From nobody Fri Dec 17 22:00:09 2021 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4162218F5D17; Fri, 17 Dec 2021 22:00:11 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4JG2w975WSz3sw8; Fri, 17 Dec 2021 22:00:09 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id B87A7239B8; Fri, 17 Dec 2021 22:00:09 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 1BHM09dm006432; Fri, 17 Dec 2021 22:00:09 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 1BHM09Vc006429; Fri, 17 Dec 2021 22:00:09 GMT (envelope-from git) Date: Fri, 17 Dec 2021 22:00:09 GMT Message-Id: <202112172200.1BHM09Vc006429@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: John Baldwin Subject: git: 7051c5796ff4 - main - cryptosoft: Consolidate calls to explicit_bzero. List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-main@freebsd.org X-BeenThere: dev-commits-src-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: jhb X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 7051c5796ff44e7883f93dccc06e25f0711937e1 Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1639778410; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=jk4wy2i2GXw3+UQmEFRt6RzoMqPLi9OR/PTVVeA9wQk=; b=DHYwWDMkpAAVp4NIYsYMyk9/itJCOfaWCbM+NBkvLHChPinBygyBvagEQgffmJh05KSmIX 5FcxUIs5K7KG3PzRrt83S4rYrdGczbpCVTV9l+zPIHDfU5EkLLa8LKqMdGOndiPLJxyEwQ 2PSfLIGpjIROZ1Ui+hSJjTa6e3HoxTOzkc2WH33VjfSxr1LplpuztB0TJB13veGoZkCPTU wvgY6Yc0zADzwEQRSOnuXtRb+MuA6tPorJfws58ubqmhI7qGgkTEU2tDGa2yk3sM9BUstB TVCoph84I8nF73BM3gpn59q4gfQoYgQRBIM02GCFhsOCqoVSwkbJbK+neczPyw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1639778410; a=rsa-sha256; cv=none; b=L9FrsDYixlgzblgDDE/7zNUI9ETPfXx+R59k7832Scl6DYoE1u3cOWdvwKcnNCIb9+VaSJ /NR2D03rmfTtRD4nl3E4+NbTWMp+rBmJSdjQ42KXpO81uOqKKqjczYyINj3GzAFhR0d1f1 mUoz+fVFLqk5AGBWlrMldNaaQLn3XaceUMb3gkc8V2H3+Ype94OoBv4zqA07LHbsfTTAvf QjFW8Vcid6ThpirXe5t1/nplGN5Bp7kR0Ux4EPk1CanYCHGDBZaH/Qc8uJGra9guPmtgEI D3YxzAWp2CEop9NVCLNRoVTCiZNVH8SeSQvaaZVNcdN6YmzhmybrZ1rh3qDn2Q== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by jhb: URL: https://cgit.FreeBSD.org/src/commit/?id=7051c5796ff44e7883f93dccc06e25f0711937e1 commit 7051c5796ff44e7883f93dccc06e25f0711937e1 Author: John Baldwin AuthorDate: 2021-12-17 21:58:58 +0000 Commit: John Baldwin CommitDate: 2021-12-17 21:58:58 +0000 cryptosoft: Consolidate calls to explicit_bzero. Group sensitive on-stack variables into anonymous structs so that they can be cleared with a single call to explicit_bzero rather than multiple calls. Reviewed by: markj Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D33527 --- sys/opencrypto/cryptosoft.c | 209 ++++++++++++++++++++++---------------------- 1 file changed, 103 insertions(+), 106 deletions(-) diff --git a/sys/opencrypto/cryptosoft.c b/sys/opencrypto/cryptosoft.c index 8d39eec19b88..0cc4e56550f3 100644 --- a/sys/opencrypto/cryptosoft.c +++ b/sys/opencrypto/cryptosoft.c @@ -237,11 +237,14 @@ swcr_encdec(const struct swcr_session *ses, struct cryptop *crp) static int swcr_authcompute(const struct swcr_session *ses, struct cryptop *crp) { - u_char aalg[HASH_MAX_LEN]; + struct { + union authctx ctx; + u_char aalg[HASH_MAX_LEN]; + u_char uaalg[HASH_MAX_LEN]; + } s; const struct crypto_session_params *csp; const struct swcr_auth *sw; const struct auth_hash *axf; - union authctx ctx; int err; sw = &ses->swcr_auth; @@ -252,20 +255,20 @@ swcr_authcompute(const struct swcr_session *ses, struct cryptop *crp) if (crp->crp_auth_key != NULL) { if (sw->sw_hmac) { hmac_init_ipad(axf, crp->crp_auth_key, - csp->csp_auth_klen, &ctx); + csp->csp_auth_klen, &s.ctx); } else { - axf->Init(&ctx); - axf->Setkey(&ctx, crp->crp_auth_key, + axf->Init(&s.ctx); + axf->Setkey(&s.ctx, crp->crp_auth_key, csp->csp_auth_klen); } } else - memcpy(&ctx, sw->sw_ictx, axf->ctxsize); + memcpy(&s.ctx, sw->sw_ictx, axf->ctxsize); if (crp->crp_aad != NULL) - err = axf->Update(&ctx, crp->crp_aad, crp->crp_aad_length); + err = axf->Update(&s.ctx, crp->crp_aad, crp->crp_aad_length); else err = crypto_apply(crp, crp->crp_aad_start, crp->crp_aad_length, - axf->Update, &ctx); + axf->Update, &s.ctx); if (err) goto out; @@ -273,41 +276,37 @@ swcr_authcompute(const struct swcr_session *ses, struct cryptop *crp) CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) err = crypto_apply_buf(&crp->crp_obuf, crp->crp_payload_output_start, crp->crp_payload_length, - axf->Update, &ctx); + axf->Update, &s.ctx); else err = crypto_apply(crp, crp->crp_payload_start, - crp->crp_payload_length, axf->Update, &ctx); + crp->crp_payload_length, axf->Update, &s.ctx); if (err) goto out; if (csp->csp_flags & CSP_F_ESN) - axf->Update(&ctx, crp->crp_esn, 4); + axf->Update(&s.ctx, crp->crp_esn, 4); - axf->Final(aalg, &ctx); + axf->Final(s.aalg, &s.ctx); if (sw->sw_hmac) { if (crp->crp_auth_key != NULL) hmac_init_opad(axf, crp->crp_auth_key, - csp->csp_auth_klen, &ctx); + csp->csp_auth_klen, &s.ctx); else - memcpy(&ctx, sw->sw_octx, axf->ctxsize); - axf->Update(&ctx, aalg, axf->hashsize); - axf->Final(aalg, &ctx); + memcpy(&s.ctx, sw->sw_octx, axf->ctxsize); + axf->Update(&s.ctx, s.aalg, axf->hashsize); + axf->Final(s.aalg, &s.ctx); } if (crp->crp_op & CRYPTO_OP_VERIFY_DIGEST) { - u_char uaalg[HASH_MAX_LEN]; - - crypto_copydata(crp, crp->crp_digest_start, sw->sw_mlen, uaalg); - if (timingsafe_bcmp(aalg, uaalg, sw->sw_mlen) != 0) + crypto_copydata(crp, crp->crp_digest_start, sw->sw_mlen, s.uaalg); + if (timingsafe_bcmp(s.aalg, s.uaalg, sw->sw_mlen) != 0) err = EBADMSG; - explicit_bzero(uaalg, sizeof(uaalg)); } else { /* Inject the authentication data */ - crypto_copyback(crp, crp->crp_digest_start, sw->sw_mlen, aalg); + crypto_copyback(crp, crp->crp_digest_start, sw->sw_mlen, s.aalg); } - explicit_bzero(aalg, sizeof(aalg)); out: - explicit_bzero(&ctx, sizeof(ctx)); + explicit_bzero(&s, sizeof(s)); return (err); } @@ -317,12 +316,15 @@ CTASSERT(INT_MAX <= (uint64_t)-1); /* GCM: associated data <= 2^64-1 */ static int swcr_gmac(const struct swcr_session *ses, struct cryptop *crp) { - uint32_t blkbuf[howmany(AES_BLOCK_LEN, sizeof(uint32_t))]; - u_char *blk = (u_char *)blkbuf; - u_char tag[GMAC_DIGEST_LEN]; + struct { + union authctx ctx; + uint32_t blkbuf[howmany(AES_BLOCK_LEN, sizeof(uint32_t))]; + u_char tag[GMAC_DIGEST_LEN]; + u_char tag2[GMAC_DIGEST_LEN]; + } s; + u_char *blk = (u_char *)s.blkbuf; struct crypto_buffer_cursor cc; const u_char *inblk; - union authctx ctx; const struct swcr_auth *swa; const struct auth_hash *axf; uint32_t *blkp; @@ -336,17 +338,17 @@ swcr_gmac(const