From 346177255931fb1e3514e124a1f598715a5fe92d Mon Sep 17 00:00:00 2001 From: Paul Bakker Date: Fri, 13 Jun 2014 17:20:13 +0200 Subject: [PATCH] Introduce polarssl_zeroize() instead of memset() for zeroization --- ChangeLog | 2 + library/aes.c | 7 ++- library/bignum.c | 11 +++-- library/camellia.c | 7 ++- library/ccm.c | 9 +++- library/cipher.c | 6 +++ library/cipher_wrap.c | 20 +++++++- library/des.c | 13 +++-- library/dhm.c | 9 +++- library/ecp.c | 7 ++- library/entropy.c | 7 ++- library/gcm.c | 9 +++- library/hmac_drbg.c | 7 ++- library/md.c | 8 ++- library/md2.c | 15 ++++-- library/md4.c | 15 ++++-- library/md5.c | 15 ++++-- library/md_wrap.c | 14 ++++++ library/memory_buffer_alloc.c | 7 ++- library/pem.c | 27 +++++----- library/pk.c | 8 ++- library/pk_wrap.c | 6 +++ library/pkparse.c | 9 +++- library/ripemd160.c | 15 ++++-- library/sha1.c | 15 ++++-- library/sha256.c | 15 ++++-- library/sha512.c | 15 ++++-- library/ssl_cli.c | 9 ++++ library/ssl_srv.c | 7 ++- library/ssl_tls.c | 77 +++++++++++++++-------------- library/x509_crl.c | 15 ++++-- library/x509_crt.c | 19 ++++--- library/x509_csr.c | 13 +++-- library/x509write_crt.c | 7 ++- library/x509write_csr.c | 7 ++- tests/suites/test_suite_md.function | 2 - 36 files changed, 325 insertions(+), 129 deletions(-) diff --git a/ChangeLog b/ChangeLog index 67332bf48..110398ec2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,6 +14,8 @@ Features Changes * Add LINK_WITH_PTHREAD option in CMake for explicit linking that is required on some platforms (e.g. OpenBSD) + * Migrate zeroizing of data to polarssl_zeroize() instead of memset() + against unwanted compiler optimizations Bugfix * Fix in debug_print_msg() diff --git a/library/aes.c b/library/aes.c index c03cbbe83..38e5e954b 100644 --- a/library/aes.c +++ b/library/aes.c @@ -53,6 +53,11 @@ #if !defined(POLARSSL_AES_ALT) +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + /* * 32-bit integer manipulation macros (little endian) */ @@ -633,7 +638,7 @@ int aes_setkey_dec( aes_context *ctx, const unsigned char *key, #if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64) done: #endif - memset( &cty, 0, sizeof( aes_context ) ); + polarssl_zeroize( &cty, sizeof( aes_context ) ); return( 0 ); } diff --git a/library/bignum.c b/library/bignum.c index 56670d418..eda046c9b 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -51,6 +51,11 @@ #include +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + #define ciL (sizeof(t_uint)) /* chars in limb */ #define biL (ciL << 3) /* bits in limb */ #define biH (ciL << 2) /* half limb size */ @@ -84,7 +89,7 @@ void mpi_free( mpi *X ) if( X->p != NULL ) { - memset( X->p, 0, X->n * ciL ); + polarssl_zeroize( X->p, X->n * ciL ); polarssl_free( X->p ); } @@ -113,7 +118,7 @@ int mpi_grow( mpi *X, size_t nblimbs ) if( X->p != NULL ) { memcpy( p, X->p, X->n * ciL ); - memset( X->p, 0, X->n * ciL ); + polarssl_zeroize( X->p, X->n * ciL ); polarssl_free( X->p ); } @@ -153,7 +158,7 @@ int mpi_shrink( mpi *X, size_t nblimbs ) if( X->p != NULL ) { memcpy( p, X->p, i * ciL ); - memset( X->p, 0, X->n * ciL ); + polarssl_zeroize( X->p, X->n * ciL ); polarssl_free( X->p ); } diff --git a/library/camellia.c b/library/camellia.c index 306be61fe..9fab664f0 100644 --- a/library/camellia.c +++ b/library/camellia.c @@ -47,6 +47,11 @@ #if !defined(POLARSSL_CAMELLIA_ALT) +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + /* * 32-bit integer manipulation macros (big endian) */ @@ -463,7 +468,7 @@ int camellia_setkey_dec( camellia_context *ctx, const unsigned char *key, *RK++ = *SK++; *RK++ = *SK++; - memset( &cty, 0, sizeof( camellia_context ) ); + polarssl_zeroize( &cty, sizeof( camellia_context ) ); return( 0 ); } diff --git a/library/ccm.c b/library/ccm.c index f245d680e..91dee6720 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -42,6 +42,11 @@ #include "polarssl/ccm.h" +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + #define CCM_ENCRYPT 0 #define CCM_DECRYPT 1 @@ -81,7 +86,7 @@ int ccm_init( ccm_context *ctx, cipher_id_t cipher, void ccm_free( ccm_context *ctx ) { (void) cipher_free_ctx( &ctx->cipher_ctx ); - memset( ctx, 0, sizeof( ccm_context ) ); + polarssl_zeroize( ctx, sizeof( ccm_context ) ); } /* @@ -320,7 +325,7 @@ int ccm_auth_decrypt( ccm_context *ctx, size_t length, if( diff != 0 ) { - memset( output, 0, length ); + polarssl_zeroize( output, length ); return( POLARSSL_ERR_CCM_AUTH_FAILED ); } diff --git a/library/cipher.c b/library/cipher.c index 4f76b487a..794f34f0c 100644 --- a/library/cipher.c +++ b/library/cipher.c @@ -57,6 +57,11 @@ #define strcasecmp _stricmp #endif +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + static int supported_init = 0; const int *cipher_list( void ) @@ -152,6 +157,7 @@ int cipher_free_ctx( cipher_context_t *ctx ) return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA; ctx->cipher_info->base->ctx_free_func( ctx->cipher_ctx ); + polarssl_zeroize( ctx, sizeof(cipher_context_t) ); return 0; } diff --git a/library/cipher_wrap.c b/library/cipher_wrap.c index e80a3655a..c045322d4 100644 --- a/library/cipher_wrap.c +++ b/library/cipher_wrap.c @@ -74,6 +74,11 @@ #include +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + #if defined(POLARSSL_GCM_C) /* shared by all GCM ciphers */ static void *gcm_ctx_alloc( void ) @@ -187,6 +192,7 @@ static void * aes_ctx_alloc( void ) static void aes_ctx_free( void *ctx ) { + polarssl_zeroize( ctx, sizeof( aes_context ) ); polarssl_free( ctx ); } @@ -540,6 +546,7 @@ static void * camellia_ctx_alloc( void ) static void camellia_ctx_free( void *ctx ) { + polarssl_zeroize( ctx, sizeof( camellia_context ) ); polarssl_free( ctx ); } @@ -948,6 +955,13 @@ static void * des3_ctx_alloc( void ) static void des_ctx_free( void *ctx ) { + polarssl_zeroize( ctx, sizeof( des_context ) ); + polarssl_free( ctx ); +} + +static void des3_ctx_free( void *ctx ) +{ + polarssl_zeroize( ctx, sizeof( des3_context ) ); polarssl_free( ctx ); } @@ -998,7 +1012,7 @@ const cipher_base_t des_ede_info = { des3_set2key_enc_wrap, des3_set2key_dec_wrap, des3_ctx_alloc, - des_ctx_free + des3_ctx_free }; const cipher_info_t des_ede_ecb_info = { @@ -1035,7 +1049,7 @@ const cipher_base_t des_ede3_info = { des3_set3key_enc_wrap, des3_set3key_dec_wrap, des3_ctx_alloc, - des_ctx_free + des3_ctx_free }; const cipher_info_t des_ede3_ecb_info = { @@ -1143,6 +1157,7 @@ static void * blowfish_ctx_alloc( void ) static void blowfish_ctx_free( void *ctx ) { + polarssl_zeroize( ctx, sizeof( blowfish_context ) ); polarssl_free( ctx ); } @@ -1236,6 +1251,7 @@ static void * arc4_ctx_alloc( void ) static void arc4_ctx_free( void *ctx ) { + polarssl_zeroize( ctx, sizeof( arc4_context ) ); polarssl_free( ctx ); } diff --git a/library/des.c b/library/des.c index 2f06af3d2..a979096eb 100644 --- a/library/des.c +++ b/library/des.c @@ -47,6 +47,11 @@ #if !defined(POLARSSL_DES_ALT) +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + /* * 32-bit integer manipulation macros (big endian) */ @@ -519,7 +524,7 @@ int des3_set2key_enc( des3_context *ctx, uint32_t sk[96]; des3_set2key( ctx->sk, sk, key ); - memset( sk, 0, sizeof( sk ) ); + polarssl_zeroize( sk, sizeof( sk ) ); return( 0 ); } @@ -533,7 +538,7 @@ int des3_set2key_dec( des3_context *ctx, uint32_t sk[96]; des3_set2key( sk, ctx->sk, key ); - memset( sk, 0, sizeof( sk ) ); + polarssl_zeroize( sk, sizeof( sk ) ); return( 0 ); } @@ -570,7 +575,7 @@ int des3_set3key_enc( des3_context *ctx, uint32_t sk[96]; des3_set3key( ctx->sk, sk, key ); - memset( sk, 0, sizeof( sk ) ); + polarssl_zeroize( sk, sizeof( sk ) ); return( 0 ); } @@ -584,7 +589,7 @@ int des3_set3key_dec( des3_context *ctx, uint32_t sk[96]; des3_set3key( sk, ctx->sk, key ); - memset( sk, 0, sizeof( sk ) ); + polarssl_zeroize( sk, sizeof( sk ) ); return( 0 ); } diff --git a/library/dhm.c b/library/dhm.c index 41c573d29..362cd1dd3 100644 --- a/library/dhm.c +++ b/library/dhm.c @@ -55,6 +55,11 @@ #define polarssl_free free #endif +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + /* * helper to validate the mpi size and import it */ @@ -395,7 +400,7 @@ void dhm_free( dhm_context *ctx ) mpi_free( &ctx->GX ); mpi_free( &ctx->X ); mpi_free( &ctx->G ); mpi_free( &ctx->P ); - memset( ctx, 0, sizeof( dhm_context ) ); + polarssl_zeroize( ctx, sizeof( dhm_context ) ); } #if defined(POLARSSL_ASN1_PARSE_C) @@ -535,7 +540,7 @@ int dhm_parse_dhmfile( dhm_context *dhm, const char *path ) ret = dhm_parse_dhm( dhm, buf, n ); - memset( buf, 0, n + 1 ); + polarssl_zeroize( buf, n + 1 ); polarssl_free( buf ); return( ret ); diff --git a/library/ecp.c b/library/ecp.c index ca0ce7ed3..0c9c48310 100644 --- a/library/ecp.c +++ b/library/ecp.c @@ -77,6 +77,11 @@ #endif /* __ARMCC_VERSION */ #endif /*_MSC_VER */ +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + #if defined(POLARSSL_SELF_TEST) /* * Counts of point addition and doubling, and field multiplications. @@ -344,7 +349,7 @@ void ecp_group_free( ecp_group *grp ) polarssl_free( grp->T ); } - memset( grp, 0, sizeof( ecp_group ) ); + polarssl_zeroize( grp, sizeof( ecp_group ) ); } /* diff --git a/library/entropy.c b/library/entropy.c index c01acf38d..0560c397f 100644 --- a/library/entropy.c +++ b/library/entropy.c @@ -42,6 +42,11 @@ #include "polarssl/havege.h" #endif +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + #define ENTROPY_MAX_LOOP 256 /**< Maximum amount to loop before error */ void entropy_init( entropy_context *ctx ) @@ -78,7 +83,7 @@ void entropy_init( entropy_context *ctx ) void entropy_free( entropy_context *ctx ) { - ((void) ctx); + polarssl_zeroize( ctx, sizeof( entropy_context ) ); #if defined(POLARSSL_THREADING_C) polarssl_mutex_free( &ctx->mutex ); #endif diff --git a/library/gcm.c b/library/gcm.c index 62fe1852b..c96da4e60 100644 --- a/library/gcm.c +++ b/library/gcm.c @@ -76,6 +76,11 @@ } #endif +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + /* * Precompute small multiples of H, that is set * HH[i] || HL[i] = H times i, @@ -464,7 +469,7 @@ int gcm_auth_decrypt( gcm_context *ctx, if( diff != 0 ) { - memset( output, 0, length ); + polarssl_zeroize( output, length ); return( POLARSSL_ERR_GCM_AUTH_FAILED ); } @@ -474,7 +479,7 @@ int gcm_auth_decrypt( gcm_context *ctx, void gcm_free( gcm_context *ctx ) { (void) cipher_free_ctx( &ctx->cipher_ctx ); - memset( ctx, 0, sizeof( gcm_context ) ); + polarssl_zeroize( ctx, sizeof( gcm_context ) ); } #if defined(POLARSSL_SELF_TEST) && defined(POLARSSL_AES_C) diff --git a/library/hmac_drbg.c b/library/hmac_drbg.c index 619b4464e..30307b083 100644 --- a/library/hmac_drbg.c +++ b/library/hmac_drbg.c @@ -49,6 +49,11 @@ #define polarssl_printf printf #endif +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + /* * HMAC_DRBG update, using optional additional data (10.1.2.2) */ @@ -305,7 +310,7 @@ void hmac_drbg_free( hmac_drbg_context *ctx ) md_free_ctx( &ctx->md_ctx ); - memset( ctx, 0, sizeof( hmac_drbg_context ) ); + polarssl_zeroize( ctx, sizeof( hmac_drbg_context ) ); } #if defined(POLARSSL_FS_IO) diff --git a/library/md.c b/library/md.c index 4a92cd417..558f829a1 100644 --- a/library/md.c +++ b/library/md.c @@ -45,6 +45,11 @@ #define strcasecmp _stricmp #endif +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + static const int supported_digests[] = { #if defined(POLARSSL_MD2_C) @@ -190,7 +195,8 @@ int md_free_ctx( md_context_t *ctx ) return POLARSSL_ERR_MD_BAD_INPUT_DATA; ctx->md_info->ctx_free_func( ctx->md_ctx ); - ctx->md_ctx = NULL; + + polarssl_zeroize( ctx, sizeof( md_context_t ) ); return 0; } diff --git a/library/md2.c b/library/md2.c index 71f8d0b42..589c5cc0a 100644 --- a/library/md2.c +++ b/library/md2.c @@ -49,6 +49,11 @@ #define polarssl_printf printf #endif +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + #if !defined(POLARSSL_MD2_ALT) static const unsigned char PI_SUBST[256] = @@ -188,7 +193,7 @@ void md2( const unsigned char *input, size_t ilen, unsigned char output[16] ) md2_update( &ctx, input, ilen ); md2_finish( &ctx, output ); - memset( &ctx, 0, sizeof( md2_context ) ); + polarssl_zeroize( &ctx, sizeof( md2_context ) ); } #if defined(POLARSSL_FS_IO) @@ -212,7 +217,7 @@ int md2_file( const char *path, unsigned char output[16] ) md2_finish( &ctx, output ); - memset( &ctx, 0, sizeof( md2_context ) ); + polarssl_zeroize( &ctx, sizeof( md2_context ) ); if( ferror( f ) != 0 ) { @@ -253,7 +258,7 @@ void md2_hmac_starts( md2_context *ctx, const unsigned char *key, md2_starts( ctx ); md2_update( ctx, ctx->ipad, 16 ); - memset( sum, 0, sizeof( sum ) ); + polarssl_zeroize( sum, sizeof( sum ) ); } /* @@ -278,7 +283,7 @@ void md2_hmac_finish( md2_context *ctx, unsigned char output[16] ) md2_update( ctx, tmpbuf, 16 ); md2_finish( ctx, output ); - memset( tmpbuf, 0, sizeof( tmpbuf ) ); + polarssl_zeroize( tmpbuf, sizeof( tmpbuf ) ); } /* @@ -303,7 +308,7 @@ void md2_hmac( const unsigned char *key, size_t keylen, md2_hmac_update( &ctx, input, ilen ); md2_hmac_finish( &ctx, output ); - memset( &ctx, 0, sizeof( md2_context ) ); + polarssl_zeroize( &ctx, sizeof( md2_context ) ); } #if defined(POLARSSL_SELF_TEST) diff --git a/library/md4.c b/library/md4.c index 97cb5f0aa..ccde1a16b 100644 --- a/library/md4.c +++ b/library/md4.c @@ -49,6 +49,11 @@ #define polarssl_printf printf #endif +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + #if !defined(POLARSSL_MD4_ALT) /* @@ -284,7 +289,7 @@ void md4( const unsigned char *input, size_t ilen, unsigned char output[16] ) md4_update( &ctx, input, ilen ); md4_finish( &ctx, output ); - memset( &ctx, 0, sizeof( md4_context ) ); + polarssl_zeroize( &ctx, sizeof( md4_context ) ); } #if defined(POLARSSL_FS_IO) @@ -308,7 +313,7 @@ int md4_file( const char *path, unsigned char output[16] ) md4_finish( &ctx, output ); - memset( &ctx, 0, sizeof( md4_context ) ); + polarssl_zeroize( &ctx, sizeof( md4_context ) ); if( ferror( f ) != 0 ) { @@ -349,7 +354,7 @@ void md4_hmac_starts( md4_context *ctx, const unsigned char *key, md4_starts( ctx ); md4_update( ctx, ctx->ipad, 64 ); - memset( sum, 0, sizeof( sum ) ); + polarssl_zeroize( sum, sizeof( sum ) ); } /* @@ -374,7 +379,7 @@ void md4_hmac_finish( md4_context *ctx, unsigned char output[16] ) md4_update( ctx, tmpbuf, 16 ); md4_finish( ctx, output ); - memset( tmpbuf, 0, sizeof( tmpbuf ) ); + polarssl_zeroize( tmpbuf, sizeof( tmpbuf ) ); } /* @@ -399,7 +404,7 @@ void md4_hmac( const unsigned char *key, size_t keylen, md4_hmac_update( &ctx, input, ilen ); md4_hmac_finish( &ctx, output ); - memset( &ctx, 0, sizeof( md4_context ) ); + polarssl_zeroize( &ctx, sizeof( md4_context ) ); } #if defined(POLARSSL_SELF_TEST) diff --git a/library/md5.c b/library/md5.c index 87e2b1d69..ca1631752 100644 --- a/library/md5.c +++ b/library/md5.c @@ -48,6 +48,11 @@ #define polarssl_printf printf #endif +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + #if !defined(POLARSSL_MD5_ALT) /* @@ -301,7 +306,7 @@ void md5( const unsigned char *input, size_t ilen, unsigned char output[16] ) md5_update( &ctx, input, ilen ); md5_finish( &ctx, output ); - memset( &ctx, 0, sizeof( md5_context ) ); + polarssl_zeroize( &ctx, sizeof( md5_context ) ); } #if defined(POLARSSL_FS_IO) @@ -325,7 +330,7 @@ int md5_file( const char *path, unsigned char output[16] ) md5_finish( &ctx, output ); - memset( &ctx, 0, sizeof( md5_context ) ); + polarssl_zeroize( &ctx, sizeof( md5_context ) ); if( ferror( f ) != 0 ) { @@ -366,7 +371,7 @@ void md5_hmac_starts( md5_context *ctx, const unsigned char *key, md5_starts( ctx ); md5_update( ctx, ctx->ipad, 64 ); - memset( sum, 0, sizeof( sum ) ); + polarssl_zeroize( sum, sizeof( sum ) ); } /* @@ -391,7 +396,7 @@ void md5_hmac_finish( md5_context *ctx, unsigned char output[16] ) md5_update( ctx, tmpbuf, 16 ); md5_finish( ctx, output ); - memset( tmpbuf, 0, sizeof( tmpbuf ) ); + polarssl_zeroize( tmpbuf, sizeof( tmpbuf ) ); } /* @@ -416,7 +421,7 @@ void md5_hmac( const unsigned char *key, size_t keylen, md5_hmac_update( &ctx, input, ilen ); md5_hmac_finish( &ctx, output ); - memset( &ctx, 0, sizeof( md5_context ) ); + polarssl_zeroize( &ctx, sizeof( md5_context ) ); } #if defined(POLARSSL_SELF_TEST) diff --git a/library/md_wrap.c b/library/md_wrap.c index 9627878aa..64476222d 100644 --- a/library/md_wrap.c +++ b/library/md_wrap.c @@ -74,6 +74,11 @@ #include +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + #if defined(POLARSSL_MD2_C) static void md2_starts_wrap( void *ctx ) @@ -132,6 +137,7 @@ static void * md2_ctx_alloc( void ) static void md2_ctx_free( void *ctx ) { + polarssl_zeroize( ctx, sizeof( md2_context ) ); polarssl_free( ctx ); } @@ -221,6 +227,7 @@ static void *md4_ctx_alloc( void ) static void md4_ctx_free( void *ctx ) { + polarssl_zeroize( ctx, sizeof( md4_context ) ); polarssl_free( ctx ); } @@ -308,6 +315,7 @@ static void * md5_ctx_alloc( void ) static void md5_ctx_free( void *ctx ) { + polarssl_zeroize( ctx, sizeof( md5_context ) ); polarssl_free( ctx ); } @@ -395,6 +403,7 @@ static void * ripemd160_ctx_alloc( void ) static void ripemd160_ctx_free( void *ctx ) { + polarssl_zeroize( ctx, sizeof( ripemd160_context ) ); polarssl_free( ctx ); } @@ -482,6 +491,7 @@ static void * sha1_ctx_alloc( void ) static void sha1_ctx_free( void *ctx ) { + polarssl_zeroize( ctx, sizeof( sha1_context ) ); polarssl_free( ctx ); } @@ -585,6 +595,7 @@ static void * sha224_ctx_alloc( void ) static void sha224_ctx_free( void *ctx ) { + polarssl_zeroize( ctx, sizeof( sha256_context ) ); polarssl_free( ctx ); } @@ -681,6 +692,7 @@ static void * sha256_ctx_alloc( void ) static void sha256_ctx_free( void *ctx ) { + polarssl_zeroize( ctx, sizeof( sha256_context ) ); polarssl_free( ctx ); } @@ -781,6 +793,7 @@ static void * sha384_ctx_alloc( void ) static void sha384_ctx_free( void *ctx ) { + polarssl_zeroize( ctx, sizeof( sha512_context ) ); polarssl_free( ctx ); } @@ -877,6 +890,7 @@ static void * sha512_ctx_alloc( void ) static void sha512_ctx_free( void *ctx ) { + polarssl_zeroize( ctx, sizeof( sha512_context ) ); polarssl_free( ctx ); } diff --git a/library/memory_buffer_alloc.c b/library/memory_buffer_alloc.c index 7dfeda946..81862fc81 100644 --- a/library/memory_buffer_alloc.c +++ b/library/memory_buffer_alloc.c @@ -52,6 +52,11 @@ #define polarssl_fprintf fprintf #endif +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + #define MAGIC1 0xFF00AA55 #define MAGIC2 0xEE119966 #define MAX_BT 20 @@ -578,7 +583,7 @@ void memory_buffer_alloc_free() #if defined(POLARSSL_THREADING_C) polarssl_mutex_free( &heap.mutex ); #endif - memset( &heap, 0, sizeof(buffer_alloc_ctx) ); + polarssl_zeroize( &heap, sizeof(buffer_alloc_ctx) ); } #endif /* POLARSSL_MEMORY_BUFFER_ALLOC_C */ diff --git a/library/pem.c b/library/pem.c index 3dd3b7980..4e00b63f6 100644 --- a/library/pem.c +++ b/library/pem.c @@ -46,6 +46,11 @@ #include +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + #if defined(POLARSSL_PEM_PARSE_C) void pem_init( pem_context *ctx ) { @@ -99,8 +104,8 @@ static void pem_pbkdf1( unsigned char *key, size_t keylen, { memcpy( key, md5sum, keylen ); - memset( &md5_ctx, 0, sizeof( md5_ctx ) ); - memset( md5sum, 0, 16 ); + polarssl_zeroize( &md5_ctx, sizeof( md5_ctx ) ); + polarssl_zeroize( md5sum, 16 ); return; } @@ -121,8 +126,8 @@ static void pem_pbkdf1( unsigned char *key, size_t keylen, memcpy( key + 16, md5sum, use_len ); - memset( &md5_ctx, 0, sizeof( md5_ctx ) ); - memset( md5sum, 0, 16 ); + polarssl_zeroize( &md5_ctx, sizeof( md5_ctx ) ); + polarssl_zeroize( md5sum, 16 ); } #if defined(POLARSSL_DES_C) @@ -142,8 +147,8 @@ static void pem_des_decrypt( unsigned char des_iv[8], des_crypt_cbc( &des_ctx, DES_DECRYPT, buflen, des_iv, buf, buf ); - memset( &des_ctx, 0, sizeof( des_ctx ) ); - memset( des_key, 0, 8 ); + polarssl_zeroize( &des_ctx, sizeof( des_ctx ) ); + polarssl_zeroize( des_key, 8 ); } /* @@ -162,8 +167,8 @@ static void pem_des3_decrypt( unsigned char des3_iv[8], des3_crypt_cbc( &des3_ctx, DES_DECRYPT, buflen, des3_iv, buf, buf ); - memset( &des3_ctx, 0, sizeof( des3_ctx ) ); - memset( des3_key, 0, 24 ); + polarssl_zeroize( &des3_ctx, sizeof( des3_ctx ) ); + polarssl_zeroize( des3_key, 24 ); } #endif /* POLARSSL_DES_C */ @@ -184,8 +189,8 @@ static void pem_aes_decrypt( unsigned char aes_iv[16], unsigned int keylen, aes_crypt_cbc( &aes_ctx, AES_DECRYPT, buflen, aes_iv, buf, buf ); - memset( &aes_ctx, 0, sizeof( aes_ctx ) ); - memset( aes_key, 0, keylen ); + polarssl_zeroize( &aes_ctx, sizeof( aes_ctx ) ); + polarssl_zeroize( aes_key, keylen ); } #endif /* POLARSSL_AES_C */ @@ -373,7 +378,7 @@ void pem_free( pem_context *ctx ) polarssl_free( ctx->buf ); polarssl_free( ctx->info ); - memset( ctx, 0, sizeof( pem_context ) ); + polarssl_zeroize( ctx, sizeof( pem_context ) ); } #endif /* POLARSSL_PEM_PARSE_C */ diff --git a/library/pk.c b/library/pk.c index 8000c10f4..e923d79b1 100644 --- a/library/pk.c +++ b/library/pk.c @@ -44,6 +44,11 @@ #include "polarssl/ecdsa.h" #endif +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + /* * Initialise a pk_context */ @@ -65,9 +70,8 @@ void pk_free( pk_context *ctx ) return; ctx->pk_info->ctx_free_func( ctx->pk_ctx ); - ctx->pk_ctx = NULL; - ctx->pk_info = NULL; + polarssl_zeroize( ctx, sizeof( pk_context ) ); } /* diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 6bfc4d2fe..56739b7ef 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -52,6 +52,11 @@ #define polarssl_free free #endif +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + #if defined(POLARSSL_RSA_C) static int rsa_can_do( pk_type_t type ) { @@ -426,6 +431,7 @@ static void *rsa_alt_alloc_wrap( void ) static void rsa_alt_free_wrap( void *ctx ) { + polarssl_zeroize( ctx, sizeof( rsa_alt_context ) ); polarssl_free( ctx ); } diff --git a/library/pkparse.c b/library/pkparse.c index b3d3b1daa..cd5be9246 