Skip to content

Commit e4dea8f

Browse files
douzzerdouzzer
authored
Merge pull request #9885 from Frauschi/missing_force_zero
Add missing ForceZero calls
2 parents f9b1521 + 001eae7 commit e4dea8f

3 files changed

Lines changed: 90 additions & 32 deletions

File tree

src/keys.c

Lines changed: 52 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,12 @@
3333
#include <stdio.h>
3434
#endif
3535
#endif
36+
#ifdef NO_INLINE
37+
#include <wolfssl/wolfcrypt/misc.h>
38+
#else
39+
#define WOLFSSL_MISC_INCLUDED
40+
#include <wolfcrypt/src/misc.c>
41+
#endif
3642

3743
#if defined(WOLFSSL_RENESAS_FSPSM_TLS) || defined(WOLFSSL_RENESAS_TSIP_TLS)
3844
#include <wolfssl/wolfcrypt/port/Renesas/renesas_cmn.h>
@@ -3902,6 +3908,7 @@ int DeriveKeys(WOLFSSL* ssl)
39023908
return MEMORY_E;
39033909
}
39043910
#endif
3911+
39053912
XMEMSET(shaOutput, 0, WC_SHA_DIGEST_SIZE);
39063913
ret = wc_InitMd5(md5);
39073914
if (ret == 0) {
@@ -3948,6 +3955,26 @@ int DeriveKeys(WOLFSSL* ssl)
39483955
ret = StoreKeys(ssl, keyData, PROVISION_CLIENT_SERVER);
39493956
}
39503957

3958+
#ifdef WOLFSSL_CHECK_MEM_ZERO
3959+
wc_MemZero_Add("DeriveKeys shaOutput", shaOutput, WC_SHA_DIGEST_SIZE);
3960+
wc_MemZero_Add("DeriveKeys md5Input", md5Input,
3961+
SECRET_LEN + WC_SHA_DIGEST_SIZE);
3962+
wc_MemZero_Add("DeriveKeys shaInput", shaInput,
3963+
KEY_PREFIX + SECRET_LEN + 2 * RAN_LEN);
3964+
wc_MemZero_Add("DeriveKeys keyData", keyData,
3965+
KEY_PREFIX * WC_MD5_DIGEST_SIZE);
3966+
#endif
3967+
ForceZero(shaOutput, WC_SHA_DIGEST_SIZE);
3968+
ForceZero(md5Input, SECRET_LEN + WC_SHA_DIGEST_SIZE);
3969+
ForceZero(shaInput, KEY_PREFIX + SECRET_LEN + 2 * RAN_LEN);
3970+
ForceZero(keyData, KEY_PREFIX * WC_MD5_DIGEST_SIZE);
3971+
#ifdef WOLFSSL_CHECK_MEM_ZERO
3972+
wc_MemZero_Check(shaOutput, WC_SHA_DIGEST_SIZE);
3973+
wc_MemZero_Check(md5Input, SECRET_LEN + WC_SHA_DIGEST_SIZE);
3974+
wc_MemZero_Check(shaInput, KEY_PREFIX + SECRET_LEN + 2 * RAN_LEN);
3975+
wc_MemZero_Check(keyData, KEY_PREFIX * WC_MD5_DIGEST_SIZE);
3976+
#endif
3977+
39513978
WC_FREE_VAR_EX(shaOutput, NULL, DYNAMIC_TYPE_TMP_BUFFER);
39523979
WC_FREE_VAR_EX(md5Input, NULL, DYNAMIC_TYPE_TMP_BUFFER);
39533980
WC_FREE_VAR_EX(shaInput, NULL, DYNAMIC_TYPE_TMP_BUFFER);
@@ -3959,26 +3986,24 @@ int DeriveKeys(WOLFSSL* ssl)
39593986
}
39603987

39613988

3962-
static int CleanPreMaster(WOLFSSL* ssl)
3989+
static void CleanPreMaster(WOLFSSL* ssl)
39633990
{
3964-
int i, ret, sz = (int)(ssl->arrays->preMasterSz);
3991+
int sz = (int)(ssl->arrays->preMasterSz);
39653992

