Date: Fri, 26 Oct 2018 20:53:01 +0000 (UTC) From: Conrad Meyer <cem@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r339787 - head/sys/crypto/rijndael Message-ID: <201810262053.w9QKr1o6086090@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: cem Date: Fri Oct 26 20:53:01 2018 New Revision: 339787 URL: https://svnweb.freebsd.org/changeset/base/339787 Log: rijndael (AES): Avoid leaking sensitive data on kernel stack Noticed this investigating Fortuna. Remove useless duplicate stack copies of sensitive contents when possible, or if not possible, be sure to zero them out when we're finished. Approved by: secteam (gordon) Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D16935 Modified: head/sys/crypto/rijndael/rijndael-api-fst.c Modified: head/sys/crypto/rijndael/rijndael-api-fst.c ============================================================================== --- head/sys/crypto/rijndael/rijndael-api-fst.c Fri Oct 26 20:07:46 2018 (r339786) +++ head/sys/crypto/rijndael/rijndael-api-fst.c Fri Oct 26 20:53:01 2018 (r339787) @@ -36,7 +36,6 @@ typedef u_int8_t BYTE; int rijndael_makeKey(keyInstance *key, BYTE direction, int keyLen, const char *keyMaterial) { - u_int8_t cipherKey[RIJNDAEL_MAXKB]; if (key == NULL) { return BAD_KEY_INSTANCE; @@ -59,13 +58,12 @@ int rijndael_makeKey(keyInstance *key, BYTE direction, } /* initialize key schedule: */ - memcpy(cipherKey, key->keyMaterial, keyLen/8); if (direction == DIR_ENCRYPT) { - key->Nr = rijndaelKeySetupEnc(key->rk, cipherKey, keyLen); + key->Nr = rijndaelKeySetupEnc(key->rk, key->keyMaterial, keyLen); } else { - key->Nr = rijndaelKeySetupDec(key->rk, cipherKey, keyLen); + key->Nr = rijndaelKeySetupDec(key->rk, key->keyMaterial, keyLen); } - rijndaelKeySetupEnc(key->ek, cipherKey, keyLen); + rijndaelKeySetupEnc(key->ek, key->keyMaterial, keyLen); return TRUE; } @@ -186,6 +184,7 @@ int rijndael_blockEncrypt(cipherInstance *cipher, keyI return BAD_CIPHER_STATE; } + explicit_bzero(block, sizeof(block)); return 128*numBlocks; } @@ -258,6 +257,7 @@ int rijndael_padEncrypt(cipherInstance *cipher, keyIns return BAD_CIPHER_STATE; } + explicit_bzero(block, sizeof(block)); return 16*(numBlocks + 1); } @@ -357,12 +357,13 @@ int rijndael_blockDecrypt(cipherInstance *cipher, keyI return BAD_CIPHER_STATE; } + explicit_bzero(block, sizeof(block)); return 128*numBlocks; } int rijndael_padDecrypt(cipherInstance *cipher, keyInstance *key, const BYTE *input, int inputOctets, BYTE *outBuffer) { - int i, numBlocks, padLen; + int i, numBlocks, padLen, rval; u_int8_t block[16]; u_int32_t iv[4]; @@ -392,11 +393,13 @@ int rijndael_padDecrypt(cipherInstance *cipher, keyIns rijndaelDecrypt(key->rk, key->Nr, input, block); padLen = block[15]; if (padLen >= 16) { - return BAD_DATA; + rval = BAD_DATA; + goto out; } for (i = 16 - padLen; i < 16; i++) { if (block[i] != padLen) { - return BAD_DATA; + rval = BAD_DATA; + goto out; } } memcpy(outBuffer, block, 16 - padLen); @@ -424,11 +427,13 @@ int rijndael_padDecrypt(cipherInstance *cipher, keyIns ((u_int32_t*)block)[3] ^= iv[3]; padLen = block[15]; if (padLen <= 0 || padLen > 16) { - return BAD_DATA; + rval = BAD_DATA; + goto out; } for (i = 16 - padLen; i < 16; i++) { if (block[i] != padLen) { - return BAD_DATA; + rval = BAD_DATA; + goto out; } } memcpy(outBuffer, block, 16 - padLen); @@ -438,5 +443,9 @@ int rijndael_padDecrypt(cipherInstance *cipher, keyIns return BAD_CIPHER_STATE; } - return 16*numBlocks - padLen; + rval = 16*numBlocks - padLen; + +out: + explicit_bzero(block, sizeof(block)); + return rval; }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201810262053.w9QKr1o6086090>