From 17b2ac2a7c1fd5b7ca054357e5260dfd22f6dabf Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Tue, 11 Sep 2018 15:34:17 +0200
Subject: [PATCH 1/4] CTR_DRBG: clean stack buffers
Wipe stack buffers that may contain sensitive data (data that contributes to the DRBG state.
---
 library/ctr_drbg.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
index e8fdd9b6cb..c023c699e5 100644
--- a/library/ctr_drbg.c
+++ b/library/ctr_drbg.c
@@ -264,6 +264,7 @@ static int ctr_drbg_update_internal( mbedtls_ctr_drbg_context *ctx,
 mbedtls_aes_setkey_enc( &ctx->aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS );
 memcpy( ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE, MBEDTLS_CTR_DRBG_BLOCKSIZE );
+ mbedtls_zeroize( tmp, sizeof( tmp ) );
 return( 0 );
 }
@@ -281,6 +282,7 @@ void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,
 block_cipher_df( add_input, additional, add_len );
 ctr_drbg_update_internal( ctx, add_input );
+ mbedtls_zeroize( add_input, sizeof( add_input ) );
 }
 }
@@ -327,6 +329,7 @@ int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
 ctr_drbg_update_internal( ctx, seed );
 ctx->reseed_counter = 1;
+ mbedtls_zeroize( seed, sizeof( seed ) );
 return( 0 );
 }
@@ -393,6 +396,8 @@ int mbedtls_ctr_drbg_random_with_add( void *p_rng,
 ctx->reseed_counter++;
+ mbedtls_zeroize( add_input, sizeof( add_input ) );
+ mbedtls_zeroize( tmp, sizeof( tmp ) );
 return( 0 );
 }
From 51de2d25a301985719a4d854d63457146b98de1e Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Tue, 11 Sep 2018 15:35:41 +0200
Subject: [PATCH 2/4] HMAC_DRBG: clean stack buffers
Wipe stack buffers that may contain sensitive data (data that contributes to the DRBG state.
---
 library/hmac_drbg.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/library/hmac_drbg.c b/library/hmac_drbg.c
index 24c609e9ce..40e2b0ad6a 100644
--- a/library/hmac_drbg.c
+++ b/library/hmac_drbg.c
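Review bot: The wipe of `tmp` in ctr_drbg_update_internal (hunk at -264) is placed only on the `return( 0 )` path, so any error return earlier in that function, outside this hunk, would leave `tmp` on the stack still holding the freshly derived key and counter. The same shape recurs for `seed` in mbedtls_ctr_drbg_reseed (hunk at -327) and for `add_input`/`tmp` in mbedtls_ctr_drbg_random_with_add (hunk at -393): the zeroize is the last statement before the success return, and an entropy-source or reseed failure return above it, if one exists, skips the wipe while the buffer may already be partly filled. Each function body starts outside its hunk, so this needs checking against the actual early returns; where one exists, moving the `mbedtls_zeroize` calls under a single `exit:` label that every return path reaches keeps the wipe unconditional. mbedtls_ctr_drbg_update (hunk at -281) is void with no visible early exit, so the placement there looks fine.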
@@ -93,6 +93,8 @@ void mbedtls_hmac_drbg_update( mbedtls_hmac_drbg_context *ctx,
 mbedtls_md_hmac_update( &ctx->md_ctx, ctx->V, md_len );
 mbedtls_md_hmac_finish( &ctx->md_ctx, ctx->V );
 }
+
+ mbedtls_zeroize( K, sizeof( K ) );
 }
 /*
@@ -158,6 +160,7 @@ int mbedtls_hmac_drbg_reseed( mbedtls_hmac_drbg_context *ctx,
 ctx->reseed_counter = 1;
 /* 4. Done */
+ mbedtls_zeroize( seed, seedlen );
 return( 0 );
 }
From 73e34facb4726431f995a414f7f39dbd37942c04 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Tue, 11 Sep 2018 18:53:58 +0200
Subject: [PATCH 3/4] Add ChangeLog entry for wiping sensitive buffers
---
 ChangeLog | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 5a7d7a9277..37cc0ab2a7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
 mbed TLS ChangeLog (Sorted per branch, date)
+= mbed TLS 2.1.x branch released xxxx-xx-xx
+
+Security
+ * Wipe sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG
+ modules.
+
 = mbed TLS 2.1.15 branch released 2018-08-31
 Security
From 43c19648dbefa90d2c52136ecb2cee884caab1e4 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Tue, 27 Nov 2018 16:37:23 +0100
Subject: [PATCH 4/4] Wipe stack buffers in block_cipher_df
This is a partial backport of 1b3649906261dfaafcc5b8750279a0012c1c604a (only for the buffer wiping). Other wiping calls were previously added as backports of "CTR_DRBG: clean stack buffers" (d9aa84dc0d42dcb5e23ba2bb47ce39592193b8f1). This completes the backporting of stack buffer wiping from the development branch.
---
 library/ctr_drbg.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
index c023c699e5..d3888483a3 100644
--- a/library/ctr_drbg.c
+++ b/library/ctr_drbg.c
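Review bot: In mbedtls_hmac_drbg_reseed (hunk at -158) the new line wipes only `seedlen` bytes, `mbedtls_zeroize( seed, seedlen );`, whereas every other wipe in this series, including `mbedtls_zeroize( K, sizeof( K ) );` in the hunk at -93, covers the whole array with `sizeof`. Wiping the full buffer, `mbedtls_zeroize( seed, sizeof( seed ) );`, costs nothing measurable here and removes the dependency on `seedlen` being correctly accumulated by code above the hunk, which is not visible. The function body starts outside the hunk; if it returns early on an entropy-source failure after `seed` has been partly written, that path also bypasses this wipe, so the same single-exit cleanup shape would apply.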
@@ -226,6 +226,10 @@ static int block_cipher_df( unsigned char *output,
 mbedtls_aes_free( &aes_ctx );
+ mbedtls_zeroize( buf, sizeof( buf ) );
+ mbedtls_zeroize( tmp, sizeof( tmp ) );
+ mbedtls_zeroize( key, sizeof( key ) );
+ mbedtls_zeroize( chain, sizeof( chain ) );
 return( 0 );
 }
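Review bot: The four zeroize calls in block_cipher_df arrive without a comment saying why these specific buffers matter, and a later cleanup could plausibly drop one or swap the calls for `memset`, which a compiler may elide on dead stack arrays right before `return`. A one-line comment above the first call, `/* Wipe derivation input and key material; keep mbedtls_zeroize, not memset, so the stores survive optimisation */`, records the intent for the next maintainer; what `buf`, `tmp`, `key` and `chain` each hold is presumably seed material and the derivation key, but their use is outside the hunk and worth confirming before naming it. The function body starts outside the hunk.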