3966-
for (i = 0; i < sz; i++)
3967-
ssl->arrays->preMasterSecret[i] = 0;
3993+
#ifdef WOLFSSL_CHECK_MEM_ZERO
3994+
wc_MemZero_Add("CleanPreMaster preMasterSecret",
3995+
ssl->arrays->preMasterSecret, sz);
3996+
#endif
39683997

3969-
ret = wc_RNG_GenerateBlock(ssl->rng, ssl->arrays->preMasterSecret,
3970-
(word32)(sz));
3971-
if (ret != 0)
3972-
return ret;
3998+
ForceZero(ssl->arrays->preMasterSecret, sz);
39733999

3974-
for (i = 0; i < sz; i++)
3975-
ssl->arrays->preMasterSecret[i] = 0;
4000+
#ifdef WOLFSSL_CHECK_MEM_ZERO
4001+
wc_MemZero_Check(ssl->arrays->preMasterSecret, sz);
4002+
#endif
39764003

39774004
XFREE(ssl->arrays->preMasterSecret, ssl->heap, DYNAMIC_TYPE_SECRET);
39784005
ssl->arrays->preMasterSecret = NULL;
39794006
ssl->arrays->preMasterSz = 0;
3980-
3981-
return 0;
39824007
}
39834008

39844009

@@ -4038,6 +4063,13 @@ static int MakeSslMasterSecret(WOLFSSL* ssl)
40384063
return MEMORY_E;
40394064
}
40404065
#endif
4066+
#ifdef WOLFSSL_CHECK_MEM_ZERO
4067+
wc_MemZero_Add("MakeSslMasterSecret md5Input", md5Input,
4068+
ENCRYPT_LEN + WC_SHA_DIGEST_SIZE);
4069+
wc_MemZero_Add("MakeSslMasterSecret shaInput", shaInput,
4070+
PREFIX + ENCRYPT_LEN + 2 * RAN_LEN);
4071+
#endif
4072+
40414073
XMEMSET(shaOutput, 0, WC_SHA_DIGEST_SIZE);
40424074

40434075
ret = wc_InitMd5(md5);
@@ -4096,16 +4128,20 @@ static int MakeSslMasterSecret(WOLFSSL* ssl)
40964128
ret = DeriveKeys(ssl);
40974129
}
40984130

4131+
ForceZero(md5Input, ENCRYPT_LEN + WC_SHA_DIGEST_SIZE);
4132+
ForceZero(shaInput, PREFIX + ENCRYPT_LEN + 2 * RAN_LEN);
4133+
#ifdef WOLFSSL_CHECK_MEM_ZERO
4134+
wc_MemZero_Check(md5Input, ENCRYPT_LEN + WC_SHA_DIGEST_SIZE);
4135+
wc_MemZero_Check(shaInput, PREFIX + ENCRYPT_LEN + 2 * RAN_LEN);
4136+
#endif
4137+
40994138
WC_FREE_VAR_EX(shaOutput, NULL, DYNAMIC_TYPE_TMP_BUFFER);
41004139
WC_FREE_VAR_EX(md5Input, NULL, DYNAMIC_TYPE_TMP_BUFFER);
41014140
WC_FREE_VAR_EX(shaInput, NULL, DYNAMIC_TYPE_TMP_BUFFER);
41024141
WC_FREE_VAR_EX(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER);
41034142
WC_FREE_VAR_EX(sha, NULL, DYNAMIC_TYPE_TMP_BUFFER);
41044143

4105-
if (ret == 0)
4106-
ret = CleanPreMaster(ssl);
4107-
else
4108-
CleanPreMaster(ssl);
4144+
CleanPreMaster(ssl);
41094145

41104146
return ret;
41114147
}

src/tls.c

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -488,6 +488,14 @@ int DeriveTlsKeys(WOLFSSL* ssl)
488488
if (ret == 0)
489489
ret = StoreKeys(ssl, key_dig, PROVISION_CLIENT_SERVER);
490490

