Zeroize local AES variables before exiting the function

This issue has been reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
Grant Hernandez, and Kevin Butler (University of Florida) and
Dave Tian (Purdue University).

In AES encrypt and decrypt some variables were left on the stack. The value
of these variables can be used to recover the last round key. To follow best
practice and to limit the impact of buffer overread vulnerabilities (like
Heartbleed) we need to zeroize them before exiting the function.
This commit is contained in:
Andrzej Kurek 2019-11-12 03:34:03 -05:00
parent ec904e4b57
commit f18de50b49
2 changed files with 34 additions and 0 deletions

View File

@ -2,6 +2,16 @@ mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS 2.16.x branch released xxxx-xx-xx = mbed TLS 2.16.x branch released xxxx-xx-xx
Security
* Zeroize local variables in mbedtls_internal_aes_encrypt() and
mbedtls_internal_aes_decrypt() before exiting the function. The value of
these variables can be used to recover the last round key. To follow best
practice and to limit the impact of buffer overread vulnerabilities (like
Heartbleed) we need to zeroize them before exiting the function.
Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
Grant Hernandez, and Kevin Butler (University of Florida) and
Dave Tian (Purdue University).
Bugfix Bugfix
* Remove redundant line for getting the bitlen of a bignum, since the variable * Remove redundant line for getting the bitlen of a bignum, since the variable
holding the returned value is overwritten a line after. holding the returned value is overwritten a line after.

View File

@ -918,6 +918,18 @@ int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
PUT_UINT32_LE( X2, output, 8 ); PUT_UINT32_LE( X2, output, 8 );
PUT_UINT32_LE( X3, output, 12 ); PUT_UINT32_LE( X3, output, 12 );
mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
mbedtls_platform_zeroize( &RK, sizeof( RK ) );
return( 0 ); return( 0 );
} }
#endif /* !MBEDTLS_AES_ENCRYPT_ALT */ #endif /* !MBEDTLS_AES_ENCRYPT_ALT */
@ -986,6 +998,18 @@ int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
PUT_UINT32_LE( X2, output, 8 ); PUT_UINT32_LE( X2, output, 8 );
PUT_UINT32_LE( X3, output, 12 ); PUT_UINT32_LE( X3, output, 12 );
mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
mbedtls_platform_zeroize( &RK, sizeof( RK ) );
return( 0 ); return( 0 );
} }
#endif /* !MBEDTLS_AES_DECRYPT_ALT */ #endif /* !MBEDTLS_AES_DECRYPT_ALT */