ICP: AES-GCM: Refactor gcm_clear_ctx()

Currently the temporary buffer in which decryption takes place isn't cleared on context destruction. Further in some routines we fail to call gcm_clear_ctx() on error exit. Both flaws may result in leaking sensitive data. We follow best practices and zero out the plaintext buffer before freeing the memory holding it. Also move all cleanup into gcm_clear_ctx() and call it on any context destruction. The performance impact should be negligible. Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Reviewed-by: Rob Norris <robn@despairlabs.com> Signed-off-by: Attila Fülöp <attila@fueloep.org> Closes #14528
2026-05-22 02:27:36 +03:00 · 2023-02-27 23:38:12 +01:00
parent 3b9309aabe
commit f58e513f74
4 changed files with 36 additions and 55 deletions
@@ -945,17 +945,9 @@ out:
 		memset(aes_ctx.ac_keysched, 0, aes_ctx.ac_keysched_len);
 		kmem_free(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
 	}
-#ifdef CAN_USE_GCM_ASM
-	if (aes_ctx.ac_flags & (GCM_MODE|GMAC_MODE) &&
-	    ((gcm_ctx_t *)&aes_ctx)->gcm_Htable != NULL) {
-
-		gcm_ctx_t *ctx = (gcm_ctx_t *)&aes_ctx;
-
-		memset(ctx->gcm_Htable, 0, ctx->gcm_htab_len);
-		kmem_free(ctx->gcm_Htable, ctx->gcm_htab_len);
+	if (aes_ctx.ac_flags & (GCM_MODE|GMAC_MODE)) {
+		gcm_clear_ctx((gcm_ctx_t *)&aes_ctx);
 	}
-#endif
-
 	return (ret);
 }

@@ -1101,18 +1093,7 @@ out:
 			vmem_free(aes_ctx.ac_pt_buf, aes_ctx.ac_data_len);
 		}
 	} else if (aes_ctx.ac_flags & (GCM_MODE|GMAC_MODE)) {
-		if (((gcm_ctx_t *)&aes_ctx)->gcm_pt_buf != NULL) {
-			vmem_free(((gcm_ctx_t *)&aes_ctx)->gcm_pt_buf,
-			    ((gcm_ctx_t *)&aes_ctx)->gcm_pt_buf_len);
-		}
-#ifdef CAN_USE_GCM_ASM
-		if (((gcm_ctx_t *)&aes_ctx)->gcm_Htable != NULL) {
-			gcm_ctx_t *ctx = (gcm_ctx_t *)&aes_ctx;
-
-			memset(ctx->gcm_Htable, 0, ctx->gcm_htab_len);
-			kmem_free(ctx->gcm_Htable, ctx->gcm_htab_len);
-		}
-#endif
+		gcm_clear_ctx((gcm_ctx_t *)&aes_ctx);
 	}

 	return (ret);