commit d324c5954a53cf1cb5da416cdeffe918210e5732
author Gilles Peskine <Gilles.Peskine@arm.com> Tue Sep 11 15:34:17 2018 +0200
committer Gilles Peskine <Gilles.Peskine@arm.com> Thu Sep 13 22:10:46 2018 +0200
tree ae4f445a73c191546c254bb0c1060d4c2c9dd91c
parent d6a63f4ca522dfc6fcba656722679845864c5baa

CTR_DRBG: clean stack buffers

Wipe stack buffers that may contain sensitive data (data that
contributes to the DRBG state.

library/ctr_drbg.c

diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
index ff532a0..fc3188e 100644
--- a/library/ctr_drbg.c
+++ b/library/ctr_drbg.c
@@ -283,9 +283,7 @@
          * Crypt counter block
          */
         if( ( ret = mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, p ) ) != 0 )
-        {
-            return( ret );
-        }
+            goto exit;
 
         p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
     }
@@ -297,12 +295,12 @@
      * Update key and counter
      */
     if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
-    {
-        return( ret );
-    }
+        goto exit;
     memcpy( ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE, MBEDTLS_CTR_DRBG_BLOCKSIZE );
 
-    return( 0 );
+exit:
+    mbedtls_zeroize( tmp, sizeof( tmp ) );
+    return( ret );
 }
 
 void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,
@@ -319,6 +317,7 @@
 
         block_cipher_df( add_input, additional, add_len );
         ctr_drbg_update_internal( ctx, add_input );
+        mbedtls_zeroize( add_input, sizeof( add_input ) );
     }
 }
 
@@ -359,20 +358,18 @@
      * Reduce to 384 bits
      */
     if( ( ret = block_cipher_df( seed, seed, seedlen ) ) != 0 )
-    {
-        return( ret );
-    }
+        goto exit;
 
     /*
      * Update state
      */
     if( ( ret = ctr_drbg_update_internal( ctx, seed ) ) != 0 )
-    {
-        return( ret );
-    }
+        goto exit;
     ctx->reseed_counter = 1;
 
-    return( 0 );
+exit:
+    mbedtls_zeroize( seed, sizeof( seed ) );
+    return( ret );
 }
 
 int mbedtls_ctr_drbg_random_with_add( void *p_rng,
@@ -408,13 +405,9 @@
     if( add_len > 0 )
     {
         if( ( ret = block_cipher_df( add_input, additional, add_len ) ) != 0 )
-        {
-            return( ret );
-        }
+            goto exit;
         if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 )
-        {
-            return( ret );
-        }
+            goto exit;
     }
 
     while( output_len > 0 )
@@ -430,9 +423,7 @@
          * Crypt counter block
          */
         if( ( ret = mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, tmp ) ) != 0 )
-        {
-            return( ret );
-        }
+            goto exit;
 
         use_len = ( output_len > MBEDTLS_CTR_DRBG_BLOCKSIZE ) ? MBEDTLS_CTR_DRBG_BLOCKSIZE :
                                                        output_len;
@@ -445,12 +436,13 @@
     }
 
     if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 )
-    {
-        return( ret );
-    }
+        goto exit;
 
     ctx->reseed_counter++;
 
+exit:
+    mbedtls_zeroize( add_input, sizeof( add_input ) );
+    mbedtls_zeroize( tmp, sizeof( tmp ) );
     return( 0 );
 }