Merge remote-tracking branch 'restricted/pr/514' into mbedtls-2.1

simonbutcher · simonbutcher · commit 6c2f13927168 · 2018-11-29T17:33:07.000Z
diff --git a/ChangeLog b/ChangeLog
@@ -16,6 +16,8 @@ Security
      plaintexts and forge RSA signatures. Other asymmetric algorithms may
      have been similarly vulnerable. Reported by Eyal Ronen, Robert Gillham,
      Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom.
+   * Wipe sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG
+     modules.
 
 = mbed TLS 2.1.16 branch released 2018-11-19
 
diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
@@ -226,6 +226,10 @@ static int block_cipher_df( unsigned char *output,
 
     mbedtls_aes_free( &aes_ctx );
 
+    mbedtls_zeroize( buf, sizeof( buf ) );
+    mbedtls_zeroize( tmp, sizeof( tmp ) );
+    mbedtls_zeroize( key, sizeof( key ) );
+    mbedtls_zeroize( chain, sizeof( chain ) );
     return( 0 );
 }
 
@@ -264,6 +268,7 @@ static int ctr_drbg_update_internal( mbedtls_ctr_drbg_context *ctx,
     mbedtls_aes_setkey_enc( &ctx->aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS );
     memcpy( ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE, MBEDTLS_CTR_DRBG_BLOCKSIZE );
 
+    mbedtls_zeroize( tmp, sizeof( tmp ) );
     return( 0 );
 }
 
@@ -281,6 +286,7 @@ void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,
 
         block_cipher_df( add_input, additional, add_len );
         ctr_drbg_update_internal( ctx, add_input );
+        mbedtls_zeroize( add_input, sizeof( add_input ) );
     }
 }
 
@@ -327,6 +333,7 @@ int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
     ctr_drbg_update_internal( ctx, seed );
     ctx->reseed_counter = 1;
 
+    mbedtls_zeroize( seed, sizeof( seed ) );
     return( 0 );
 }
 
@@ -393,6 +400,8 @@ int mbedtls_ctr_drbg_random_with_add( void *p_rng,
 
     ctx->reseed_counter++;
 
+    mbedtls_zeroize( add_input, sizeof( add_input ) );
+    mbedtls_zeroize( tmp, sizeof( tmp ) );
     return( 0 );
 }
 
diff --git a/library/hmac_drbg.c b/library/hmac_drbg.c
@@ -93,6 +93,8 @@ void mbedtls_hmac_drbg_update( mbedtls_hmac_drbg_context *ctx,
         mbedtls_md_hmac_update( &ctx->md_ctx, ctx->V, md_len );
         mbedtls_md_hmac_finish( &ctx->md_ctx, ctx->V );
     }
+
+    mbedtls_zeroize( K, sizeof( K ) );
 }
 
 /*
@@ -158,6 +160,7 @@ int mbedtls_hmac_drbg_reseed( mbedtls_hmac_drbg_context *ctx,
     ctx->reseed_counter = 1;
 
     /* 4. Done */
+    mbedtls_zeroize( seed, seedlen );
     return( 0 );
 }
 

Original file line number	Diff line number	Diff line change
`@@ -226,6 +226,10 @@ static int block_cipher_df( unsigned char *output,`
`226`	`226`
`227`	`227`	`mbedtls_aes_free( &aes_ctx );`
`228`	`228`
	`229`	`+ mbedtls_zeroize( buf, sizeof( buf ) );`
	`230`	`+ mbedtls_zeroize( tmp, sizeof( tmp ) );`
	`231`	`+ mbedtls_zeroize( key, sizeof( key ) );`
	`232`	`+ mbedtls_zeroize( chain, sizeof( chain ) );`
`229`	`233`	`return( 0 );`
`230`	`234`	`}`
`231`	`235`
`@@ -264,6 +268,7 @@ static int ctr_drbg_update_internal( mbedtls_ctr_drbg_context *ctx,`
`264`	`268`	`mbedtls_aes_setkey_enc( &ctx->aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS );`
`265`	`269`	`memcpy( ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE, MBEDTLS_CTR_DRBG_BLOCKSIZE );`
`266`	`270`
	`271`	`+ mbedtls_zeroize( tmp, sizeof( tmp ) );`
`267`	`272`	`return( 0 );`
`268`	`273`	`}`
`269`	`274`
`@@ -281,6 +286,7 @@ void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,`
`281`	`286`
`282`	`287`	`block_cipher_df( add_input, additional, add_len );`
`283`	`288`	`ctr_drbg_update_internal( ctx, add_input );`
	`289`	`+ mbedtls_zeroize( add_input, sizeof( add_input ) );`
`284`	`290`	`}`
`285`	`291`	`}`
`286`	`292`
`@@ -327,6 +333,7 @@ int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,`
`327`	`333`	`ctr_drbg_update_internal( ctx, seed );`
`328`	`334`	`ctx->reseed_counter = 1;`
`329`	`335`
	`336`	`+ mbedtls_zeroize( seed, sizeof( seed ) );`
`330`	`337`	`return( 0 );`
`331`	`338`	`}`
`332`	`339`
`@@ -393,6 +400,8 @@ int mbedtls_ctr_drbg_random_with_add( void *p_rng,`
`393`	`400`
`394`	`401`	`ctx->reseed_counter++;`
`395`	`402`
	`403`	`+ mbedtls_zeroize( add_input, sizeof( add_input ) );`
	`404`	`+ mbedtls_zeroize( tmp, sizeof( tmp ) );`
`396`	`405`	`return( 0 );`
`397`	`406`	`}`
`398`	`407`
Original file line number	Diff line number	Diff line change
`@@ -93,6 +93,8 @@ void mbedtls_hmac_drbg_update( mbedtls_hmac_drbg_context *ctx,`
`93`	`93`	`mbedtls_md_hmac_update( &ctx->md_ctx, ctx->V, md_len );`
`94`	`94`	`mbedtls_md_hmac_finish( &ctx->md_ctx, ctx->V );`
`95`	`95`	`}`
	`96`	`+`
	`97`	`+ mbedtls_zeroize( K, sizeof( K ) );`
`96`	`98`	`}`
`97`	`99`
`98`	`100`	`/*`
`@@ -158,6 +160,7 @@ int mbedtls_hmac_drbg_reseed( mbedtls_hmac_drbg_context *ctx,`
`158`	`160`	`ctx->reseed_counter = 1;`
`159`	`161`
`160`	`162`	`/* 4. Done */`
	`163`	`+ mbedtls_zeroize( seed, seedlen );`
`161`	`164`	`return( 0 );`
`162`	`165`	`}`
`163`	`166`