Merge remote-tracking branch 'restricted/pr/668' into mbedtls-2.7-restricted
* restricted/pr/668: Zeroize local AES variables before exiting the function
commit
e70059df85
|
@ -8,6 +8,14 @@ Security
|
||||||
blinded value, factor it (as it is smaller than RSA keys and not guaranteed
|
blinded value, factor it (as it is smaller than RSA keys and not guaranteed
|
||||||
to have only large prime factors), and then, by brute force, recover the
|
to have only large prime factors), and then, by brute force, recover the
|
||||||
key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
|
key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
|
||||||
|
* Zeroize local variables in mbedtls_internal_aes_encrypt() and
|
||||||
|
mbedtls_internal_aes_decrypt() before exiting the function. The value of
|
||||||
|
these variables can be used to recover the last round key. To follow best
|
||||||
|
practice and to limit the impact of buffer overread vulnerabilities (like
|
||||||
|
Heartbleed) we need to zeroize them before exiting the function.
|
||||||
|
Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
|
||||||
|
Grant Hernandez, and Kevin Butler (University of Florida) and
|
||||||
|
Dave Tian (Purdue University).
|
||||||
|
|
||||||
Changes
|
Changes
|
||||||
* Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
|
* Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
|
||||||
|
|
|
@ -761,6 +761,18 @@ int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
|
||||||
PUT_UINT32_LE( X2, output, 8 );
|
PUT_UINT32_LE( X2, output, 8 );
|
||||||
PUT_UINT32_LE( X3, output, 12 );
|
PUT_UINT32_LE( X3, output, 12 );
|
||||||
|
|
||||||
|
mbedtls_zeroize( &X0, sizeof( X0 ) );
|
||||||
|
mbedtls_zeroize( &X1, sizeof( X1 ) );
|
||||||
|
mbedtls_zeroize( &X2, sizeof( X2 ) );
|
||||||
|
mbedtls_zeroize( &X3, sizeof( X3 ) );
|
||||||
|
|
||||||
|
mbedtls_zeroize( &Y0, sizeof( Y0 ) );
|
||||||
|
mbedtls_zeroize( &Y1, sizeof( Y1 ) );
|
||||||
|
mbedtls_zeroize( &Y2, sizeof( Y2 ) );
|
||||||
|
mbedtls_zeroize( &Y3, sizeof( Y3 ) );
|
||||||
|
|
||||||
|
mbedtls_zeroize( &RK, sizeof( RK ) );
|
||||||
|
|
||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
|
#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
|
||||||
|
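Review bot: The nine mbedtls_zeroize() calls added after the PUT_UINT32_LE lines carry no comment, and because they clear individual uint32_t locals they are best-effort only: copies of the X/Y round state may survive in registers or compiler spill slots, so the stores only scrub what actually sits at those stack addresses. A short comment above the block would record the intent so the calls are not dropped as redundant in a later cleanup, e.g. `/* Best-effort: clear the round state so a later stack overread cannot expose the last round key (see ChangeLog). */`. Note too that `mbedtls_zeroize( &RK, sizeof( RK ) );` clears the local RK variable itself; if RK is the round-key pointer, as its name suggests, this wipes the pointer rather than the round keys, which remain in ctx, and the comment should say so to avoid it being read as key erasure. The same applies to the mbedtls_internal_aes_decrypt hunk below; the body of mbedtls_internal_aes_encrypt begins before this hunk.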
@ -829,6 +841,18 @@ int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
|
||||||
PUT_UINT32_LE( X2, output, 8 );
|
PUT_UINT32_LE( X2, output, 8 );
|
||||||
PUT_UINT32_LE( X3, output, 12 );
|
PUT_UINT32_LE( X3, output, 12 );
|
||||||
|
|
||||||
|
mbedtls_zeroize( &X0, sizeof( X0 ) );
|
||||||
|
mbedtls_zeroize( &X1, sizeof( X1 ) );
|
||||||
|
mbedtls_zeroize( &X2, sizeof( X2 ) );
|
||||||
|
mbedtls_zeroize( &X3, sizeof( X3 ) );
|
||||||
|
|
||||||
|
mbedtls_zeroize( &Y0, sizeof( Y0 ) );
|
||||||
|
mbedtls_zeroize( &Y1, sizeof( Y1 ) );
|
||||||
|
mbedtls_zeroize( &Y2, sizeof( Y2 ) );
|
||||||
|
mbedtls_zeroize( &Y3, sizeof( Y3 ) );
|
||||||
|
|
||||||
|
mbedtls_zeroize( &RK, sizeof( RK ) );
|
||||||
|
|
||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
#endif /* !MBEDTLS_AES_DECRYPT_ALT */
|
#endif /* !MBEDTLS_AES_DECRYPT_ALT */
|
||||||
|
|