d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

rijndael (AES): Avoid leaking sensitive data on kernel stack

Browse Source 
Noticed this investigating Fortuna.  Remove useless duplicate stack copies
of sensitive contents when possible, or if not possible, be sure to zero
them out when we're finished.

Approved by:	secteam (gordon)
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D16935
This commit is contained in:
Conrad Meyer 2018-10-26 20:53:01 +00:00
parent 2384981b61
commit 070249043e
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=339787
1 changed files with 20 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
sys/crypto/rijndael/rijndael-api-fst.c
View File

@ -36,7 +36,6 @@ typedef u_int8_t BYTE;
int rijndael_makeKey(keyInstance *key, BYTE direction, int keyLen,
const char *keyMaterial) {
u_int8_t cipherKey[RIJNDAEL_MAXKB];
if (key == NULL) {
return BAD_KEY_INSTANCE;
@ -59,13 +58,12 @@ int rijndael_makeKey(keyInstance *key, BYTE direction, int keyLen,
}
/* initialize key schedule: */
memcpy(cipherKey, key->keyMaterial, keyLen/8);
if (direction == DIR_ENCRYPT) {
key->Nr = rijndaelKeySetupEnc(key->rk, cipherKey, keyLen);
key->Nr = rijndaelKeySetupEnc(key->rk, key->keyMaterial, keyLen);
} else {
key->Nr = rijndaelKeySetupDec(key->rk, cipherKey, keyLen);
key->Nr = rijndaelKeySetupDec(key->rk, key->keyMaterial, keyLen);
}
rijndaelKeySetupEnc(key->ek, cipherKey, keyLen);
rijndaelKeySetupEnc(key->ek, key->keyMaterial, keyLen);
return TRUE;
}
@ -186,6 +184,7 @@ int rijndael_blockEncrypt(cipherInstance *cipher, keyInstance *key,
return BAD_CIPHER_STATE;
}
explicit_bzero(block, sizeof(block));
return 128*numBlocks;
}
@ -258,6 +257,7 @@ int rijndael_padEncrypt(cipherInstance *cipher, keyInstance *key,
return BAD_CIPHER_STATE;
}
explicit_bzero(block, sizeof(block));
return 16*(numBlocks + 1);
}
@ -357,12 +357,13 @@ int rijndael_blockDecrypt(cipherInstance *cipher, keyInstance *key,
return BAD_CIPHER_STATE;
}
explicit_bzero(block, sizeof(block));
return 128*numBlocks;
}
int rijndael_padDecrypt(cipherInstance *cipher, keyInstance *key,
const BYTE *input, int inputOctets, BYTE *outBuffer) {
int i, numBlocks, padLen;
int i, numBlocks, padLen, rval;
u_int8_t block[16];
u_int32_t iv[4];
@ -392,11 +393,13 @@ int rijndael_padDecrypt(cipherInstance *cipher, keyInstance *key,
rijndaelDecrypt(key->rk, key->Nr, input, block);
padLen = block[15];
if (padLen >= 16) {
return BAD_DATA;
rval = BAD_DATA;
goto out;
}
for (i = 16 - padLen; i < 16; i++) {
if (block[i] != padLen) {
return BAD_DATA;
rval = BAD_DATA;
goto out;
}
}
memcpy(outBuffer, block, 16 - padLen);
@ -424,11 +427,13 @@ int rijndael_padDecrypt(cipherInstance *cipher, keyInstance *key,
((u_int32_t*)block)[3] ^= iv[3];
padLen = block[15];
if (padLen <= 0 || padLen > 16) {
return BAD_DATA;
rval = BAD_DATA;
goto out;
}
for (i = 16 - padLen; i < 16; i++) {
if (block[i] != padLen) {
return BAD_DATA;
rval = BAD_DATA;
goto out;
}
}
memcpy(outBuffer, block, 16 - padLen);
@ -438,5 +443,9 @@ int rijndael_padDecrypt(cipherInstance *cipher, keyInstance *key,
return BAD_CIPHER_STATE;
}
return 16*numBlocks - padLen;
rval = 16*numBlocks - padLen;
out:
explicit_bzero(block, sizeof(block));
return rval;
}