The clearing of the OKM memory buffer in case of an error is already
performed by the HKDF implementation crypto_hkdf_expand. Thus, the
code clearing is not needed any more in the file system code base.

Signed-off-by: Stephan Mueller <smuel...@chronox.de>
---
 fs/crypto/hkdf.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/fs/crypto/hkdf.c b/fs/crypto/hkdf.c
index ae236b42b1f0..c48dd8ca3a46 100644
--- a/fs/crypto/hkdf.c
+++ b/fs/crypto/hkdf.c
@@ -102,13 +102,10 @@ int fscrypt_hkdf_expand(const struct fscrypt_hkdf *hkdf, 
u8 context,
                .iov_base = (u8 *)info,
                .iov_len = infolen,
        } };
-       int err = crypto_hkdf_expand(hkdf->hmac_tfm,
-                                    info_iov, ARRAY_SIZE(info_iov),
-                                    okm, okmlen);
 
-       if (unlikely(err))
-               memzero_explicit(okm, okmlen); /* so caller doesn't need to */
-       return err;
+       return crypto_hkdf_expand(hkdf->hmac_tfm,
+                                 info_iov, ARRAY_SIZE(info_iov),
+                                 okm, okmlen);
 }
 
 void fscrypt_destroy_hkdf(struct fscrypt_hkdf *hkdf)
-- 
2.26.2




Reply via email to