mirror of
https://github.com/yuzu-emu/mbedtls
synced 2024-11-24 07:58:11 +00:00
Merge remote-tracking branch 'restricted/pr/669' into mbedtls-2.16-restricted
* restricted/pr/669: Zeroize local AES variables before exiting the function
This commit is contained in:
commit
baf23000e1
2 changed files with 32 additions and 0 deletions
|
@ -8,6 +8,14 @@ Security
|
||||||
blinded value, factor it (as it is smaller than RSA keys and not guaranteed
|
blinded value, factor it (as it is smaller than RSA keys and not guaranteed
|
||||||
to have only large prime factors), and then, by brute force, recover the
|
to have only large prime factors), and then, by brute force, recover the
|
||||||
key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
|
key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
|
||||||
|
* Zeroize local variables in mbedtls_internal_aes_encrypt() and
|
||||||
|
mbedtls_internal_aes_decrypt() before exiting the function. The value of
|
||||||
|
these variables can be used to recover the last round key. To follow best
|
||||||
|
practice and to limit the impact of buffer overread vulnerabilities (like
|
||||||
|
Heartbleed) we need to zeroize them before exiting the function.
|
||||||
|
Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
|
||||||
|
Grant Hernandez, and Kevin Butler (University of Florida) and
|
||||||
|
Dave Tian (Purdue University).
|
||||||
|
|
||||||
Bugfix
|
Bugfix
|
||||||
* Remove redundant line for getting the bitlen of a bignum, since the variable
|
* Remove redundant line for getting the bitlen of a bignum, since the variable
|
||||||
|
|
|
@ -918,6 +918,18 @@ int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
|
||||||
PUT_UINT32_LE( X2, output, 8 );
|
PUT_UINT32_LE( X2, output, 8 );
|
||||||
PUT_UINT32_LE( X3, output, 12 );
|
PUT_UINT32_LE( X3, output, 12 );
|
||||||
|
|
||||||
|
mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
|
||||||
|
mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
|
||||||
|
mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
|
||||||
|
mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
|
||||||
|
|
||||||
|
mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
|
||||||
|
mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
|
||||||
|
mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
|
||||||
|
mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
|
||||||
|
|
||||||
|
mbedtls_platform_zeroize( &RK, sizeof( RK ) );
|
||||||
|
|
||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
|
#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
|
||||||
|
@ -986,6 +998,18 @@ int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
|
||||||
PUT_UINT32_LE( X2, output, 8 );
|
PUT_UINT32_LE( X2, output, 8 );
|
||||||
PUT_UINT32_LE( X3, output, 12 );
|
PUT_UINT32_LE( X3, output, 12 );
|
||||||
|
|
||||||
|
mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
|
||||||
|
mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
|
||||||
|
mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
|
||||||
|
mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
|
||||||
|
|
||||||
|
mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
|
||||||
|
mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
|
||||||
|
mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
|
||||||
|
mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
|
||||||
|
|
||||||
|
mbedtls_platform_zeroize( &RK, sizeof( RK ) );
|
||||||
|
|
||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
#endif /* !MBEDTLS_AES_DECRYPT_ALT */
|
#endif /* !MBEDTLS_AES_DECRYPT_ALT */
|
||||||
|
|
Loading…
Reference in a new issue