Merge remote-tracking branch 'upstream-restricted/pr/386' into mbedtls-2.1-restricted
diff --git a/ChangeLog b/ChangeLog
index 2928a90..8ab4dbf 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -19,6 +19,8 @@
was independently reported by Tim Nordell via e-mail and by Florin Petriuc
and sjorsdewit on GitHub. Fix proposed by Florin Petriuc in #1022. Fixes #707.
* Tighten should-be-constant-time memcmp against compiler optimizations.
+ * Ensure that buffers are cleared after use if they contain sensitive data.
+ Changes were introduced in multiple places in the library.
Bugfix
* Fix some invalid RSA-PSS signatures with keys of size 8N+1 that were
diff --git a/library/bignum.c b/library/bignum.c
index 52edd3d..142aeac 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -1877,6 +1877,8 @@
MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( X, buf, size ) );
cleanup:
+ mbedtls_zeroize( buf, sizeof( buf ) );
+
return( ret );
}
diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
index 646196e..e8fdd9b 100644
--- a/library/ctr_drbg.c
+++ b/library/ctr_drbg.c
@@ -430,20 +430,20 @@
goto exit;
if( fwrite( buf, 1, MBEDTLS_CTR_DRBG_MAX_INPUT, f ) != MBEDTLS_CTR_DRBG_MAX_INPUT )
- {
ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
- goto exit;
- }
-
- ret = 0;
+ else
+ ret = 0;
exit:
+ mbedtls_zeroize( buf, sizeof( buf ) );
+
fclose( f );
return( ret );
}
int mbedtls_ctr_drbg_update_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path )
{
+ int ret = 0;
FILE *f;
size_t n;
unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ];
@@ -462,14 +462,16 @@
}
if( fread( buf, 1, n, f ) != n )
- {
- fclose( f );
- return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
- }
+ ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
+ else
+ mbedtls_ctr_drbg_update( ctx, buf, n );
fclose( f );
- mbedtls_ctr_drbg_update( ctx, buf, n );
+ mbedtls_zeroize( buf, sizeof( buf ) );
+
+ if( ret != 0 )
+ return( ret );
return( mbedtls_ctr_drbg_write_seed_file( ctx, path ) );
}
diff --git a/library/dhm.c b/library/dhm.c
index dc72c53..1268c5d 100644
--- a/library/dhm.c
+++ b/library/dhm.c
@@ -539,7 +539,10 @@
if( fread( *buf, 1, *n, f ) != *n )
{
fclose( f );
+
+ mbedtls_zeroize( *buf, *n + 1 );
mbedtls_free( *buf );
+
return( MBEDTLS_ERR_DHM_FILE_IO_ERROR );
}
diff --git a/library/entropy.c b/library/entropy.c
index 3622ad2..f19ab4e 100644
--- a/library/entropy.c
+++ b/library/entropy.c
@@ -175,6 +175,8 @@
mbedtls_sha256_update( &ctx->accumulator, p, use_len );
#endif
+ mbedtls_zeroize( tmp, sizeof( tmp ) );
+
return( 0 );
}
@@ -222,7 +224,7 @@
if( ( ret = ctx->source[i].f_source( ctx->source[i].p_source,
buf, MBEDTLS_ENTROPY_MAX_GATHER, &olen ) ) != 0 )
{
- return( ret );
+ goto cleanup;
}
/*
@@ -236,9 +238,12 @@
}
if( have_one_strong == 0 )
- return( MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE );
+ ret = MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE;
- return( 0 );
+cleanup:
+ mbedtls_zeroize( buf, sizeof( buf ) );
+
+ return( ret );
}
/*
@@ -338,6 +343,8 @@
ret = 0;
exit:
+ mbedtls_zeroize( buf, sizeof( buf ) );
+
#if defined(MBEDTLS_THREADING_C)
if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
@@ -368,12 +375,15 @@
ret = 0;
exit:
+ mbedtls_zeroize( buf, sizeof( buf ) );
+
fclose( f );
return( ret );
}
int mbedtls_entropy_update_seed_file( mbedtls_entropy_context *ctx, const char *path )
{
+ int ret = 0;
FILE *f;
size_t n;
unsigned char buf[ MBEDTLS_ENTROPY_MAX_SEED_SIZE ];
@@ -389,14 +399,16 @@
n = MBEDTLS_ENTROPY_MAX_SEED_SIZE;
if( fread( buf, 1, n, f ) != n )
- {
- fclose( f );
- return( MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR );
- }
+ ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
+ else
