Merge remote-tracking branch 'restricted/pr/668' into mbedtls-2.7-restricted

* restricted/pr/668:
  Zeroize local AES variables before exiting the function
diff --git a/ChangeLog b/ChangeLog
index d84a364..f2dc2e7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,14 @@
      blinded value, factor it (as it is smaller than RSA keys and not guaranteed
      to have only large prime factors), and then, by brute force, recover the
      key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
+   * Zeroize local variables in mbedtls_internal_aes_encrypt() and
+     mbedtls_internal_aes_decrypt() before exiting the function. The value of
+     these variables can be used to recover the last round key. To follow best
+     practice and to limit the impact of buffer overread vulnerabilities (like
+     Heartbleed) we need to zeroize them before exiting the function.
+     Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
+     Grant Hernandez, and Kevin Butler (University of Florida) and
+     Dave Tian (Purdue University).
 
 Changes
    * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
diff --git a/library/aes.c b/library/aes.c
index 3d2eac8..beeecae 100644
--- a/library/aes.c
+++ b/library/aes.c
@@ -761,6 +761,18 @@
     PUT_UINT32_LE( X2, output,  8 );
     PUT_UINT32_LE( X3, output, 12 );
 
+    mbedtls_zeroize( &X0, sizeof( X0 ) );
+    mbedtls_zeroize( &X1, sizeof( X1 ) );
+    mbedtls_zeroize( &X2, sizeof( X2 ) );
+    mbedtls_zeroize( &X3, sizeof( X3 ) );
+
+    mbedtls_zeroize( &Y0, sizeof( Y0 ) );
+    mbedtls_zeroize( &Y1, sizeof( Y1 ) );
+    mbedtls_zeroize( &Y2, sizeof( Y2 ) );
+    mbedtls_zeroize( &Y3, sizeof( Y3 ) );
+
+    mbedtls_zeroize( &RK, sizeof( RK ) );
+
     return( 0 );
 }
 #endif /* !MBEDTLS_AES_ENCRYPT_ALT */
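Review bot: The `mbedtls_zeroize( &RK, sizeof( RK ) )` call just before the return clears only the local variable RK itself; if RK is the pointer into the context's key schedule, as its use in this file suggests, the round keys it points to are untouched, and a reader could take this line as clearing them. A one-line comment would prevent that misreading, e.g. `/* RK is only a pointer; the key schedule in the context is not cleared here. */`, and since the rationale for clearing the state words lives only in the ChangeLog, a comment such as `/* Clear stack copies of the round state: Y0..Y3 together with the output bytes would give away the last round key. */` belongs above the first zeroize. This clearing is best-effort: copies left in registers, or temporaries the round macros spilled to other stack slots, are not reached, and whether the volatile-store loop survives optimisation for otherwise-dead locals is toolchain-dependent. The enclosing mbedtls_internal_aes_encrypt() begins outside the hunk, so it is worth confirming that no early-return path above bypasses this cleanup.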
@@ -829,6 +841,18 @@
     PUT_UINT32_LE( X2, output,  8 );
     PUT_UINT32_LE( X3, output, 12 );
 
+    mbedtls_zeroize( &X0, sizeof( X0 ) );
+    mbedtls_zeroize( &X1, sizeof( X1 ) );
+    mbedtls_zeroize( &X2, sizeof( X2 ) );
+    mbedtls_zeroize( &X3, sizeof( X3 ) );
+
+    mbedtls_zeroize( &Y0, sizeof( Y0 ) );
+    mbedtls_zeroize( &Y1, sizeof( Y1 ) );
+    mbedtls_zeroize( &Y2, sizeof( Y2 ) );
+    mbedtls_zeroize( &Y3, sizeof( Y3 ) );
+
+    mbedtls_zeroize( &RK, sizeof( RK ) );
+
     return( 0 );
 }
 #endif /* !MBEDTLS_AES_DECRYPT_ALT */
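Review bot: The nine zeroize calls added before the return duplicate, line for line, the block added to mbedtls_internal_aes_encrypt() above; a small `static` helper that clears the eight state words and the RK pointer, or keeping X0..X3 and Y0..Y3 in a single local array cleared with one call, would keep the two functions from drifting apart when one of them gains a variable. Taking the address of each local also forces the compiler to give it a stack slot it may not otherwise have needed, so the effect on the decrypt path's performance should be measured rather than assumed. A short comment would set expectations for what the clearing can and cannot achieve, e.g. `/* Best effort: register copies and compiler temporaries are not cleared. */`. The enclosing mbedtls_internal_aes_decrypt() starts before this hunk.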