RSA: wipe stack buffers

The RSA private key functions rsa_rsaes_pkcs1_v15_decrypt and rsa_rsaes_oaep_decrypt put sensitive data (decryption results) on the stack. Wipe it before returning. Thanks to Laurent Simon for reporting this issue.
2025-01-08 08:55:29 +00:00 · 2017-03-23 14:37:37 +01:00 · 2017-03-23 14:37:37 +01:00 · 8877ec23a3
parent 63a48d10e9
commit 8877ec23a3
2 changed files with 42 additions and 9 deletions
--- a/7
+++ b/7
@ -1,5 +1,12 @@
 mbed TLS ChangeLog (Sorted per branch, date)

+= mbed TLS 2.1.x branch released xxxx-xx-xx
+
+Security
+   * Wipe stack buffers in RSA private key operations
+     (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt).
+     Found by Laurent Simon.
+
 = mbed TLS 2.1.7 branch released 2017-03-08

 Security
--- a/library/rsa.c
+++ b/library/rsa.c
@ -55,6 +55,11 @@
 #define mbedtls_free   free
 #endif

+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
+}
+
 /*
 * Initialize an RSA context
 */
@ -724,7 +729,7 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
          : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );

    if( ret != 0 )
-        return( ret );
+        goto cleanup;

    /*
     * Unmask data and generate lHash
@ -733,7 +738,7 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
    if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
    {
        mbedtls_md_free( &md_ctx );
-        return( ret );
+        goto cleanup;
    }


@ -784,15 +789,26 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
     * the different error conditions.
     */
    if( bad != 0 )
-        return( MBEDTLS_ERR_RSA_INVALID_PADDING );
+    {
+        ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
+        goto cleanup;
+    }

    if( ilen - ( p - buf ) > output_max_len )
-        return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
+    {
+        ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
+        goto cleanup;
+    }

    *olen = ilen - (p - buf);
    memcpy( output, p, *olen );
+    ret = 0;

-    return( 0 );
+cleanup:
+    mbedtls_zeroize( buf, sizeof( buf ) );
+    mbedtls_zeroize( lhash, sizeof( lhash ) );
+
+    return( ret );
 }
 #endif /* MBEDTLS_PKCS1_V21 */

@ -826,7 +842,7 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
          : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );

    if( ret != 0 )
-        return( ret );
+        goto cleanup;

    p = buf;
    bad = 0;
@ -871,15 +887,25 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
    bad |= ( pad_count < 8 );

    if( bad )
-        return( MBEDTLS_ERR_RSA_INVALID_PADDING );
+    {
+        ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
+        goto cleanup;
+    }

    if( ilen - ( p - buf ) > output_max_len )
-        return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
+    {
+        ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
+        goto cleanup;
+    }

    *olen = ilen - (p - buf);
    memcpy( output, p, *olen );
+    ret = 0;

-    return( 0 );
+cleanup:
+    mbedtls_zeroize( buf, sizeof( buf ) );
+
+    return( ret );
 }
 #endif /* MBEDTLS_PKCS1_V15 */