struct swcr_session *ses, struct cryptop *crp) __func__)); if (crp->crp_auth_key != NULL) { - axf->Init(&ctx); - axf->Setkey(&ctx, crp->crp_auth_key, + axf->Init(&s.ctx); + axf->Setkey(&s.ctx, crp->crp_auth_key, crypto_get_params(crp->crp_session)->csp_auth_klen); } else - memcpy(&ctx, swa->sw_ictx, axf->ctxsize); + memcpy(&s.ctx, swa->sw_ictx, axf->ctxsize); /* Initialize the IV */ ivlen = AES_GCM_IV_LEN; crypto_read_iv(crp, blk); - axf->Reinit(&ctx, blk, ivlen); + axf->Reinit(&s.ctx, blk, ivlen); crypto_cursor_init(&cc, &crp->crp_buf); crypto_cursor_advance(&cc, crp->crp_payload_start); for (resid = crp->crp_payload_length; resid >= blksz; resid -= len) { @@ -359,47 +361,46 @@ swcr_gmac(const struct swcr_session *ses, struct cryptop *crp) crypto_cursor_copydata(&cc, len, blk); inblk = blk; } - axf->Update(&ctx, inblk, len); + axf->Update(&s.ctx, inblk, len); } if (resid > 0) { memset(blk, 0, blksz); crypto_cursor_copydata(&cc, resid, blk); - axf->Update(&ctx, blk, blksz); + axf->Update(&s.ctx, blk, blksz); } /* length block */ memset(blk, 0, blksz); blkp = (uint32_t *)blk + 1; *blkp = htobe32(crp->crp_payload_length * 8); - axf->Update(&ctx, blk, blksz); + axf->Update(&s.ctx, blk, blksz); /* Finalize MAC */ - axf->Final(tag, &ctx); + axf->Final(s.tag, &s.ctx); error = 0; if (crp->crp_op & CRYPTO_OP_VERIFY_DIGEST) { - u_char tag2[GMAC_DIGEST_LEN]; - crypto_copydata(crp, crp->crp_digest_start, swa->sw_mlen, - tag2); - if (timingsafe_bcmp(tag, tag2, swa->sw_mlen) != 0) + s.tag2); + if (timingsafe_bcmp(s.tag, s.tag2, swa->sw_mlen) != 0) error = EBADMSG; - explicit_bzero(tag2, sizeof(tag2)); } else { /* Inject the authentication data */ - crypto_copyback(crp, crp->crp_digest_start, swa->sw_mlen, tag); + crypto_copyback(crp, crp->crp_digest_start, swa->sw_mlen, s.tag); } - explicit_bzero(blkbuf, sizeof(blkbuf)); - explicit_bzero(tag, sizeof(tag)); + explicit_bzero(&s, sizeof(s)); return (error); } static int swcr_gcm(const struct swcr_session *ses, struct cryptop *crp) { - uint32_t blkbuf[howmany(AES_BLOCK_LEN, sizeof(uint32_t))]; - u_char *blk = (u_char *)blkbuf; - u_char tag[GMAC_DIGEST_LEN]; + struct { + uint32_t blkbuf[howmany(AES_BLOCK_LEN, sizeof(uint32_t))]; + u_char tag[GMAC_DIGEST_LEN]; + u_char tag2[GMAC_DIGEST_LEN]; + } s; + u_char *blk = (u_char *)s.blkbuf; struct crypto_buffer_cursor cc_in, cc_out; const u_char *inblk; u_char *outblk; @@ -513,17 +514,14 @@ swcr_gcm(const struct swcr_session *ses, struct cryptop *crp) exf->update(ctx, blk, blksz); /* Finalize MAC */ - exf->final(tag, ctx); + exf->final(s.tag, ctx); /* Validate tag */ error = 0; if (!CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) { - u_char tag2[GMAC_DIGEST_LEN]; - - crypto_copydata(crp, crp->crp_digest_start, swa->sw_mlen, tag2); - - r = timingsafe_bcmp(tag, tag2, swa->sw_mlen); - explicit_bzero(tag2, sizeof(tag2)); + crypto_copydata(crp, crp->crp_digest_start, swa->sw_mlen, + s.tag2); + r = timingsafe_bcmp(s.tag, s.tag2, swa->sw_mlen); if (r != 0) { error = EBADMSG; goto out; @@ -556,13 +554,13 @@ swcr_gcm(const struct swcr_session *ses, struct cryptop *crp) } } else { /* Inject the authentication data */ - crypto_copyback(crp, crp->crp_digest_start, swa->sw_mlen, tag); + crypto_copyback(crp, crp->crp_digest_start, swa->sw_mlen, + s.tag); } out: