yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-01-09 15:45:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

RSA: wipe stack buffers

Browse source 
The RSA private key functions rsa_rsaes_pkcs1_v15_decrypt and
rsa_rsaes_oaep_decrypt put sensitive data (decryption results) on the
stack. Wipe it before returning.

Thanks to Laurent Simon for reporting this issue.
This commit is contained in:
Gilles Peskine 2017-03-23 14:37:37 +01:00
parent 63a48d10e9
commit 8877ec23a3
2 changed files with 42 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
ChangeLog
View file

@ -1,5 +1,12 @@
mbed TLS ChangeLog (Sorted per branch, date) mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS 2.1.x branch released xxxx-xx-xx
Security
* Wipe stack buffers in RSA private key operations
(rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt).
Found by Laurent Simon.
= mbed TLS 2.1.7 branch released 2017-03-08 = mbed TLS 2.1.7 branch released 2017-03-08
Security Security

44
library/rsa.c
View file

@ -55,6 +55,11 @@
#define mbedtls_free free #define mbedtls_free free
#endif #endif
/* Implementation that should never be optimized out by the compiler */
static void mbedtls_zeroize( void *v, size_t n ) {
volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
}
/* /*
* Initialize an RSA context * Initialize an RSA context
*/ */
@ -724,7 +729,7 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
: mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf ); : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
if( ret != 0 ) if( ret != 0 )
return( ret ); goto cleanup;
/* /*
* Unmask data and generate lHash * Unmask data and generate lHash
@ -733,7 +738,7 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
{ {
mbedtls_md_free( &md_ctx ); mbedtls_md_free( &md_ctx );
return( ret ); goto cleanup;
} }
@ -784,15 +789,26 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
* the different error conditions. * the different error conditions.
*/ */
if( bad != 0 ) if( bad != 0 )
return( MBEDTLS_ERR_RSA_INVALID_PADDING ); {
ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
goto cleanup;
}
if( ilen - ( p - buf ) > output_max_len ) if( ilen - ( p - buf ) > output_max_len )
return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE ); {
ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
goto cleanup;
}
*olen = ilen - (p - buf); *olen = ilen - (p - buf);
memcpy( output, p, *olen ); memcpy( output, p, *olen );
ret = 0;
return( 0 ); cleanup:
mbedtls_zeroize( buf, sizeof( buf ) );
mbedtls_zeroize( lhash, sizeof( lhash ) );
return( ret );
} }
#endif /* MBEDTLS_PKCS1_V21 */ #endif /* MBEDTLS_PKCS1_V21 */
@ -826,7 +842,7 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
: mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf ); : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
if( ret != 0 ) if( ret != 0 )
return( ret ); goto cleanup;
p = buf; p = buf;
bad = 0; bad = 0;
@ -871,15 +887,25 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
bad |= ( pad_count < 8 ); bad |= ( pad_count < 8 );
if( bad ) if( bad )
return( MBEDTLS_ERR_RSA_INVALID_PADDING ); {
ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
goto cleanup;
}
if( ilen - ( p - buf ) > output_max_len ) if( ilen - ( p - buf ) > output_max_len )
return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE ); {
ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
goto cleanup;
}
*olen = ilen - (p - buf); *olen = ilen - (p - buf);
memcpy( output, p, *olen ); memcpy( output, p, *olen );
ret = 0;
return( 0 ); cleanup:
mbedtls_zeroize( buf, sizeof( buf ) );
return( ret );
} }
#endif /* MBEDTLS_PKCS1_V15 */ #endif /* MBEDTLS_PKCS1_V15 */