Merge remote-tracking branch 'restricted/pr/514' into mbedtls-2.1
diff --git a/ChangeLog b/ChangeLog
index 951c134..4b4cd3a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -16,6 +16,8 @@
plaintexts and forge RSA signatures. Other asymmetric algorithms may
have been similarly vulnerable. Reported by Eyal Ronen, Robert Gillham,
Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom.
+ * Wipe sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG
+ modules.
= mbed TLS 2.1.16 branch released 2018-11-19
diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
index e8fdd9b..d388848 100644
--- a/library/ctr_drbg.c
+++ b/library/ctr_drbg.c
@@ -226,6 +226,10 @@
mbedtls_aes_free( &aes_ctx );
+ mbedtls_zeroize( buf, sizeof( buf ) );
+ mbedtls_zeroize( tmp, sizeof( tmp ) );
+ mbedtls_zeroize( key, sizeof( key ) );
+ mbedtls_zeroize( chain, sizeof( chain ) );
return( 0 );
}
@@ -264,6 +268,7 @@
mbedtls_aes_setkey_enc( &ctx->aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS );
memcpy( ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE, MBEDTLS_CTR_DRBG_BLOCKSIZE );
+ mbedtls_zeroize( tmp, sizeof( tmp ) );
return( 0 );
}
@@ -281,6 +286,7 @@
block_cipher_df( add_input, additional, add_len );
ctr_drbg_update_internal( ctx, add_input );
+ mbedtls_zeroize( add_input, sizeof( add_input ) );
}
}
@@ -327,6 +333,7 @@
ctr_drbg_update_internal( ctx, seed );
ctx->reseed_counter = 1;
+ mbedtls_zeroize( seed, sizeof( seed ) );
return( 0 );
}
@@ -393,6 +400,8 @@
ctx->reseed_counter++;
+ mbedtls_zeroize( add_input, sizeof( add_input ) );
+ mbedtls_zeroize( tmp, sizeof( tmp ) );
return( 0 );
}
diff --git a/library/hmac_drbg.c b/library/hmac_drbg.c
index 24c609e..40e2b0a 100644
--- a/library/hmac_drbg.c
+++ b/library/hmac_drbg.c
@@ -93,6 +93,8 @@
mbedtls_md_hmac_update( &ctx->md_ctx, ctx->V, md_len );
mbedtls_md_hmac_finish( &ctx->md_ctx, ctx->V );
}
+
+ mbedtls_zeroize( K, sizeof( K ) );
}
/*
@@ -158,6 +160,7 @@
ctx->reseed_counter = 1;
/* 4. Done */
+ mbedtls_zeroize( seed, seedlen );
return( 0 );
}