Zeroize internal buffers and variables in PKCS and SHA Zeroising of local buffers and variables which are used for calculations in mbedtls_pkcs5_pbkdf2_hmac() and mbedtls_internal_sha*_process() functions to erase sensitive data from memory. Checked all function for possible missing zeroisation in PKCS and SHA. Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>

commit: 461c5a89dfd9cccd76815b2ce38e1edc501edf77 [log] [tgz]
author: gabor-mezei-arm <gabor.mezei@arm.com> Thu Jul 30 16:41:25 2020 +0200
committer: gabor-mezei-arm <gabor.mezei@arm.com> Wed Sep 09 14:49:31 2020 +0200
tree: bb022c491e09b2877435a800054cff127a0e5694
parent: d4c464ff225c55f767316d79ebf3f0821d6b14aa [diff] [blame]
diff --git a/library/pkcs5.c b/library/pkcs5.c
index 8a80aa5..1533a92 100644
--- a/library/pkcs5.c
+++ b/library/pkcs5.c

@@ -79,6 +79,11 @@
 #define mbedtls_printf printf
 #endif
 
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
+}
+
 #if defined(MBEDTLS_ASN1_PARSE_C)
 static int pkcs5_parse_pbkdf2_params( const mbedtls_asn1_buf *params,
                                       mbedtls_asn1_buf *salt, int *iterations,
@@ -312,6 +317,10 @@
                 break;
     }
 
+    /* Zeroise buffers to clear sensitive data from memory. */
+    mbedtls_zeroize( work, MBEDTLS_MD_MAX_SIZE );
+    mbedtls_zeroize( md1, MBEDTLS_MD_MAX_SIZE );
+
     return( 0 );
 }
commit	461c5a89dfd9cccd76815b2ce38e1edc501edf77	[log] [tgz]
author	gabor-mezei-arm <gabor.mezei@arm.com>	Thu Jul 30 16:41:25 2020 +0200
committer	gabor-mezei-arm <gabor.mezei@arm.com>	Wed Sep 09 14:49:31 2020 +0200
tree	bb022c491e09b2877435a800054cff127a0e5694
parent	d4c464ff225c55f767316d79ebf3f0821d6b14aa [diff] [blame]