Allocate internal buffer in LUKS2 keyring token with crypt_safe_alloc.

With changes in db65a5ceac and subsequent
drop of library memlock_all we should lock keyring key material buffer
in memory system memory as well.

lib/luks2/luks2_internal.h

@@ -189,6 +189,8 @@ void keyring_dump(struct crypt_device *cd, const char *json);
 
 int keyring_validate(struct crypt_device *cd, const char *json);
 
+void keyring_buffer_free(void *buffer, size_t buffer_size);
+
 struct crypt_token_handler_v2 {
 	const char *name;
 	crypt_token_open_func open;

lib/luks2/luks2_token.c

@@ -37,6 +37,7 @@ static struct crypt_token_handler_internal token_handlers[LUKS2_TOKENS_MAX] = {
 	  .u = {
 		  .v1 = { .name = LUKS2_TOKEN_KEYRING,
 			  .open = keyring_open,
+			  .buffer_free = keyring_buffer_free,
 			  .validate = keyring_validate,
 			  .dump = keyring_dump }
 	       }

lib/luks2/luks2_token_keyring.c

@@ -137,3 +137,8 @@ int LUKS2_token_keyring_get(struct luks2_hdr *hdr,
 
 	return token;
 }
+
+void keyring_buffer_free(void *buffer, size_t buffer_len __attribute__((unused)))
+{
+	crypt_safe_free(buffer);
+}

lib/setup.c

@@ -6491,8 +6491,7 @@ int crypt_activate_by_keyring(struct crypt_device *cd,
 
 	r = _activate_by_passphrase(cd, name, keyslot, passphrase, passphrase_size, flags);
 
-	crypt_safe_memzero(passphrase, passphrase_size);
+	crypt_safe_free(passphrase);
-	free(passphrase);
 
 	return r;
 }

lib/utils_keyring.c

@@ -163,7 +163,7 @@ int keyring_get_passphrase(const char *key_desc,
 	ret = keyctl_read(kid, NULL, 0);
 	if (ret > 0) {
 		len = ret;
-		buf = malloc(len);
+		buf = crypt_safe_alloc(len);
 		if (!buf)
 			return -ENOMEM;
 
@@ -173,9 +173,7 @@ int keyring_get_passphrase(const char *key_desc,
 
 	if (ret < 0) {
 		err = errno;
-		if (buf)
+		crypt_safe_free(buf);
-			crypt_safe_memzero(buf, len);
-		free(buf);
 		return -err;
 	}