TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / a8405447aa8ee90c3f3d5e0360d7168ba9b7bb74^! / .
commita8405447aa8ee90c3f3d5e0360d7168ba9b7bb74[log] [tgz]
authorAndrzej Kurek <andrzej.kurek@arm.com>Tue Nov 12 03:34:03 2019 -0500
committerSimon Butcher <simon.butcher@arm.com>Fri Mar 13 15:27:12 2020 +0000
treee954dd693ef3df1600a7655d8b159bc8364d8014
parente9db2aa5b47899c7292fe544369e96d0330e6938 [diff]
Zeroize local AES variables before exiting the function

This issue has been reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
Grant Hernandez, and Kevin Butler (University of Florida) and
Dave Tian (Purdue University).

In AES encrypt and decrypt some variables were left on the stack. The value
of these variables can be used to recover the last round key. To follow best
practice and to limit the impact of buffer overread vulnerabilities (like
Heartbleed) we need to zeroize them before exiting the function.
diff --git a/ChangeLog b/ChangeLog
index 95c0d17..8a9e6d6 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -71,6 +71,14 @@
      blinded value, factor it (as it is smaller than RSA keys and not guaranteed
      to have only large prime factors), and then, by brute force, recover the
      key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
+   * Zeroize local variables in mbedtls_internal_aes_encrypt() and
+     mbedtls_internal_aes_decrypt() before exiting the function. The value of
+     these variables can be used to recover the last round key. To follow best
+     practice and to limit the impact of buffer overread vulnerabilities (like
+     Heartbleed) we need to zeroize them before exiting the function.
+     Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
+     Grant Hernandez, and Kevin Butler (University of Florida) and
+     Dave Tian (Purdue University).
 
 Bugfix
    * Remove redundant line for getting the bitlen of a bignum, since the variable

diff --git a/library/aes.c b/library/aes.c
index 9098d47..5746987 100644
--- a/library/aes.c
+++ b/library/aes.c

@@ -1246,6 +1246,18 @@
     PUT_UINT32_LE( X2, output,  8 );
     PUT_UINT32_LE( X3, output, 12 );
 
+    mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
+    mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
+    mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
+    mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
+
+    mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
+    mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
+    mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
+    mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
+
+    mbedtls_platform_zeroize( &RK, sizeof( RK ) );
+
     return( 0 );
 }
 #endif /* MBEDTLS_AES_SCA_COUNTERMEASURES */
@@ -1513,6 +1525,18 @@
     PUT_UINT32_LE( X2, output,  8 );
     PUT_UINT32_LE( X3, output, 12 );
 
+    mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
+    mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
+    mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
+    mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
+
+    mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
+    mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
+    mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
+    mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
+
+    mbedtls_platform_zeroize( &RK, sizeof( RK ) );
+
     return( 0 );
 }
 #endif /* MBEDTLS_AES_SCA_COUNTERMEASURES */