wolfcrypt: zero sensitive buffers

Jeremiah Mackey
2026-05-06 15:46:59 +00:00
parent a454248791
commit 90eb7253b6
7 changed files with 36 additions and 5 deletions
+8
@@ -1634,5 +1634,13 @@ int wc_CamelliaCbcDecrypt(wc_Camellia* cam, byte* out, const byte* in, word32 sz
}
void wc_CamelliaFree(wc_Camellia* cam)
{
if (cam == NULL)
return;
ForceZero(cam, sizeof(wc_Camellia));
}
#endif /* HAVE_CAMELLIA */
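Review bot: wc_CamelliaFree is a new public entry point with no doc comment on the definition, and the header hunk further down the page adds the declaration without one either. I would add above the definition `/* Zeroize the whole wc_Camellia object, key material included. Safe to call with NULL; re-key with wc_CamelliaSetKey() before reuse. */`. The wipe only happens when callers invoke it, and nothing on this page shows existing users of wc_Camellia being updated to call it, so that is worth checking.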
+9 -3
@@ -250,7 +250,7 @@ static int curve25519_smul_blind(byte* rp, const byte* n, const byte* p,
for (cnt = 0; cnt < WOLFSSL_CURVE25519_BLINDING_RAND_CNT; cnt++) {
ret = wc_RNG_GenerateBlock(rng, rz, sizeof(rz));
if (ret < 0) {
return ret;
goto cleanup;
}
for (i = CURVE25519_KEYSIZE - 1; i >= 0; i--) {
if (rz[i] != 0xff)
@@ -261,13 +261,14 @@ static int curve25519_smul_blind(byte* rp, const byte* n, const byte* p,
}
}
if (cnt == WOLFSSL_CURVE25519_BLINDING_RAND_CNT) {
return RNG_FAILURE_E;
ret = RNG_FAILURE_E;
goto cleanup;
}
/* Generate 253 random bits. */
ret = wc_RNG_GenerateBlock(rng, a, sizeof(a));
if (ret != 0)
return ret;
goto cleanup;
a[CURVE25519_KEYSIZE-1] &= 0x7f;
/* k' = k ^ 2k ^ a */
n_a[0] = n[0] ^ (byte)(n[0] << 1) ^ a[0];
@@ -281,6 +282,11 @@ static int curve25519_smul_blind(byte* rp, const byte* n, const byte* p,
/* Scalar multiple blinded scalar with blinding value. */
ret = curve25519_blind(rp, n_a, a, p, rz);
cleanup:
ForceZero(a, sizeof(a));
ForceZero(n_a, sizeof(n_a));
ForceZero(rz, sizeof(rz));
RESTORE_VECTOR_REGISTERS();
return ret;
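Review bot: Every error exit now runs `RESTORE_VECTOR_REGISTERS()` at the `cleanup:` label, so the first `goto cleanup` (the wc_RNG_GenerateBlock failure for rz) is only correct if the matching save has already run by then. The start of curve25519_smul_blind is outside these hunks, so please confirm the pairing. The wipes are fine on the early paths, because ForceZero only writes to a and n_a even when they were never filled. A short comment at the label would record the intent: `/* Single exit: wipe blinding values and the blinded scalar on success and on every error. */`. The two RNG checks also differ (`ret < 0` for rz, `ret != 0` for a) and could be made the same.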
+6
@@ -3016,6 +3016,9 @@ int wolfSSL_EVP_PKEY_CTX_set1_hkdf_key(WOLFSSL_EVP_PKEY_CTX* ctx,
}
if (ret == WOLFSSL_SUCCESS) {
if (ctx->pkey->hkdfKey != NULL && ctx->pkey->hkdfKeySz > 0) {
ForceZero(ctx->pkey->hkdfKey, ctx->pkey->hkdfKeySz);
}
XFREE(ctx->pkey->hkdfKey, NULL, DYNAMIC_TYPE_KEY);
ctx->pkey->hkdfKey = (byte*)XMALLOC((size_t)keySz, NULL,
DYNAMIC_TYPE_KEY);
@@ -11778,6 +11781,9 @@ void wolfSSL_EVP_PKEY_free(WOLFSSL_EVP_PKEY* key)
case WC_EVP_PKEY_HKDF:
XFREE(key->hkdfSalt, NULL, DYNAMIC_TYPE_SALT);
key->hkdfSalt = NULL;
if (key->hkdfKey != NULL && key->hkdfKeySz > 0) {
ForceZero(key->hkdfKey, key->hkdfKeySz);
}
XFREE(key->hkdfKey, NULL, DYNAMIC_TYPE_KEY);
key->hkdfKey = NULL;
XFREE(key->hkdfInfo, NULL, DYNAMIC_TYPE_INFO);
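Review bot: The wipe length is taken from `hkdfKeySz`, so the pointer and the size must stay in step, and in wolfSSL_EVP_PKEY_CTX_set1_hkdf_key the buffer is freed and reallocated with `keySz` while the size is untouched in the visible lines. The code after the XMALLOC is outside the hunk. If anything between the allocation and the size update can fail, a later wipe would run with the old, possibly larger length, so I would reset it at the free: `ctx->pkey->hkdfKeySz = 0;` right after the XFREE. The same guard-and-wipe is repeated in wolfSSL_EVP_PKEY_free, and a small static helper shared by both sites would keep them from drifting.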
+4 -2
@@ -584,7 +584,6 @@ static int Hash_DRBG_Reseed(DRBG_internal* drbg, const byte* seed, word32 seedSz
additional, additionalSz);
if (ret == DRBG_SUCCESS) {
XMEMCPY(drbg->V, newV, sizeof(drbg->V));
ForceZero(newV, DRBG_SEED_LEN);
ret = Hash_df(drbg, drbg->C, sizeof(drbg->C), drbgInitC, drbg->V,
sizeof(drbg->V), NULL, 0, NULL, 0);
@@ -593,6 +592,8 @@ static int Hash_DRBG_Reseed(DRBG_internal* drbg, const byte* seed, word32 seedSz
drbg->reseedCtr = 1;
}
ForceZero(newV, DRBG_SEED_LEN);
#ifndef WOLFSSL_SMALL_STACK_CACHE
WC_FREE_VAR_EX(newV, drbg->heap, DYNAMIC_TYPE_TMP_BUFFER);
#endif
@@ -1177,7 +1178,6 @@ static int Hash512_DRBG_Reseed(DRBG_SHA512_internal* drbg, const byte* seed,
additional, additionalSz);
if (ret == DRBG_SUCCESS) {
XMEMCPY(drbg->V, newV, sizeof(drbg->V));
ForceZero(newV, DRBG_SHA512_SEED_LEN);
ret = Hash512_df(drbg, drbg->C, sizeof(drbg->C), drbgInitC, drbg->V,
sizeof(drbg->V), NULL, 0,
@@ -1187,6 +1187,8 @@ static int Hash512_DRBG_Reseed(DRBG_SHA512_internal* drbg, const byte* seed,
drbg->reseedCtr = 1;
}
ForceZero(newV, DRBG_SHA512_SEED_LEN);
#ifndef WOLFSSL_SMALL_STACK_CACHE
WC_FREE_VAR_EX(newV, drbg->heap, DYNAMIC_TYPE_TMP_BUFFER);
#endif
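Review bot: `ForceZero(newV, DRBG_SEED_LEN)` now runs unconditionally in Hash_DRBG_Reseed, so it depends on newV being a valid buffer on every path that reaches it. The allocation of newV is above the hunk; please confirm that an allocation failure returns before this point rather than falling through with newV NULL. The same applies to Hash512_DRBG_Reseed with DRBG_SHA512_SEED_LEN. A comment would record why the wipe moved out of the success branch: `/* Wipe on all paths: newV may hold the candidate V even when Hash_df fails. */`.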
+4
@@ -1398,6 +1398,7 @@ static int RsaPad_OAEP(const byte* input, word32 inputLen, byte* pkcsBlock,
/* generate random seed */
if ((ret = wc_RNG_GenerateBlock(rng, seed, hLen)) != 0) {
WC_FREE_VAR_EX(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
ForceZero(seed, hLen);
WC_FREE_VAR_EX(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
return ret;
}
@@ -1408,6 +1409,7 @@ static int RsaPad_OAEP(const byte* input, word32 inputLen, byte* pkcsBlock,
if (dbMask == NULL) {
XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
ForceZero(seed, hLen);
XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
return MEMORY_E;
}
@@ -1421,6 +1423,7 @@ static int RsaPad_OAEP(const byte* input, word32 inputLen, byte* pkcsBlock,
if (ret != 0) {
WC_FREE_VAR_EX(dbMask, heap, DYNAMIC_TYPE_RSA);
WC_FREE_VAR_EX(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
ForceZero(seed, hLen);
WC_FREE_VAR_EX(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
return ret;
}
@@ -1435,6 +1438,7 @@ static int RsaPad_OAEP(const byte* input, word32 inputLen, byte* pkcsBlock,
if ((ret = RsaMGF(mgf, pkcsBlock + hLen + 1, pkcsBlockLen - hLen - 1,
pkcsBlock + 1, hLen, heap)) != 0) {
WC_FREE_VAR_EX(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
ForceZero(seed, hLen);
WC_FREE_VAR_EX(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
return ret;
}
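Review bot: `dbMask` is still freed on the `ret != 0` path without a wipe, although it is derived from the seed that these hunks now zero and is XORed over the data block, so it arguably deserves the same treatment. Something like `ForceZero(dbMask, DBMASK_LEN);` before the free would do, where DBMASK_LEN is a placeholder for the length used when dbMask was allocated (not visible here). The normal return of RsaPad_OAEP is outside these hunks, so check that seed is wiped there as well. With the wipe-and-free sequence now repeated in four exits, a single cleanup label would be easier to audit than four copies.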
+4
@@ -7261,6 +7261,8 @@ int wc_SlhDsaKey_Sign(SlhDsaKey* key, const byte* ctx, byte ctxSz,
sigSz, addRnd);
}
ForceZero(addRnd, sizeof(addRnd));
return ret;
}
@@ -8056,6 +8058,8 @@ int wc_SlhDsaKey_SignHash(SlhDsaKey* key, const byte* ctx, byte ctxSz,
hashType, sig, sigSz, addRnd);
}
ForceZero(addRnd, sizeof(addRnd));
return ret;
}
#endif /* !WOLFSSL_SLHDSA_VERIFY_ONLY */
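Review bot: `sizeof(addRnd)` gives the buffer length only if addRnd is declared as a local array in both functions. The declarations are above the hunks, and if either is a pointer or a small-stack allocation the call would wipe only pointer-size bytes. If it is an array, a one-line comment is enough: `/* addRnd is a local array; sizeof covers the whole buffer. */`. Also confirm that no earlier `return` in wc_SlhDsaKey_Sign or wc_SlhDsaKey_SignHash skips this wipe after addRnd has been filled, since the bodies are outside the hunks.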
+1
@@ -90,6 +90,7 @@ WOLFSSL_API int wc_CamelliaCbcEncrypt(wc_Camellia* cam,
byte* out, const byte* in, word32 sz);
WOLFSSL_API int wc_CamelliaCbcDecrypt(wc_Camellia* cam,
byte* out, const byte* in, word32 sz);
WOLFSSL_API void wc_CamelliaFree(wc_Camellia* cam);
#ifndef OPENSSL_COEXIST