diff --git a/wolfcrypt/src/camellia.c b/wolfcrypt/src/camellia.c index abf4a3f220..49541144e0 100644 --- a/wolfcrypt/src/camellia.c +++ b/wolfcrypt/src/camellia.c @@ -1634,5 +1634,13 @@ int wc_CamelliaCbcDecrypt(wc_Camellia* cam, byte* out, const byte* in, word32 sz } +void wc_CamelliaFree(wc_Camellia* cam) +{ + if (cam == NULL) + return; + ForceZero(cam, sizeof(wc_Camellia)); +} + + #endif /* HAVE_CAMELLIA */ diff --git a/wolfcrypt/src/curve25519.c b/wolfcrypt/src/curve25519.c index ac70119f99..a12ad9ee99 100644 --- a/wolfcrypt/src/curve25519.c +++ b/wolfcrypt/src/curve25519.c @@ -250,7 +250,7 @@ static int curve25519_smul_blind(byte* rp, const byte* n, const byte* p, for (cnt = 0; cnt < WOLFSSL_CURVE25519_BLINDING_RAND_CNT; cnt++) { ret = wc_RNG_GenerateBlock(rng, rz, sizeof(rz)); if (ret < 0) { - return ret; + goto cleanup; } for (i = CURVE25519_KEYSIZE - 1; i >= 0; i--) { if (rz[i] != 0xff) @@ -261,13 +261,14 @@ static int curve25519_smul_blind(byte* rp, const byte* n, const byte* p, } } if (cnt == WOLFSSL_CURVE25519_BLINDING_RAND_CNT) { - return RNG_FAILURE_E; + ret = RNG_FAILURE_E; + goto cleanup; } /* Generate 253 random bits. */ ret = wc_RNG_GenerateBlock(rng, a, sizeof(a)); if (ret != 0) - return ret; + goto cleanup; a[CURVE25519_KEYSIZE-1] &= 0x7f; /* k' = k ^ 2k ^ a */ n_a[0] = n[0] ^ (byte)(n[0] << 1) ^ a[0]; @@ -281,6 +282,11 @@ static int curve25519_smul_blind(byte* rp, const byte* n, const byte* p, /* Scalar multiple blinded scalar with blinding value. */ ret = curve25519_blind(rp, n_a, a, p, rz); +cleanup: + ForceZero(a, sizeof(a)); + ForceZero(n_a, sizeof(n_a)); + ForceZero(rz, sizeof(rz)); + RESTORE_VECTOR_REGISTERS(); return ret; diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c index 074c200925..47b6010da1 100644 --- a/wolfcrypt/src/evp.c +++ b/wolfcrypt/src/evp.c 
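Review bot: wc_CamelliaFree in camellia.c is added without a comment stating its contract, and the matching prototype added to wolfssl/wolfcrypt/camellia.h is undocumented as well. Because the function wipes the whole context with ForceZero, the comment should say that whatever key schedule and chaining state the struct holds is destroyed and that the object must be keyed again before reuse, for example `/* Zeroize all key material in cam; call wc_CamelliaSetKey() again before further use. NULL is a no-op. */`. Writing the length as `sizeof(*cam)` would keep the wipe tied to the pointer's type. The diff adds no call sites, so existing teardown paths that own a wc_Camellia presumably still need to be updated to call it.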
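Review bot: The new `cleanup:` label in curve25519_smul_blind sits above `RESTORE_VECTOR_REGISTERS();`, so the three error paths that used to return directly now also run the restore. That is only balanced if the matching save executes before the first `goto cleanup`; the start of the function is outside these hunks, so please confirm it, and if the save happens later, move the label below the restore. A one-line comment at the label such as `/* Wipe blinding values on every exit path; they mask the private scalar. */` would record why the early returns were removed. The first RNG check tests `ret < 0` while the later one tests `ret != 0`, and the hunks leave that inconsistency in place.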
@@ -3016,6 +3016,9 @@ int wolfSSL_EVP_PKEY_CTX_set1_hkdf_key(WOLFSSL_EVP_PKEY_CTX* ctx, } if (ret == WOLFSSL_SUCCESS) { + if (ctx->pkey->hkdfKey != NULL && ctx->pkey->hkdfKeySz > 0) { + ForceZero(ctx->pkey->hkdfKey, ctx->pkey->hkdfKeySz); + } XFREE(ctx->pkey->hkdfKey, NULL, DYNAMIC_TYPE_KEY); ctx->pkey->hkdfKey = (byte*)XMALLOC((size_t)keySz, NULL, DYNAMIC_TYPE_KEY); @@ -11778,6 +11781,9 @@ void wolfSSL_EVP_PKEY_free(WOLFSSL_EVP_PKEY* key) case WC_EVP_PKEY_HKDF: XFREE(key->hkdfSalt, NULL, DYNAMIC_TYPE_SALT); key->hkdfSalt = NULL; + if (key->hkdfKey != NULL && key->hkdfKeySz > 0) { + ForceZero(key->hkdfKey, key->hkdfKeySz); + } XFREE(key->hkdfKey, NULL, DYNAMIC_TYPE_KEY); key->hkdfKey = NULL; XFREE(key->hkdfInfo, NULL, DYNAMIC_TYPE_INFO); diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c index efc9eaf59a..d26c1e54a4 100644 --- a/wolfcrypt/src/random.c +++ b/wolfcrypt/src/random.c @@ -584,7 +584,6 @@ static int Hash_DRBG_Reseed(DRBG_internal* drbg, const byte* seed, word32 seedSz additional, additionalSz); if (ret == DRBG_SUCCESS) { XMEMCPY(drbg->V, newV, sizeof(drbg->V)); - ForceZero(newV, DRBG_SEED_LEN); ret = Hash_df(drbg, drbg->C, sizeof(drbg->C), drbgInitC, drbg->V, sizeof(drbg->V), NULL, 0, NULL, 0); @@ -593,6 +592,8 @@ static int Hash_DRBG_Reseed(DRBG_internal* drbg, const byte* seed, word32 seedSz drbg->reseedCtr = 1; } + ForceZero(newV, DRBG_SEED_LEN); + #ifndef WOLFSSL_SMALL_STACK_CACHE WC_FREE_VAR_EX(newV, drbg->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif @@ -1177,7 +1178,6 @@ static int Hash512_DRBG_Reseed(DRBG_SHA512_internal* drbg, const byte* seed, additional, additionalSz); if (ret == DRBG_SUCCESS) { XMEMCPY(drbg->V, newV, sizeof(drbg->V)); - ForceZero(newV, DRBG_SHA512_SEED_LEN); ret = Hash512_df(drbg, drbg->C, sizeof(drbg->C), drbgInitC, drbg->V, sizeof(drbg->V), NULL, 0, 
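Review bot: The wipe added in wolfSSL_EVP_PKEY_CTX_set1_hkdf_key takes its length from `ctx->pkey->hkdfKeySz`, so it is only correct while that field still describes the buffer being released. The assignment of the new size is outside the hunk; it should stay after the XMALLOC, and a comment such as `/* hkdfKeySz still holds the old length here */` would keep a later reorder from turning this into a wipe of the wrong length. The same wipe-then-free sequence is repeated in the WC_EVP_PKEY_HKDF case of wolfSSL_EVP_PKEY_free; a small static helper would keep the two in step.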
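Review bot: In Hash_DRBG_Reseed the relocated `ForceZero(newV, DRBG_SEED_LEN);` now runs on every path that reaches the end of the function, but nothing in the hunk says why it was moved out of the success branch. A short comment, e.g. `/* wipe newV even if the first Hash_df failed part-way */`, would stop it being folded back into the `if`. The allocation of newV is outside the hunk, so confirm that an allocation failure returns before this line, since the call is no longer guarded by a successful Hash_df. The same applies to the identical change in Hash512_DRBG_Reseed.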
@@ -1187,6 +1187,8 @@ static int Hash512_DRBG_Reseed(DRBG_SHA512_internal* drbg, const byte* seed, drbg->reseedCtr = 1; } + ForceZero(newV, DRBG_SHA512_SEED_LEN); + #ifndef WOLFSSL_SMALL_STACK_CACHE WC_FREE_VAR_EX(newV, drbg->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c index 6f5ae94abc..a116de7aee 100644 --- a/wolfcrypt/src/rsa.c +++ b/wolfcrypt/src/rsa.c @@ -1398,6 +1398,7 @@ static int RsaPad_OAEP(const byte* input, word32 inputLen, byte* pkcsBlock, /* generate random seed */ if ((ret = wc_RNG_GenerateBlock(rng, seed, hLen)) != 0) { WC_FREE_VAR_EX(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER); + ForceZero(seed, hLen); WC_FREE_VAR_EX(seed, heap, DYNAMIC_TYPE_RSA_BUFFER); return ret; } @@ -1408,6 +1409,7 @@ static int RsaPad_OAEP(const byte* input, word32 inputLen, byte* pkcsBlock, if (dbMask == NULL) { XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER); + ForceZero(seed, hLen); XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER); return MEMORY_E; } @@ -1421,6 +1423,7 @@ static int RsaPad_OAEP(const byte* input, word32 inputLen, byte* pkcsBlock, if (ret != 0) { WC_FREE_VAR_EX(dbMask, heap, DYNAMIC_TYPE_RSA); WC_FREE_VAR_EX(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER); + ForceZero(seed, hLen); WC_FREE_VAR_EX(seed, heap, DYNAMIC_TYPE_RSA_BUFFER); return ret; } @@ -1435,6 +1438,7 @@ static int RsaPad_OAEP(const byte* input, word32 inputLen, byte* pkcsBlock, if ((ret = RsaMGF(mgf, pkcsBlock + hLen + 1, pkcsBlockLen - hLen - 1, pkcsBlock + 1, hLen, heap)) != 0) { WC_FREE_VAR_EX(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER); + ForceZero(seed, hLen); WC_FREE_VAR_EX(seed, heap, DYNAMIC_TYPE_RSA_BUFFER); return ret; } diff --git a/wolfcrypt/src/wc_slhdsa.c b/wolfcrypt/src/wc_slhdsa.c index 7f0f1fed1a..cf9c4a2cbe 100644 --- a/wolfcrypt/src/wc_slhdsa.c +++ b/wolfcrypt/src/wc_slhdsa.c @@ -7261,6 +7261,8 @@ int wc_SlhDsaKey_Sign(SlhDsaKey* key, const byte* ctx, byte ctxSz, sigSz, addRnd); } + ForceZero(addRnd, sizeof(addRnd)); + return ret; } 
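Review bot: The four error exits in RsaPad_OAEP now wipe `seed`, but `dbMask` is still released with a plain `WC_FREE_VAR_EX(dbMask, heap, DYNAMIC_TYPE_RSA);` in the third hunk. If dbMask holds mask output derived from the seed, as seems likely, it deserves the same treatment; its length is not visible in these hunks, so the wipe has to use the size it was allocated with. The normal exit of the function is also outside the diff, so check that seed is wiped there as well. Repeating the wipe-and-free sequence at every exit is easy to miss on the next edit; a single cleanup label, as this commit introduces in curve25519_smul_blind, would cover all of them.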
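Review bot: `ForceZero(addRnd, sizeof(addRnd));` at the end of wc_SlhDsaKey_Sign wipes the full buffer only if addRnd is declared as a local array. Its declaration is outside the hunk; if it is a pointer in any build configuration, `sizeof` yields the pointer size and most of the randomness stays in memory, so the length should then be the named size constant used at the declaration. Any return statement earlier in the function also bypasses the wipe. wc_SlhDsaKey_SignHash receives the identical line and the same two checks apply there.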
@@ -8056,6 +8058,8 @@ int wc_SlhDsaKey_SignHash(SlhDsaKey* key, const byte* ctx, byte ctxSz, hashType, sig, sigSz, addRnd); } + ForceZero(addRnd, sizeof(addRnd)); + return ret; } #endif /* !WOLFSSL_SLHDSA_VERIFY_ONLY */ diff --git a/wolfssl/wolfcrypt/camellia.h b/wolfssl/wolfcrypt/camellia.h index 7ed0bc42d5..6fe97f674b 100644 --- a/wolfssl/wolfcrypt/camellia.h +++ b/wolfssl/wolfcrypt/camellia.h @@ -90,6 +90,7 @@ WOLFSSL_API int wc_CamelliaCbcEncrypt(wc_Camellia* cam, byte* out, const byte* in, word32 sz); WOLFSSL_API int wc_CamelliaCbcDecrypt(wc_Camellia* cam, byte* out, const byte* in, word32 sz); +WOLFSSL_API void wc_CamelliaFree(wc_Camellia* cam); #ifndef OPENSSL_COEXIST