fpsensor: replace memset() with always_memset()

In fpsensor code, use always_memset() in place of memset().

BRANCH=nocturne
BUG=chromium:968809,chromium:989594,b:130238794
TEST=make -j buildall
TEST=tested enrollment, matching and multifinger on nocturne DUT

Change-Id: I29e32bd2838c1f240607799e61f29759aaee7600
Signed-off-by: Yicheng Li <yichengli@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/1737206
Reviewed-by: Tom Hughes <tomhughes@chromium.org>

1 files changed, 4 insertions, 3 deletions

diff --git a/common/fpsensor/fpsensor_crypto.c b/common/fpsensor/fpsensor_crypto.c
index 6385b7116d..d5bbd03c38 100644
--- a/common/fpsensor/fpsensor_crypto.c
+++ b/common/fpsensor/fpsensor_crypto.c
@@ -5,6 +5,7 @@
 
 #include "aes.h"
 #include "aes-gcm.h"
+#include "cryptoc/util.h"
 #include "fpsensor_crypto.h"
 #include "fpsensor_private.h"
 #include "fpsensor_state.h"
@@ -77,7 +78,7 @@ static int hkdf_expand_one_step(uint8_t *out_key, size_t out_key_size,
 	hmac_SHA256(key_buf, prk, prk_size, message_buf, info_size + 1);
 
 	memcpy(out_key, key_buf, out_key_size);
-	memset(key_buf, 0, sizeof(key_buf));
+	always_memset(key_buf, 0, sizeof(key_buf));
 
 	return EC_SUCCESS;
 }
@@ -100,7 +101,7 @@ int derive_encryption_key(uint8_t *out_key, const uint8_t *salt)
 
 	/* "Extract step of HKDF. */
 	hkdf_extract(prk, salt, FP_CONTEXT_SALT_BYTES, ikm, sizeof(ikm));
-	memset(ikm, 0, sizeof(ikm));
+	always_memset(ikm, 0, sizeof(ikm));
 
 	/*
 	 * Only 1 "expand" step of HKDF since the size of the "info" context
@@ -109,7 +110,7 @@ int derive_encryption_key(uint8_t *out_key, const uint8_t *salt)
 	 */
 	ret = hkdf_expand_one_step(out_key, SBP_ENC_KEY_LEN, prk, sizeof(prk),
 				   (uint8_t *)user_id, sizeof(user_id));
-	memset(prk, 0, sizeof(prk));
+	always_memset(prk, 0, sizeof(prk));
 
 	return ret;
 }