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -62,6 +62,11 @@ #define polarssl_free free #endif +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + #if defined(POLARSSL_FS_IO) /* * Load all data from a file into a given buffer. @@ -124,7 +129,7 @@ int pk_parse_keyfile( pk_context *ctx, ret = pk_parse_key( ctx, buf, n, (const unsigned char *) pwd, strlen( pwd ) ); - memset( buf, 0, n + 1 ); + polarssl_zeroize( buf, n + 1 ); polarssl_free( buf ); return( ret ); @@ -144,7 +149,7 @@ int pk_parse_public_keyfile( pk_context *ctx, const char *path ) ret = pk_parse_public_key( ctx, buf, n ); - memset( buf, 0, n + 1 ); + polarssl_zeroize( buf, n + 1 ); polarssl_free( buf ); return( ret ); diff --git a/library/ripemd160.c b/library/ripemd160.c index 4781a7ddb..3c2a7e663 100644 --- a/library/ripemd160.c +++ b/library/ripemd160.c @@ -76,6 +76,11 @@ } #endif +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + /* * RIPEMD-160 context setup */ @@ -363,7 +368,7 @@ void ripemd160( const unsigned char *input, size_t ilen, ripemd160_update( &ctx, input, ilen ); ripemd160_finish( &ctx, output ); - memset( &ctx, 0, sizeof( ripemd160_context ) ); + polarssl_zeroize( &ctx, sizeof( ripemd160_context ) ); } #if defined(POLARSSL_FS_IO) @@ -387,7 +392,7 @@ int ripemd160_file( const char *path, unsigned char output[20] ) ripemd160_finish( &ctx, output ); - memset( &ctx, 0, sizeof( ripemd160_context ) ); + polarssl_zeroize( &ctx, sizeof( ripemd160_context ) ); if( ferror( f ) != 0 ) { @@ -428,7 +433,7 @@ void ripemd160_hmac_starts( ripemd160_context *ctx, ripemd160_starts( ctx ); ripemd160_update( ctx, ctx->ipad, 64 ); - memset( sum, 0, sizeof( sum ) ); + polarssl_zeroize( sum, sizeof( sum ) ); } /* @@ -453,7 +458,7 @@ void ripemd160_hmac_finish( ripemd160_context *ctx, unsigned char output[20] ) ripemd160_update( ctx, tmpbuf, 20 ); ripemd160_finish( ctx, output ); - memset( tmpbuf, 0, sizeof( tmpbuf ) ); + polarssl_zeroize( tmpbuf, sizeof( tmpbuf ) ); } /* @@ -478,7 +483,7 @@ void ripemd160_hmac( const unsigned char *key, size_t keylen, ripemd160_hmac_update( &ctx, input, ilen ); ripemd160_hmac_finish( &ctx, output ); - memset( &ctx, 0, sizeof( ripemd160_context ) ); + polarssl_zeroize( &ctx, sizeof( ripemd160_context ) ); } diff --git a/library/sha1.c b/library/sha1.c index da69a8f6e..ce815792a 100644 --- a/library/sha1.c +++ b/library/sha1.c @@ -48,6 +48,11 @@ #define polarssl_printf printf #endif +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + #if !defined(POLARSSL_SHA1_ALT) /* @@ -334,7 +339,7 @@ void sha1( const unsigned char *input, size_t ilen, unsigned char output[20] ) sha1_update( &ctx, input, ilen ); sha1_finish( &ctx, output ); - memset( &ctx, 0, sizeof( sha1_context ) ); + polarssl_zeroize( &ctx, sizeof( sha1_context ) ); } #if defined(POLARSSL_FS_IO) @@ -358,7 +363,7 @@ int sha1_file( const char *path, unsigned char output[20] ) sha1_finish( &ctx, output ); - memset( &ctx, 0, sizeof( sha1_context ) ); + polarssl_zeroize( &ctx, sizeof( sha1_context ) ); if( ferror( f ) != 0 ) { @@ -399,7 +404,7 @@ void sha1_hmac_starts( sha1_context *ctx, const unsigned char *key, sha1_starts( ctx ); sha1_update( ctx, ctx->ipad, 64 ); - memset( sum, 0, sizeof( sum ) ); + polarssl_zeroize( sum, sizeof( sum ) ); } /* @@ -424,7 +429,7 @@ void sha1_hmac_finish( sha1_context *ctx, unsigned char output[20] ) sha1_update( ctx, tmpbuf, 20 ); sha1_finish( ctx, output ); - memset( tmpbuf, 0, sizeof( tmpbuf ) ); + polarssl_zeroize( tmpbuf, sizeof( tmpbuf ) ); } /* @@ -449,7 +454,7 @@ void sha1_hmac( const unsigned char *key, size_t keylen, sha1_hmac_update( &ctx, input, ilen ); sha1_hmac_finish( &ctx, output ); - memset( &ctx, 0, sizeof( sha1_context ) ); + polarssl_zeroize( &ctx, sizeof( sha1_context ) ); } #if defined(POLARSSL_SELF_TEST) diff --git a/library/sha256.c b/library/sha256.c index 09165cc6f..5633f9e8f 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -48,6 +48,11 @@ #define polarssl_printf printf #endif +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + #if !defined(POLARSSL_SHA256_ALT) /* @@ -337,7 +342,7 @@ void sha256( const unsigned char *input, size_t ilen, sha256_update( &ctx, input, ilen ); sha256_finish( &ctx, output ); - memset( &ctx, 0, sizeof( sha256_context ) ); + polarssl_zeroize( &ctx, sizeof( sha256_context ) ); } #if defined(POLARSSL_FS_IO) @@ -361,7 +366,7 @@ int sha256_file( const char *path, unsigned char output[32], int is224 ) sha256_finish( &ctx, output ); - memset( &ctx, 0, sizeof( sha256_context ) ); + polarssl_zeroize( &ctx, sizeof( sha256_context ) ); if( ferror( f ) != 0 ) { @@ -402,7 +407,7 @@ void sha256_hmac_starts( sha256_context *ctx, const unsigned char *key, sha256_starts( ctx, is224 ); sha256_update( ctx, ctx->ipad, 64 ); - memset( sum, 0, sizeof( sum ) ); + polarssl_zeroize( sum, sizeof( sum ) ); } /* @@ -431,7 +436,7 @@ void sha256_hmac_finish( sha256_context *ctx, unsigned char output[32] ) sha256_update( ctx, tmpbuf, hlen ); sha256_finish( ctx, output ); - memset( tmpbuf, 0, sizeof( tmpbuf ) ); + polarssl_zeroize( tmpbuf, sizeof( tmpbuf ) ); } /* @@ -456,7 +461,7 @@ void sha256_hmac( const unsigned char *key, size_t keylen, sha256_hmac_update( &ctx, input, ilen ); sha256_hmac_finish( &ctx, output ); - memset( &ctx, 0, sizeof( sha256_context ) ); + polarssl_zeroize( &ctx, sizeof( sha256_context ) ); } #if defined(POLARSSL_SELF_TEST) diff --git a/library/sha512.c b/library/sha512.c index