diff --git a/src/keys.c b/src/keys.c
index cb8145c0c3e..b4b39a43f2f 100644
--- a/src/keys.c
+++ b/src/keys.c
@@ -33,6 +33,12 @@
 #include
 #endif
 #endif
+#ifdef NO_INLINE
+ #include
+#else
+ #define WOLFSSL_MISC_INCLUDED
+ #include
+#endif
 #if defined(WOLFSSL_RENESAS_FSPSM_TLS) || defined(WOLFSSL_RENESAS_TSIP_TLS)
 #include
@@ -3902,6 +3908,7 @@ int DeriveKeys(WOLFSSL* ssl)
 return MEMORY_E;
 }
 #endif
+ XMEMSET(shaOutput, 0, WC_SHA_DIGEST_SIZE);
 ret = wc_InitMd5(md5);
 if (ret == 0) {
@@ -3948,6 +3955,26 @@ int DeriveKeys(WOLFSSL* ssl)
 ret = StoreKeys(ssl, keyData, PROVISION_CLIENT_SERVER);
 }
+#ifdef WOLFSSL_CHECK_MEM_ZERO
+ wc_MemZero_Add("DeriveKeys shaOutput", shaOutput, WC_SHA_DIGEST_SIZE);
+ wc_MemZero_Add("DeriveKeys md5Input", md5Input,
+ SECRET_LEN + WC_SHA_DIGEST_SIZE);
+ wc_MemZero_Add("DeriveKeys shaInput", shaInput,
+ KEY_PREFIX + SECRET_LEN + 2 * RAN_LEN);
+ wc_MemZero_Add("DeriveKeys keyData", keyData,
+ KEY_PREFIX * WC_MD5_DIGEST_SIZE);
+#endif
+ ForceZero(shaOutput, WC_SHA_DIGEST_SIZE);
+ ForceZero(md5Input, SECRET_LEN + WC_SHA_DIGEST_SIZE);
+ ForceZero(shaInput, KEY_PREFIX + SECRET_LEN + 2 * RAN_LEN);
+ ForceZero(keyData, KEY_PREFIX * WC_MD5_DIGEST_SIZE);
+#ifdef WOLFSSL_CHECK_MEM_ZERO
+ wc_MemZero_Check(shaOutput, WC_SHA_DIGEST_SIZE);
+ wc_MemZero_Check(md5Input, SECRET_LEN + WC_SHA_DIGEST_SIZE);
+ wc_MemZero_Check(shaInput, KEY_PREFIX + SECRET_LEN + 2 * RAN_LEN);
+ wc_MemZero_Check(keyData, KEY_PREFIX * WC_MD5_DIGEST_SIZE);
+#endif
+
 WC_FREE_VAR_EX(shaOutput, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 WC_FREE_VAR_EX(md5Input, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 WC_FREE_VAR_EX(shaInput, NULL, DYNAMIC_TYPE_TMP_BUFFER);
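Review bot: In DeriveKeys the four `wc_MemZero_Add` registrations sit directly in front of the `ForceZero` calls, so under WOLFSSL_CHECK_MEM_ZERO the following `wc_MemZero_Check` can only confirm that ForceZero ran a moment earlier; it cannot catch an exit path that skips the scrub. MakeSslMasterSecret in this same commit registers md5Input and shaInput near the top of the function, right after what looks like the allocation-failure block (`return MEMORY_E; } #endif`), and DeriveKeys would give the checker more to work with if it did the same, e.g. `wc_MemZero_Add("DeriveKeys keyData", keyData, KEY_PREFIX * WC_MD5_DIGEST_SIZE);` moved up to that point. The same late registration appears in DeriveTlsKeys (key_dig) and in DeriveHandshakeSecret and DeriveMasterSecret (key). The body of DeriveKeys between the allocation and this hunk is not visible here, so whether an early return exists today is not confirmed.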
@@ -3959,26 +3986,24 @@ int DeriveKeys(WOLFSSL* ssl)
 }
-static int CleanPreMaster(WOLFSSL* ssl)
+static void CleanPreMaster(WOLFSSL* ssl)
 {
- int i, ret, sz = (int)(ssl->arrays->preMasterSz);
+ int sz = (int)(ssl->arrays->preMasterSz);
- for (i = 0; i < sz; i++)
- ssl->arrays->preMasterSecret[i] = 0;
+#ifdef WOLFSSL_CHECK_MEM_ZERO
+ wc_MemZero_Add("CleanPreMaster preMasterSecret",
+ ssl->arrays->preMasterSecret, sz);
+#endif
- ret = wc_RNG_GenerateBlock(ssl->rng, ssl->arrays->preMasterSecret,
- (word32)(sz));
- if (ret != 0)
- return ret;
+ ForceZero(ssl->arrays->preMasterSecret, sz);
- for (i = 0; i < sz; i++)
- ssl->arrays->preMasterSecret[i] = 0;
+#ifdef WOLFSSL_CHECK_MEM_ZERO
+ wc_MemZero_Check(ssl->arrays->preMasterSecret, sz);
+#endif
 XFREE(ssl->arrays->preMasterSecret, ssl->heap, DYNAMIC_TYPE_SECRET);
 ssl->arrays->preMasterSecret = NULL;
 ssl->arrays->preMasterSz = 0;
-
- return 0;
 }
@@ -4038,6 +4063,13 @@ static int MakeSslMasterSecret(WOLFSSL* ssl)
 return MEMORY_E;
 }
 #endif
+#ifdef WOLFSSL_CHECK_MEM_ZERO
+ wc_MemZero_Add("MakeSslMasterSecret md5Input", md5Input,
+ ENCRYPT_LEN + WC_SHA_DIGEST_SIZE);
+ wc_MemZero_Add("MakeSslMasterSecret shaInput", shaInput,
+ PREFIX + ENCRYPT_LEN + 2 * RAN_LEN);
+#endif
+ XMEMSET(shaOutput, 0, WC_SHA_DIGEST_SIZE);
 ret = wc_InitMd5(md5);
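Review bot: In CleanPreMaster the length still goes through `int sz = (int)(ssl->arrays->preMasterSz);` and is then passed as a byte count to `ForceZero`, `wc_MemZero_Add` and `wc_MemZero_Check`. The index loops that needed a signed counter are gone, and the removed code already cast the value back with `(word32)(sz)`, so the signed round-trip no longer serves a purpose; keeping the field's own type, e.g. `word32 sz = ssl->arrays->preMasterSz;` (assuming the field is a word32, which the cast suggests), avoids a sign conversion on a length that guards secret data. Only preMasterSz bytes are scrubbed before `XFREE`; the allocation size is outside this hunk, so a one-line comment stating that the buffer never holds secret bytes beyond preMasterSz would help the next reader. The function now returns void and dereferences `ssl->arrays` unconditionally, which is also worth stating in a short header comment.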
@@ -4096,16 +4128,20 @@ static int MakeSslMasterSecret(WOLFSSL* ssl)
 ret = DeriveKeys(ssl);
 }
+ ForceZero(md5Input, ENCRYPT_LEN + WC_SHA_DIGEST_SIZE);
+ ForceZero(shaInput, PREFIX + ENCRYPT_LEN + 2 * RAN_LEN);
+#ifdef WOLFSSL_CHECK_MEM_ZERO
+ wc_MemZero_Check(md5Input, ENCRYPT_LEN + WC_SHA_DIGEST_SIZE);
+ wc_MemZero_Check(shaInput, PREFIX + ENCRYPT_LEN + 2 * RAN_LEN);
+#endif
+
 WC_FREE_VAR_EX(shaOutput, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 WC_FREE_VAR_EX(md5Input, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 WC_FREE_VAR_EX(shaInput, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 WC_FREE_VAR_EX(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 WC_FREE_VAR_EX(sha, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- if (ret == 0)
- ret = CleanPreMaster(ssl);
- else
- CleanPreMaster(ssl);
+ CleanPreMaster(ssl);
 return ret;
 }
diff --git a/src/tls.c b/src/tls.c
index d5cb43ec428..f16b57ffc47 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -488,6 +488,14 @@ int DeriveTlsKeys(WOLFSSL* ssl)
 if (ret == 0) ret = StoreKeys(ssl, key_dig, PROVISION_CLIENT_SERVER);
+#ifdef WOLFSSL_CHECK_MEM_ZERO
+ wc_MemZero_Add("DeriveTlsKeys key_dig", key_dig, MAX_PRF_DIG);
+#endif
+ ForceZero(key_dig, MAX_PRF_DIG);
+#ifdef WOLFSSL_CHECK_MEM_ZERO
+ wc_MemZero_Check(key_dig, MAX_PRF_DIG);
+#endif
+
 WC_FREE_VAR_EX(key_dig, ssl->heap, DYNAMIC_TYPE_DIGEST);
 return ret;
diff --git a/src/tls13.c b/src/tls13.c
index db5659cd052..2c2e6719801 100644
--- a/src/tls13.c
+++ b/src/tls13.c
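Review bot: shaOutput is released by `WC_FREE_VAR_EX(shaOutput, ...)` at the end of MakeSslMasterSecret without being cleared. This hunk scrubs md5Input and shaInput only, while DeriveKeys in the same commit also clears its shaOutput. The code that fills shaOutput is outside the hunk, but if it holds a digest computed over shaInput it is derived from the same secret material and should get `ForceZero(shaOutput, WC_SHA_DIGEST_SIZE);` next to the other two calls. Matching `wc_MemZero_Add` and `wc_MemZero_Check` entries under WOLFSSL_CHECK_MEM_ZERO would keep the checker coverage equal to DeriveKeys.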
@@ -1207,16 +1207,22 @@ int DeriveHandshakeSecret(WOLFSSL* ssl)
 ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret, derivedLabel, DERIVED_LABEL_SZ, NULL, 0, ssl->specs.mac_algorithm);
- if (ret != 0)
- return ret;
-
- PRIVATE_KEY_UNLOCK();
- ret = Tls13_HKDF_Extract(ssl, ssl->arrays->preMasterSecret,
- key, ssl->specs.hash_size,
- ssl->arrays->preMasterSecret, (int)ssl->arrays->preMasterSz,
- mac2hash(ssl->specs.mac_algorithm));
- PRIVATE_KEY_LOCK();
+ if (ret == 0) {
+ PRIVATE_KEY_UNLOCK();
+ ret = Tls13_HKDF_Extract(ssl, ssl->arrays->preMasterSecret,
+ key, ssl->specs.hash_size,
+ ssl->arrays->preMasterSecret, (int)ssl->arrays->preMasterSz,
+ mac2hash(ssl->specs.mac_algorithm));
+ PRIVATE_KEY_LOCK();
+ }
+#ifdef WOLFSSL_CHECK_MEM_ZERO
+ wc_MemZero_Add("DeriveHandshakeSecret key", key, WC_MAX_DIGEST_SIZE);
+#endif
+ ForceZero(key, sizeof(key));
+#ifdef WOLFSSL_CHECK_MEM_ZERO
+ wc_MemZero_Check(key, sizeof(key));
+#endif
 return ret;
 }
@@ -1244,14 +1250,22 @@ int DeriveMasterSecret(WOLFSSL* ssl)
 ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->preMasterSecret, derivedLabel, DERIVED_LABEL_SZ, NULL, 0, ssl->specs.mac_algorithm);
- if (ret != 0)
- return ret;
+ if (ret == 0) {
+ PRIVATE_KEY_UNLOCK();
+ ret = Tls13_HKDF_Extract(ssl, ssl->arrays->masterSecret,
+ key, ssl->specs.hash_size,
+ ssl->arrays->masterSecret, 0,
+ mac2hash(ssl->specs.mac_algorithm));
+ PRIVATE_KEY_LOCK();
+ }
- PRIVATE_KEY_UNLOCK();
- ret = Tls13_HKDF_Extract(ssl, ssl->arrays->masterSecret,
- key, ssl->specs.hash_size,
- ssl->arrays->masterSecret, 0, mac2hash(ssl->specs.mac_algorithm));
- PRIVATE_KEY_LOCK();
+#ifdef WOLFSSL_CHECK_MEM_ZERO
+ wc_MemZero_Add("DeriveMasterSecret key", key, WC_MAX_DIGEST_SIZE);
+#endif
+ ForceZero(key, sizeof(key));
+#ifdef WOLFSSL_CHECK_MEM_ZERO
+ wc_MemZero_Check(key, sizeof(key));
+#endif
 #ifdef HAVE_KEYING_MATERIAL
 if (ret != 0)
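Review bot: The three calls on `key` in DeriveHandshakeSecret do not agree on the length: `wc_MemZero_Add` registers WC_MAX_DIGEST_SIZE bytes while `ForceZero` and `wc_MemZero_Check` use `sizeof(key)`, and DeriveMasterSecret repeats the same mix. The declaration of key is outside both hunks; if it is an array of WC_MAX_DIGEST_SIZE bytes the values coincide, but a single expression such as `wc_MemZero_Add("DeriveHandshakeSecret key", key, sizeof(key));` keeps them in step. A short comment that `sizeof(key)` relies on key being an array would guard against a later switch to a heap pointer, where it would silently shrink to the pointer size. DeriveMasterSecret continues past the hunk at `#ifdef HAVE_KEYING_MATERIAL`, so it is worth confirming that key is not read after the scrub.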