explicit_bzero(ctx, exf->ctxsize); - explicit_bzero(blkbuf, sizeof(blkbuf)); - explicit_bzero(tag, sizeof(tag)); + explicit_bzero(&s, sizeof(s)); return (error); } @@ -622,9 +620,12 @@ build_ccm_aad_length(u_int aad_length, uint8_t *blk) static int swcr_ccm_cbc_mac(const struct swcr_session *ses, struct cryptop *crp) { - u_char blk[CCM_CBC_BLOCK_LEN]; - u_char tag[AES_CBC_MAC_HASH_LEN]; - union authctx ctx; + struct { + union authctx ctx; + u_char blk[CCM_CBC_BLOCK_LEN]; + u_char tag[AES_CBC_MAC_HASH_LEN]; + u_char tag2[AES_CBC_MAC_HASH_LEN]; + } s; const struct crypto_session_params *csp; const struct swcr_auth *swa; const struct auth_hash *axf; @@ -635,46 +636,43 @@ swcr_ccm_cbc_mac(const struct swcr_session *ses, struct cryptop *crp) axf = swa->sw_axf; if (crp->crp_auth_key != NULL) { - axf->Init(&ctx); - axf->Setkey(&ctx, crp->crp_auth_key, csp->csp_auth_klen); + axf->Init(&s.ctx); + axf->Setkey(&s.ctx, crp->crp_auth_key, csp->csp_auth_klen); } else - memcpy(&ctx, swa->sw_ictx, axf->ctxsize); + memcpy(&s.ctx, swa->sw_ictx, axf->ctxsize); /* Initialize the IV */ ivlen = csp->csp_ivlen; /* Supply MAC with IV */ - axf->Reinit(&ctx, crp->crp_iv, ivlen); + axf->Reinit(&s.ctx, crp->crp_iv, ivlen); /* Supply MAC with b0. */ build_ccm_b0(crp->crp_iv, ivlen, crp->crp_payload_length, 0, - swa->sw_mlen, blk); - axf->Update(&ctx, blk, CCM_CBC_BLOCK_LEN); + swa->sw_mlen, s.blk); + axf->Update(&s.ctx, s.blk, CCM_CBC_BLOCK_LEN); - len = build_ccm_aad_length(crp->crp_payload_length, blk); - axf->Update(&ctx, blk, len); + len = build_ccm_aad_length(crp->crp_payload_length, s.blk); + axf->Update(&s.ctx, s.blk, len); crypto_apply(crp, crp->crp_payload_start, crp->crp_payload_length, - axf->Update, &ctx); + axf->Update, &s.ctx); /* Finalize MAC */ - axf->Final(tag, &ctx); + axf->Final(s.tag, &s.ctx); error = 0; if (crp->crp_op & CRYPTO_OP_VERIFY_DIGEST) { - u_char tag2[AES_CBC_MAC_HASH_LEN]; - crypto_copydata(crp, crp->crp_digest_start, swa->sw_mlen, - tag2); - if (timingsafe_bcmp(tag, tag2, swa->sw_mlen) != 0) + s.tag2); + if (timingsafe_bcmp(s.tag, s.tag2, swa->sw_mlen) != 0) error = EBADMSG; - explicit_bzero(tag2, sizeof(tag)); } else { /* Inject the authentication data */ - crypto_copyback(crp, crp->crp_digest_start, swa->sw_mlen, tag); + crypto_copyback(crp, crp->crp_digest_start, swa->sw_mlen, + s.tag); } - explicit_bzero(tag, sizeof(tag)); - explicit_bzero(blk, sizeof(blk)); + explicit_bzero(&s, sizeof(s)); return (error); } @@ -682,9 +680,12 @@ static int swcr_ccm(const struct swcr_session *ses, struct cryptop *crp) { const struct crypto_session_params *csp; - uint32_t blkbuf[howmany(AES_BLOCK_LEN, sizeof(uint32_t))]; - u_char *blk = (u_char *)blkbuf; - u_char tag[AES_CBC_MAC_HASH_LEN]; + struct { + uint32_t blkbuf[howmany(AES_BLOCK_LEN, sizeof(uint32_t))]; + u_char tag[AES_CBC_MAC_HASH_LEN]; + u_char tag2[AES_CBC_MAC_HASH_LEN]; + } s; + u_char *blk = (u_char *)s.blkbuf; struct crypto_buffer_cursor cc_in, cc_out; const u_char *inblk; u_char *outblk; @@ -720,7 +721,7 @@ swcr_ccm(const struct swcr_session *ses, struct cryptop *crp) exf->reinit(ctx, crp->crp_iv, ivlen); /* Supply MAC with b0. */ - _Static_assert(sizeof(blkbuf) >= CCM_CBC_BLOCK_LEN, + _Static_assert(sizeof(s.blkbuf) >= CCM_CBC_BLOCK_LEN, "blkbuf too small for b0"); build_ccm_b0(crp->crp_iv, ivlen, crp->crp_aad_length, crp->crp_payload_length, swa->sw_mlen, blk); @@ -796,18 +797,14 @@ swcr_ccm(const struct swcr_session *ses, struct cryptop *crp) } /* Finalize MAC */ - exf->final(tag, ctx); + exf->final(s.tag, ctx); /* Validate tag */ error = 0; if (!CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) { - u_char tag2[AES_CBC_MAC_HASH_LEN]; - crypto_copydata(crp, crp->crp_digest_start, swa->sw_mlen, - tag2); - - r = timingsafe_bcmp(tag, tag2, swa->sw_mlen); - explicit_bzero(tag2, sizeof(tag2)); + s.tag2); + r = timingsafe_bcmp(s.tag, s.tag2, swa->sw_mlen); if (r != 0) { error = EBADMSG; goto out; @@ -841,13 +838,13 @@ swcr_ccm(const struct swcr_session *ses, struct cryptop *crp) } } else { /* Inject the authentication data */ - crypto_copyback(crp, crp->crp_digest_start, swa->sw_mlen, tag); + crypto_copyback(crp, crp->crp_digest_start, swa->sw_mlen, + s.tag); } out: explicit_bzero(ctx, exf->ctxsize); - explicit_bzero(blkbuf, sizeof(blkbuf)); - explicit_bzero(tag, sizeof(tag)); + explicit_bzero(&s, sizeof(s)); return (error); } @@ -855,9 +852,12 @@ static int swcr_chacha20_poly1305(const struct swcr_session *ses, struct cryptop *crp) { const struct crypto_session_params *csp; - uint64_t blkbuf[howmany(CHACHA20_NATIVE_BLOCK_LEN, sizeof(uint64_t))]; - u_char *blk = (u_char *)blkbuf; - u_char tag[POLY1305_HASH_LEN]; + struct { + uint64_t blkbuf[howmany(CHACHA20_NATIVE_BLOCK_LEN, sizeof(uint64_t))]; + u_char tag[POLY1305_HASH_LEN]; + u_char tag2[POLY1305_HASH_LEN]; + } s; + u_char *blk = (u_char *)s.blkbuf; struct crypto_buffer_cursor cc_in, cc_out; const u_char *inblk; u_char *outblk; @@ -873,7 +873,7 @@ swcr_chacha20_poly1305(const struct swcr_session *ses, struct cryptop *crp) swe = &ses->swcr_encdec; exf = swe->sw_exf; blksz = exf->native_blocksize; - KASSERT(blksz <= sizeof(blkbuf), ("%s: blocksize mismatch", __func__)); + KASSERT(blksz <= sizeof(s.blkbuf), ("%s: blocksize mismatch", __func__)); if ((crp->crp_flags & CRYPTO_F_IV_SEPARATE) == 0) return (EINVAL); @@ -950,17 +950,14 @@ swcr_chacha20_poly1305(const struct swcr_session *ses, struct cryptop *crp) exf->update(ctx, blk, sizeof(uint64_t) * 2); /* Finalize MAC */ - exf->final(tag, ctx); + exf->final(s.tag, ctx); /* Validate tag */ error = 0; if (!CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) { - u_char tag2[POLY1305_HASH_LEN]; - - crypto_copydata(crp, crp->crp_digest_start, swa->sw_mlen, tag2); - - r = timingsafe_bcmp(tag, tag2, swa->sw_mlen); - explicit_bzero(tag2, sizeof(tag2)); + crypto_copydata(crp, crp->crp_digest_start, swa->sw_mlen, + s.tag2); + r = timingsafe_bcmp(s.tag, s.tag2, swa->sw_mlen); if (r != 0) { error = EBADMSG; goto out; @@ -993,13 +990,13 @@ swcr_chacha20_poly1305(const struct swcr_session *ses, struct cryptop *crp) } } else { /* Inject the authentication data */ - crypto_copyback(crp, crp->crp_digest_start, swa->sw_mlen, tag); + crypto_copyback(crp, crp->crp_digest_start, swa->sw_mlen, + s.tag); } out: explicit_bzero(ctx, exf->ctxsize); - explicit_bzero(blkbuf, sizeof(blkbuf)); - explicit_bzero(tag, sizeof(tag)); + explicit_bzero(&s, sizeof(s)); return (error); }