c13e0d996..a29c80a5a 100644 --- a/library/sha512.c +++ b/library/sha512.c @@ -48,6 +48,11 @@ #define polarssl_printf printf #endif +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + #if !defined(POLARSSL_SHA512_ALT) /* @@ -335,7 +340,7 @@ void sha512( const unsigned char *input, size_t ilen, sha512_update( &ctx, input, ilen ); sha512_finish( &ctx, output ); - memset( &ctx, 0, sizeof( sha512_context ) ); + polarssl_zeroize( &ctx, sizeof( sha512_context ) ); } #if defined(POLARSSL_FS_IO) @@ -359,7 +364,7 @@ int sha512_file( const char *path, unsigned char output[64], int is384 ) sha512_finish( &ctx, output ); - memset( &ctx, 0, sizeof( sha512_context ) ); + polarssl_zeroize( &ctx, sizeof( sha512_context ) ); if( ferror( f ) != 0 ) { @@ -400,7 +405,7 @@ void sha512_hmac_starts( sha512_context *ctx, const unsigned char *key, sha512_starts( ctx, is384 ); sha512_update( ctx, ctx->ipad, 128 ); - memset( sum, 0, sizeof( sum ) ); + polarssl_zeroize( sum, sizeof( sum ) ); } /* @@ -429,7 +434,7 @@ void sha512_hmac_finish( sha512_context *ctx, unsigned char output[64] ) sha512_update( ctx, tmpbuf, hlen ); sha512_finish( ctx, output ); - memset( tmpbuf, 0, sizeof( tmpbuf ) ); + polarssl_zeroize( tmpbuf, sizeof( tmpbuf ) ); } /* @@ -454,7 +459,7 @@ void sha512_hmac( const unsigned char *key, size_t keylen, sha512_hmac_update( &ctx, input, ilen ); sha512_hmac_finish( &ctx, output ); - memset( &ctx, 0, sizeof( sha512_context ) ); + polarssl_zeroize( &ctx, sizeof( sha512_context ) ); } #if defined(POLARSSL_SELF_TEST) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 7121d7bc6..19c33a7ce 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -55,6 +55,13 @@ typedef UINT32 uint32_t; #include #endif +#if defined(POLARSSL_SSL_SESSION_TICKETS) +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} +#endif + #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) static void ssl_write_hostname_ext( ssl_context *ssl, unsigned char *buf, @@ -2466,6 +2473,8 @@ static int ssl_parse_new_session_ticket( ssl_context *ssl ) if( ticket_len == 0) return( 0 ); + polarssl_zeroize( ssl->session_negotiate->ticket, + ssl->session_negotiate->ticket_len ); polarssl_free( ssl->session_negotiate->ticket ); ssl->session_negotiate->ticket = NULL; ssl->session_negotiate->ticket_len = 0; diff --git a/library/ssl_srv.c b/library/ssl_srv.c index a4bf1abbc..cd207c509 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -52,6 +52,11 @@ #endif #if defined(POLARSSL_SSL_SESSION_TICKETS) +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + /* * Serialize a session in the following format: * 0 . n-1 session structure, n = sizeof(ssl_session) @@ -337,7 +342,7 @@ static int ssl_parse_ticket( ssl_context *ssl, ssl_session_free( ssl->session_negotiate ); memcpy( ssl->session_negotiate, &session, sizeof( ssl_session ) ); - memset( &session, 0, sizeof( ssl_session ) ); + polarssl_zeroize( &session, sizeof( ssl_session ) ); return( 0 ); } diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 2cd0cce1d..1374e1104 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -61,6 +61,11 @@ #define strcasecmp _stricmp #endif +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) /* * Convert max_fragment_length codes to length. @@ -175,11 +180,11 @@ static int ssl3_prf( const unsigned char *secret, size_t slen, md5_finish( &md5, dstbuf + i * 16 ); } - memset( &md5, 0, sizeof( md5 ) ); - memset( &sha1, 0, sizeof( sha1 ) ); + polarssl_zeroize( &md5, sizeof( md5 ) ); + polarssl_zeroize( &sha1, sizeof( sha1 ) ); - memset( padding, 0, sizeof( padding ) ); - memset( sha1sum, 0, sizeof( sha1sum ) ); + polarssl_zeroize( padding, sizeof( padding ) ); + polarssl_zeroize( sha1sum, sizeof( sha1sum ) ); return( 0 ); } @@ -241,8 +246,8 @@ static int tls1_prf( const unsigned char *secret, size_t slen, dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] ); } - memset( tmp, 0, sizeof( tmp ) ); - memset( h_i, 0, sizeof( h_i ) ); + polarssl_zeroize( tmp, sizeof( tmp ) ); + polarssl_zeroize( h_i, sizeof( h_i ) ); return( 0 ); } @@ -284,8 +289,8 @@ static int tls_prf_sha256( const unsigned char *secret, size_t slen, dstbuf[i + j] = h_i[j]; } - memset( tmp, 0, sizeof( tmp ) ); - memset( h_i, 0, sizeof( h_i ) ); + polarssl_zeroize( tmp, sizeof( tmp ) ); + polarssl_zeroize( h_i, sizeof( h_i ) ); return( 0 ); } @@ -326,8 +331,8 @@ static int tls_prf_sha384( const unsigned char *secret, size_t slen, dstbuf[i + j] = h_i[j]; } - memset( tmp, 0, sizeof( tmp ) ); - memset( h_i, 0, sizeof( h_i ) ); + polarssl_zeroize( tmp, sizeof( tmp ) ); + polarssl_zeroize( h_i, sizeof( h_i ) ); return( 0 ); } @@ -466,7 +471,7 @@ int ssl_derive_keys( ssl_context *ssl ) "master secret", handshake->randbytes, 64, session->master, 48 ); - memset( handshake->premaster, 0, sizeof( handshake->premaster ) ); + polarssl_zeroize( handshake->premaster, sizeof(handshake->premaster) ); } else SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) ); @@ -477,7 +482,7 @@ int ssl_derive_keys( ssl_context *ssl ) memcpy( tmp, handshake->randbytes, 64 ); memcpy( handshake->randbytes, tmp + 32, 32 ); memcpy( handshake->randbytes + 32, tmp, 32 ); - memset( tmp, 0, sizeof( tmp ) ); + polarssl_zeroize( tmp, sizeof( tmp ) ); /* * SSLv3: @@ -500,7 +505,7 @@ int ssl_derive_keys( ssl_context *ssl ) SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 ); SSL_DEBUG_BUF( 4, "key block", keyblk, 256 ); - memset( handshake->randbytes, 0, sizeof( handshake->randbytes ) ); + polarssl_zeroize( handshake->randbytes, sizeof( handshake->randbytes ) ); /* * Determine the appropriate key, IV and MAC length. @@ -699,7 +704,7 @@ int ssl_derive_keys( ssl_context *ssl ) } #endif /* POLARSSL_CIPHER_MODE_CBC */ - memset( keyblk, 0, sizeof( keyblk ) ); + polarssl_zeroize( keyblk, sizeof( keyblk ) ); #if defined(POLARSSL_ZLIB_SUPPORT) // Initialize compression @@ -2846,12 +2851,12 @@ static void ssl_calc_finished_ssl( SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 ); - memset( &md5, 0, sizeof( md5_context ) ); - memset( &sha1, 0, sizeof( sha1_context ) ); + polarssl_zeroize( &md5, sizeof( md5_context ) ); + polarssl_zeroize( &sha1, sizeof( sha1_context ) ); - memset( padbuf, 0, sizeof( padbuf ) ); - memset( md5sum, 0, sizeof( md5sum ) ); - memset( sha1sum, 0, sizeof( sha1sum ) ); + polarssl_zeroize( padbuf, sizeof( padbuf ) ); + polarssl_zeroize( md5sum, sizeof( md5sum ) ); + polarssl_zeroize( sha1sum, sizeof( sha1sum ) ); SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); } @@ -2904,10 +2909,10 @@ static void ssl_calc_finished_tls( SSL_DEBUG_BUF( 3, "calc finished result", buf, len ); - memset( &md5, 0, sizeof( md5_context ) ); - memset( &sha1, 0, sizeof( sha1_context ) ); + polarssl_zeroize( &md5, sizeof( md5_context ) ); + polarssl_zeroize( &sha1, sizeof( sha1_context ) ); - memset( padbuf, 0, sizeof( padbuf ) ); + polarssl_zeroize( padbuf, sizeof( padbuf ) ); SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); } @@ -2953,9 +2958,9 @@ static void ssl_calc_finished_tls_sha256( SSL_DEBUG_BUF( 3, "calc finished result", buf, len ); - memset( &sha256, 0, sizeof( sha256_context ) ); + polarssl_zeroize( &sha256, sizeof( sha256_context ) ); - memset( padbuf, 0, sizeof( padbuf ) ); + polarssl_zeroize( padbuf, sizeof( padbuf ) ); SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); } @@ -3000,9 +3005,9 @@ static void ssl_calc_finished_tls_sha384( SSL_DEBUG_BUF( 3, "calc finished result", buf, len ); - memset( &sha512, 0, sizeof( sha512_context ) ); + polarssl_zeroize( &sha512, sizeof( sha512_context ) ); - memset( padbuf, 0, sizeof( padbuf ) ); + polarssl_zeroize( padbuf, sizeof( padbuf ) ); SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); } @@ -4402,7 +4407,7 @@ void ssl_transform_free( ssl_transform *transform ) md_free_ctx( &transform->md_ctx_enc ); md_free_ctx( &transform->md_ctx_dec ); - memset( transform, 0, sizeof( ssl_transform ) ); + polarssl_zeroize( transform, sizeof( ssl_transform ) ); } #if defined(POLARSSL_X509_CRT_PARSE_C) @@ -4459,7 +4464,7 @@ void ssl_handshake_free( ssl_handshake_params *handshake ) } #endif /* POLARSSL_X509_CRT_PARSE_C && POLARSSL_SSL_SERVER_NAME_INDICATION */ - memset( handshake, 0, sizeof( ssl_handshake_params ) ); + polarssl_zeroize( handshake, sizeof( ssl_handshake_params ) ); } void ssl_session_free( ssl_session *session ) @@ -4476,7 +4481,7 @@ void ssl_session_free( ssl_session *session ) polarssl_free( session->ticket ); #endif - memset( session, 0, sizeof( ssl_session ) ); + polarssl_zeroize( session, sizeof( ssl_session ) ); } /* @@ -4488,20 +4493,20 @@ void ssl_free( ssl_context *ssl ) if( ssl->out_ctr != NULL ) { - memset( ssl->out_ctr, 0, SSL_BUFFER_LEN ); + polarssl_zeroize( ssl->out_ctr, SSL_BUFFER_LEN ); polarssl_free( ssl->out_ctr ); } if( ssl->in_ctr != NULL ) { - memset( ssl->in_ctr, 0, SSL_BUFFER_LEN ); + polarssl_zeroize( ssl->in_ctr, SSL_BUFFER_LEN ); polarssl_free( ssl->in_ctr ); } #if defined(POLARSSL_ZLIB_SUPPORT) if( ssl->compress_buf != NULL ) { - memset( ssl->compress_buf, 0, SSL_BUFFER_LEN ); + polarssl_zeroize( ssl->compress_buf, SSL_BUFFER_LEN ); polarssl_free( ssl->compress_buf ); } #endif @@ -4541,7 +4546,7 @@ void ssl_free( ssl_context *ssl ) #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) if ( ssl->hostname != NULL ) { - memset( ssl->hostname, 0, ssl->hostname_len ); + polarssl_zeroize( ssl->hostname, ssl->hostname_len ); polarssl_free( ssl->hostname ); ssl->hostname_len = 0; } @@ -4550,8 +4555,8 @@ void ssl_free( ssl_context *ssl ) #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED) if( ssl->psk != NULL ) { - memset( ssl->psk, 0, ssl->psk_len ); - memset( ssl->psk_identity, 0, ssl->psk_identity_len ); + polarssl_zeroize( ssl->psk, ssl->psk_len ); + polarssl_zeroize( ssl->psk_identity, ssl->psk_identity_len ); polarssl_free( ssl->psk ); polarssl_free( ssl->psk_identity ); ssl->psk_len = 0; @@ -4574,7 +4579,7 @@ void ssl_free( ssl_context *ssl ) SSL_DEBUG_MSG( 2, ( "<= free" ) ); /* Actually clear after last debug message */ - memset( ssl, 0, sizeof( ssl_context ) ); + polarssl_zeroize( ssl, sizeof( ssl_context ) ); } #if defined(POLARSSL_PK_C) diff --git a/library/x509_crl.c b/library/x509_crl.c index 8035ee40e..eecf054e6 100644 --- a/library/x509_crl.c +++ b/library/x509_crl.c @@ -68,6 +68,11 @@ #include #endif +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + /* * Version ::= INTEGER { v1(0), v2(1) } */ @@ -552,7 +557,7 @@ int x509_crl_parse_file( x509_crl *chain, const char *path ) ret = x509_crl_parse( chain, buf, n ); - memset( buf, 0, n + 1 ); + polarssl_zeroize( buf, n + 1 ); polarssl_free( buf ); return( ret ); @@ -725,7 +730,7 @@ void x509_crl_free( x509_crl *crl ) { name_prv = name_cur; name_cur = name_cur->next; - memset( name_prv, 0, sizeof( x509_name ) ); + polarssl_zeroize( name_prv, sizeof( x509_name ) ); polarssl_free( name_prv ); } @@ -734,13 +739,13 @@ void