_precomputes_ipsec_mb(enum
icp_qat_hw_auth_algo hash_alg,
out:
/* don't leave data lying around */
- memset(ipad, 0, block_size);
- memset(opad, 0, block_size);
+ rte_memset_sensative(ipad, 0, block_size);
+ rte_memset_sensative(opad, 0, block_size);
free_mb_mgr(m);
return ret;
}
@@ -3232,7 +3233,7 @@ qat_security_session_destroy(void *dev __rte_unused,
if (s->mb_mgr)
free_mb_mgr(s->mb_mgr);
#endif
- memset(s, 0, qat_sym_session_get_private_size(dev));
+ rte_memset_sensative(s, 0,
qat_sym_session_get_private_size(dev));
}
return 0;
--
2.45.2