491+
#ifdef WOLFSSL_CHECK_MEM_ZERO
492+
wc_MemZero_Add("DeriveTlsKeys key_dig", key_dig, MAX_PRF_DIG);
493+
#endif
494+
ForceZero(key_dig, MAX_PRF_DIG);
495+
#ifdef WOLFSSL_CHECK_MEM_ZERO
496+
wc_MemZero_Check(key_dig, MAX_PRF_DIG);
497+
#endif
498+
491499
WC_FREE_VAR_EX(key_dig, ssl->heap, DYNAMIC_TYPE_DIGEST);
492500

493501
return ret;

src/tls13.c

Lines changed: 30 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -1207,16 +1207,22 @@ int DeriveHandshakeSecret(WOLFSSL* ssl)
12071207
ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret,
12081208
derivedLabel, DERIVED_LABEL_SZ,
12091209
NULL, 0, ssl->specs.mac_algorithm);
1210-
if (ret != 0)
1211-
return ret;
1212-
1213-
PRIVATE_KEY_UNLOCK();
1214-
ret = Tls13_HKDF_Extract(ssl, ssl->arrays->preMasterSecret,
1215-
key, ssl->specs.hash_size,
1216-
ssl->arrays->preMasterSecret, (int)ssl->arrays->preMasterSz,
1217-
mac2hash(ssl->specs.mac_algorithm));
1218-
PRIVATE_KEY_LOCK();
1210+
if (ret == 0) {
1211+
PRIVATE_KEY_UNLOCK();
1212+
ret = Tls13_HKDF_Extract(ssl, ssl->arrays->preMasterSecret,
1213+
key, ssl->specs.hash_size,
1214+
ssl->arrays->preMasterSecret, (int)ssl->arrays->preMasterSz,
1215+
mac2hash(ssl->specs.mac_algorithm));
1216+
PRIVATE_KEY_LOCK();
1217+
}
12191218

1219+
#ifdef WOLFSSL_CHECK_MEM_ZERO
1220+
wc_MemZero_Add("DeriveHandshakeSecret key", key, WC_MAX_DIGEST_SIZE);
1221+
#endif
1222+
ForceZero(key, sizeof(key));
1223+
#ifdef WOLFSSL_CHECK_MEM_ZERO
1224+
wc_MemZero_Check(key, sizeof(key));
1225+
#endif
12201226
return ret;
12211227
}
12221228

@@ -1244,14 +1250,22 @@ int DeriveMasterSecret(WOLFSSL* ssl)
12441250
ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->preMasterSecret,
12451251
derivedLabel, DERIVED_LABEL_SZ,
12461252
NULL, 0, ssl->specs.mac_algorithm);
1247-
if (ret != 0)
1248-
return ret;
1253+
if (ret == 0) {
1254+
PRIVATE_KEY_UNLOCK();
1255+
ret = Tls13_HKDF_Extract(ssl, ssl->arrays->masterSecret,
1256+
key, ssl->specs.hash_size,
1257+
ssl->arrays->masterSecret, 0,
1258+
mac2hash(ssl->specs.mac_algorithm));
1259+
PRIVATE_KEY_LOCK();
1260+
}
12491261

1250-
PRIVATE_KEY_UNLOCK();
1251-
ret = Tls13_HKDF_Extract(ssl, ssl->arrays->masterSecret,
1252-
key, ssl->specs.hash_size,
1253-
ssl->arrays->masterSecret, 0, mac2hash(ssl->specs.mac_algorithm));
1254-
PRIVATE_KEY_LOCK();
1262+
#ifdef WOLFSSL_CHECK_MEM_ZERO
1263+
wc_MemZero_Add("DeriveMasterSecret key", key, WC_MAX_DIGEST_SIZE);
1264+
#endif
1265+
ForceZero(key, sizeof(key));
1266+
#ifdef WOLFSSL_CHECK_MEM_ZERO
1267+
wc_MemZero_Check(key, sizeof(key));
1268+
#endif
12551269

12561270
#ifdef HAVE_KEYING_MATERIAL
12571271
if (ret != 0)

0 commit comments

Comments
 (0)