x509_crl_free( x509_crl *crl ) { entry_prv = entry_cur; entry_cur = entry_cur->next; - memset( entry_prv, 0, sizeof( x509_crl_entry ) ); + polarssl_zeroize( entry_prv, sizeof( x509_crl_entry ) ); polarssl_free( entry_prv ); } if( crl_cur->raw.p != NULL ) { - memset( crl_cur->raw.p, 0, crl_cur->raw.len ); + polarssl_zeroize( crl_cur->raw.p, crl_cur->raw.len ); polarssl_free( crl_cur->raw.p ); } @@ -754,7 +759,7 @@ void x509_crl_free( x509_crl *crl ) crl_prv = crl_cur; crl_cur = crl_cur->next; - memset( crl_prv, 0, sizeof( x509_crl ) ); + polarssl_zeroize( crl_prv, sizeof( x509_crl ) ); if( crl_prv != crl ) polarssl_free( crl_prv ); } diff --git a/library/x509_crt.c b/library/x509_crt.c index 0f41f40f3..f58f6fce5 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -80,6 +80,11 @@ #endif #endif +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + /* * Version ::= INTEGER { v1(0), v2(1), v3(2) } */ @@ -946,7 +951,7 @@ int x509_crt_parse_file( x509_crt *chain, const char *path ) ret = x509_crt_parse( chain, buf, n ); - memset( buf, 0, n + 1 ); + polarssl_zeroize( buf, n + 1 ); polarssl_free( buf ); return( ret ); @@ -1930,7 +1935,7 @@ void x509_crt_free( x509_crt *crt ) { name_prv = name_cur; name_cur = name_cur->next; - memset( name_prv, 0, sizeof( x509_name ) ); + polarssl_zeroize( name_prv, sizeof( x509_name ) ); polarssl_free( name_prv ); } @@ -1939,7 +1944,7 @@ void x509_crt_free( x509_crt *crt ) { name_prv = name_cur; name_cur = name_cur->next; - memset( name_prv, 0, sizeof( x509_name ) ); + polarssl_zeroize( name_prv, sizeof( x509_name ) ); polarssl_free( name_prv ); } @@ -1948,7 +1953,7 @@ void x509_crt_free( x509_crt *crt ) { seq_prv = seq_cur; seq_cur = seq_cur->next; - memset( seq_prv, 0, sizeof( x509_sequence ) ); + polarssl_zeroize( seq_prv, sizeof( x509_sequence ) ); polarssl_free( seq_prv ); } @@ -1957,13 +1962,13 @@ void x509_crt_free( x509_crt *crt ) { seq_prv = seq_cur; seq_cur = seq_cur->next; - memset( seq_prv, 0, sizeof( x509_sequence ) ); + polarssl_zeroize( seq_prv, sizeof( x509_sequence ) ); polarssl_free( seq_prv ); } if( cert_cur->raw.p != NULL ) { - memset( cert_cur->raw.p, 0, cert_cur->raw.len ); + polarssl_zeroize( cert_cur->raw.p, cert_cur->raw.len ); polarssl_free( cert_cur->raw.p ); } @@ -1977,7 +1982,7 @@ void x509_crt_free( x509_crt *crt ) cert_prv = cert_cur; cert_cur = cert_cur->next; - memset( cert_prv, 0, sizeof( x509_crt ) ); + polarssl_zeroize( cert_prv, sizeof( x509_crt ) ); if( cert_prv != crt ) polarssl_free( cert_prv ); } diff --git a/library/x509_csr.c b/library/x509_csr.c index 529e7e423..d82679d0d 100644 --- a/library/x509_csr.c +++ b/library/x509_csr.c @@ -62,6 +62,11 @@ #include #endif +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + /* * Version ::= INTEGER { v1(0) } */ @@ -295,7 +300,7 @@ int x509_csr_parse_file( x509_csr *csr, const char *path ) ret = x509_csr_parse( csr, buf, n ); - memset( buf, 0, n + 1 ); + polarssl_zeroize( buf, n + 1 ); polarssl_free( buf ); return( ret ); @@ -429,17 +434,17 @@ void x509_csr_free( x509_csr *csr ) { name_prv = name_cur; name_cur = name_cur->next; - memset( name_prv, 0, sizeof( x509_name ) ); + polarssl_zeroize( name_prv, sizeof( x509_name ) ); polarssl_free( name_prv ); } if( csr->raw.p != NULL ) { - memset( csr->raw.p, 0, csr->raw.len ); + polarssl_zeroize( csr->raw.p, csr->raw.len ); polarssl_free( csr->raw.p ); } - memset( csr, 0, sizeof( x509_csr ) ); + polarssl_zeroize( csr, sizeof( x509_csr ) ); } #endif /* POLARSSL_X509_CSR_PARSE_C */ diff --git a/library/x509write_crt.c b/library/x509write_crt.c index df7ab64a2..4b6d75b81 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -46,6 +46,11 @@ #include "polarssl/pem.h" #endif /* POLARSSL_PEM_WRITE_C */ +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + void x509write_crt_init( x509write_cert *ctx ) { memset( ctx, 0, sizeof(x509write_cert) ); @@ -62,7 +67,7 @@ void x509write_crt_free( x509write_cert *ctx ) asn1_free_named_data_list( &ctx->issuer ); asn1_free_named_data_list( &ctx->extensions ); - memset( ctx, 0, sizeof(x509write_cert) ); + polarssl_zeroize( ctx, sizeof(x509write_cert) ); } void x509write_crt_set_version( x509write_cert *ctx, int version ) diff --git a/library/x509write_csr.c b/library/x509write_csr.c index ff766e15e..53ae9c63b 100644 --- a/library/x509write_csr.c +++ b/library/x509write_csr.c @@ -47,6 +47,11 @@ #include #include +/* Implementation that should never be optimized out by the compiler */ +static void polarssl_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + void x509write_csr_init( x509write_csr *ctx ) { memset( ctx, 0, sizeof(x509write_csr) ); @@ -57,7 +62,7 @@ void x509write_csr_free( x509write_csr *ctx ) asn1_free_named_data_list( &ctx->subject ); asn1_free_named_data_list( &ctx->extensions ); - memset( ctx, 0, sizeof(x509write_csr) ); + polarssl_zeroize( ctx, sizeof(x509write_csr) ); } void x509write_csr_set_md_alg( x509write_csr *ctx, md_type_t md_alg ) diff --git a/tests/suites/test_suite_md.function b/tests/suites/test_suite_md.function index afd2f5e0d..74c5a6681 100644 --- a/tests/suites/test_suite_md.function +++ b/tests/suites/test_suite_md.function @@ -261,8 +261,6 @@ void md_hmac_multi( char *text_md_name, int trunc_size, char *hex_key_string, hexify( hash_str, output, md_get_size(md_info) ); TEST_ASSERT( strncmp( (char *) hash_str, hex_hash_string, trunc_size * 2 ) == 0 ); - - TEST_ASSERT ( 0 == md_free_ctx( &ctx ) ); } /* END_CASE */