On Sun, Jan 24, 2021 at 03:04:50PM +0100, Stephan Müller wrote: > The clearing of the OKM memory buffer in case of an error is already > performed by the HKDF implementation crypto_hkdf_expand. Thus, the > code clearing is not needed any more in the file system code base. > > Signed-off-by: Stephan Mueller <smueller@xxxxxxxxxx> > --- > fs/crypto/hkdf.c | 9 +++------ > 1 file changed, 3 insertions(+), 6 deletions(-) > > diff --git a/fs/crypto/hkdf.c b/fs/crypto/hkdf.c > index ae236b42b1f0..c48dd8ca3a46 100644 > --- a/fs/crypto/hkdf.c > +++ b/fs/crypto/hkdf.c > @@ -102,13 +102,10 @@ int fscrypt_hkdf_expand(const struct fscrypt_hkdf *hkdf, u8 context, > .iov_base = (u8 *)info, > .iov_len = infolen, > } }; > - int err = crypto_hkdf_expand(hkdf->hmac_tfm, > - info_iov, ARRAY_SIZE(info_iov), > - okm, okmlen); > > - if (unlikely(err)) > - memzero_explicit(okm, okmlen); /* so caller doesn't need to */ > - return err; > + return crypto_hkdf_expand(hkdf->hmac_tfm, > + info_iov, ARRAY_SIZE(info_iov), > + okm, okmlen); > } > Shoudn't this just be folded into the previous patch, which converted fscrypt_hkdf_expand() to use crypto_hkdf_expand() in the first place? - Eric
|