mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-26 10:15:38 +01:00
Zeroize local AES variables before exiting the function
This issue has been reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai, Grant Hernandez, and Kevin Butler (University of Florida) and Dave Tian (Purdue University). In AES encrypt and decrypt some variables were left on the stack. The value of these variables can be used to recover the last round key. To follow best practice and to limit the impact of buffer overread vulnerabilities (like Heartbleed) we need to zeroize them before exiting the function.
This commit is contained in:
parent
e9db2aa5b4
commit
a8405447aa
@ -71,6 +71,14 @@ Security
|
||||
blinded value, factor it (as it is smaller than RSA keys and not guaranteed
|
||||
to have only large prime factors), and then, by brute force, recover the
|
||||
key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
|
||||
* Zeroize local variables in mbedtls_internal_aes_encrypt() and
|
||||
mbedtls_internal_aes_decrypt() before exiting the function. The value of
|
||||
these variables can be used to recover the last round key. To follow best
|
||||
practice and to limit the impact of buffer overread vulnerabilities (like
|
||||
Heartbleed) we need to zeroize them before exiting the function.
|
||||
Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
|
||||
Grant Hernandez, and Kevin Butler (University of Florida) and
|
||||
Dave Tian (Purdue University).
|
||||
|
||||
Bugfix
|
||||
* Remove redundant line for getting the bitlen of a bignum, since the variable
|
||||
|
@ -1246,6 +1246,18 @@ int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
|
||||
PUT_UINT32_LE( X2, output, 8 );
|
||||
PUT_UINT32_LE( X3, output, 12 );
|
||||
|
||||
mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
|
||||
mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
|
||||
mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
|
||||
mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
|
||||
|
||||
mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
|
||||
mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
|
||||
mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
|
||||
mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
|
||||
|
||||
mbedtls_platform_zeroize( &RK, sizeof( RK ) );
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_AES_SCA_COUNTERMEASURES */
|
||||
@ -1513,6 +1525,18 @@ int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
|
||||
PUT_UINT32_LE( X2, output, 8 );
|
||||
PUT_UINT32_LE( X3, output, 12 );
|
||||
|
||||
mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
|
||||
mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
|
||||
mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
|
||||
mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
|
||||
|
||||
mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
|
||||
mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
|
||||
mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
|
||||
mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
|
||||
|
||||
mbedtls_platform_zeroize( &RK, sizeof( RK ) );
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_AES_SCA_COUNTERMEASURES */
|
||||
|
Loading…
Reference in New Issue
Block a user