+ ret = mbedtls_entropy_update_manual( ctx, buf, n );
fclose( f );
- mbedtls_entropy_update_manual( ctx, buf, n );
+ mbedtls_zeroize( buf, sizeof( buf ) );
+
+ if( ret != 0 )
+ return( ret );
return( mbedtls_entropy_write_seed_file( ctx, path ) );
}
diff --git a/library/hmac_drbg.c b/library/hmac_drbg.c
index bf5f9b5..24c609e 100644
--- a/library/hmac_drbg.c
+++ b/library/hmac_drbg.c
@@ -364,11 +364,14 @@
exit:
fclose( f );
+ mbedtls_zeroize( buf, sizeof( buf ) );
+
return( ret );
}
int mbedtls_hmac_drbg_update_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path )
{
+ int ret = 0;
FILE *f;
size_t n;
unsigned char buf[ MBEDTLS_HMAC_DRBG_MAX_INPUT ];
@@ -387,14 +390,16 @@
}
if( fread( buf, 1, n, f ) != n )
- {
- fclose( f );
- return( MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR );
- }
+ ret = MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR;
+ else
+ mbedtls_hmac_drbg_update( ctx, buf, n );
fclose( f );
- mbedtls_hmac_drbg_update( ctx, buf, n );
+ mbedtls_zeroize( buf, sizeof( buf ) );
+
+ if( ret != 0 )
+ return( ret );
return( mbedtls_hmac_drbg_write_seed_file( ctx, path ) );
}
diff --git a/library/md.c b/library/md.c
index eda98f6..75b9717 100644
--- a/library/md.c
+++ b/library/md.c
@@ -312,12 +312,11 @@
md_info->update_func( ctx.md_ctx, buf, n );
if( ferror( f ) != 0 )
- {
ret = MBEDTLS_ERR_MD_FILE_IO_ERROR;
- goto cleanup;
- }
+ else
+ md_info->finish_func( ctx.md_ctx, output );
- md_info->finish_func( ctx.md_ctx, output );
+ mbedtls_zeroize( buf, sizeof( buf ) );
cleanup:
fclose( f );
diff --git a/library/pem.c b/library/pem.c
index 8dd86a4..ea36df8 100644
--- a/library/pem.c
+++ b/library/pem.c
@@ -331,6 +331,7 @@
if( ( ret = mbedtls_base64_decode( buf, len, &len, s1, s2 - s1 ) ) != 0 )
{
+ mbedtls_zeroize( buf, len );
mbedtls_free( buf );
return( MBEDTLS_ERR_PEM_INVALID_DATA + ret );
}
@@ -341,6 +342,7 @@
( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) )
if( pwd == NULL )
{
+ mbedtls_zeroize( buf, len );
mbedtls_free( buf );
return( MBEDTLS_ERR_PEM_PASSWORD_REQUIRED );
}
@@ -369,10 +371,12 @@
*/
if( len <= 2 || buf[0] != 0x30 || buf[1] > 0x83 )
{
+ mbedtls_zeroize( buf, len );
mbedtls_free( buf );
return( MBEDTLS_ERR_PEM_PASSWORD_MISMATCH );
}
#else
+ mbedtls_zeroize( buf, len );
mbedtls_free( buf );
return( MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE );
#endif /* MBEDTLS_MD5_C && MBEDTLS_CIPHER_MODE_CBC &&
diff --git a/library/pkparse.c b/library/pkparse.c
index 2664fe9..361747f 100644
--- a/library/pkparse.c
+++ b/library/pkparse.c
@@ -101,7 +101,10 @@
if( fread( *buf, 1, *n, f ) != *n )
{
fclose( f );
+
+ mbedtls_zeroize( *buf, *n );
mbedtls_free( *buf );
+
return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
}
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 79fb9a7..1c45407 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5870,12 +5870,19 @@
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
- if( conf->psk != NULL || conf->psk_identity != NULL )
+ if( conf->psk != NULL )
{
+ mbedtls_zeroize( conf->psk, conf->psk_len );
+
mbedtls_free( conf->psk );
- mbedtls_free( conf->psk_identity );
conf->psk = NULL;
+ conf->psk_len = 0;
+ }
+ if( conf->psk_identity != NULL )
+ {
+ mbedtls_free( conf->psk_identity );
conf->psk_identity = NULL;
+ conf->psk_identity_len = 0;
}
if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL ||
@@ -5907,7 +5914,11 @@
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
if( ssl->handshake->psk != NULL )
+ {
+ mbedtls_zeroize( ssl->handshake->psk, ssl->handshake->psk_len );
mbedtls_free( ssl->handshake->psk );
+ ssl->handshake->psk_len = 0;
+ }
if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
return( MBEDTLS_ERR_SSL_ALLOC_FAILED );