202 lines
6.6 KiB
Diff
202 lines
6.6 KiB
Diff
|
# HG changeset patch
|
||
|
|
# User Hans Petter Jansson <hpj@cl.no>
|
||
|
|
# Date 1574240665 -3600
|
||
|
|
# Wed Nov 20 10:04:25 2019 +0100
|
||
|
|
# Node ID 3a2cb65dc157344cdad19e8e16e9c33e36f82d96
|
||
|
|
# Parent 2d4483f4a1259f965f32ff4c65436e92aef83be7
|
||
|
|
[PATCH 07/10] 29
|
||
|
|
From 76da775313bd40a1353a9d2f6cc43ebe1a287574 Mon Sep 17 00:00:00 2001
|
||
|
|
---
|
||
|
|
nss/lib/freebl/aeskeywrap.c | 1 +
|
||
|
|
nss/lib/freebl/cts.c | 18 +++++++++------
|
||
|
|
nss/lib/freebl/dh.c | 4 ++++
|
||
|
|
nss/lib/freebl/ec.c | 2 +-
|
||
|
|
nss/lib/freebl/gcm.c | 45 +++++++++++++++++++++++++++++++++----
|
||
|
|
5 files changed, 58 insertions(+), 12 deletions(-)
|
||
|
|
|
||
|
|
Index: nss/lib/freebl/aeskeywrap.c
|
||
|
|
===================================================================
|
||
|
|
--- nss.orig/lib/freebl/aeskeywrap.c
|
||
|
|
+++ nss/lib/freebl/aeskeywrap.c
|
||
|
|
@@ -102,6 +102,7 @@ AESKeyWrap_DestroyContext(AESKeyWrapCont
|
||
|
|
{
|
||
|
|
if (cx) {
|
||
|
|
AES_DestroyContext(&cx->aescx, PR_FALSE);
|
||
|
|
+ memset(cx->iv, 0, sizeof (cx->iv));
|
||
|
|
/* memset(cx, 0, sizeof *cx); */
|
||
|
|
if (freeit) {
|
||
|
|
PORT_Free(cx->mem);
|
||
|
|
Index: nss/lib/freebl/cts.c
|
||
|
|
===================================================================
|
||
|
|
--- nss.orig/lib/freebl/cts.c
|
||
|
|
+++ nss/lib/freebl/cts.c
|
||
|
|
@@ -37,6 +37,7 @@ CTS_CreateContext(void *context, freeblC
|
||
|
|
void
|
||
|
|
CTS_DestroyContext(CTSContext *cts, PRBool freeit)
|
||
|
|
{
|
||
|
|
+ PORT_Memset(cts, 0, sizeof(CTSContext));
|
||
|
|
if (freeit) {
|
||
|
|
PORT_Free(cts);
|
||
|
|
}
|
||
|
|
@@ -135,7 +136,7 @@ CTS_EncryptUpdate(CTSContext *cts, unsig
|
||
|
|
PORT_Memset(lastBlock + inlen, 0, blocksize - inlen);
|
||
|
|
rv = (*cts->cipher)(cts->context, outbuf, &tmp, maxout, lastBlock,
|
||
|
|
blocksize, blocksize);
|
||
|
|
- PORT_Memset(lastBlock, 0, blocksize);
|
||
|
|
+ PORT_Memset(lastBlock, 0, MAX_BLOCK_SIZE);
|
||
|
|
if (rv == SECSuccess) {
|
||
|
|
*outlen = written + blocksize;
|
||
|
|
} else {
|
||
|
|
@@ -230,13 +231,15 @@ CTS_DecryptUpdate(CTSContext *cts, unsig
|
||
|
|
rv = (*cts->cipher)(cts->context, outbuf, outlen, maxout, inbuf,
|
||
|
|
fullblocks, blocksize);
|
||
|
|
if (rv != SECSuccess) {
|
||
|
|
- return SECFailure;
|
||
|
|
+ rv = SECFailure;
|
||
|
|
+ goto cleanup;
|
||
|
|
}
|
||
|
|
*outlen = fullblocks; /* AES low level doesn't set outlen */
|
||
|
|
inbuf += fullblocks;
|
||
|
|
inlen -= fullblocks;
|
||
|
|
if (inlen == 0) {
|
||
|
|
- return SECSuccess;
|
||
|
|
+ rv = SECSuccess;
|
||
|
|
+ goto cleanup;
|
||
|
|
}
|
||
|
|
outbuf += fullblocks;
|
||
|
|
|
||
|
|
@@ -280,9 +283,9 @@ CTS_DecryptUpdate(CTSContext *cts, unsig
|
||
|
|
rv = (*cts->cipher)(cts->context, Pn, &tmpLen, blocksize, lastBlock,
|
||
|
|
blocksize, blocksize);
|
||
|
|
if (rv != SECSuccess) {
|
||
|
|
- PORT_Memset(lastBlock, 0, blocksize);
|
||
|
|
PORT_Memset(saveout, 0, *outlen);
|
||
|
|
- return SECFailure;
|
||
|
|
+ rv = SECFailure;
|
||
|
|
+ goto cleanup;
|
||
|
|
}
|
||
|
|
/* make up for the out of order CBC decryption */
|
||
|
|
XOR_BLOCK(Pn, Cn_2, blocksize);
|
||
|
|
@@ -297,7 +300,8 @@ CTS_DecryptUpdate(CTSContext *cts, unsig
|
||
|
|
/* clear last block. At this point last block contains Pn xor Cn_1 xor
|
||
|
|
* Cn_2, both of with an attacker would know, so we need to clear this
|
||
|
|
* buffer out */
|
||
|
|
- PORT_Memset(lastBlock, 0, blocksize);
|
||
|
|
+cleanup:
|
||
|
|
+ PORT_Memset(lastBlock, 0, MAX_BLOCK_SIZE);
|
||
|
|
/* Cn, Cn_1, and Cn_2 have encrypted data, so no need to clear them */
|
||
|
|
- return SECSuccess;
|
||
|
|
+ return rv;
|
||
|
|
}
|
||
|
|
Index: nss/lib/freebl/dh.c
|
||
|
|
===================================================================
|
||
|
|
--- nss.orig/lib/freebl/dh.c
|
||
|
|
+++ nss/lib/freebl/dh.c
|
||
|
|
@@ -192,6 +192,10 @@ cleanup:
|
||
|
|
rv = SECFailure;
|
||
|
|
}
|
||
|
|
if (rv) {
|
||
|
|
+ SECITEM_ZfreeItem(&key->prime, PR_FALSE);
|
||
|
|
+ SECITEM_ZfreeItem(&key->base, PR_FALSE);
|
||
|
|
+ SECITEM_ZfreeItem(&key->publicValue, PR_FALSE);
|
||
|
|
+ SECITEM_ZfreeItem(&key->privateValue, PR_FALSE);
|
||
|
|
*privKey = NULL;
|
||
|
|
PORT_FreeArena(arena, PR_TRUE);
|
||
|
|
}
|
||
|
|
Index: nss/lib/freebl/gcm.c
|
||
|
|
===================================================================
|
||
|
|
--- nss.orig/lib/freebl/gcm.c
|
||
|
|
+++ nss/lib/freebl/gcm.c
|
||
|
|
@@ -162,6 +162,9 @@ bmul(uint64_t x, uint64_t y, uint64_t *r
|
||
|
|
|
||
|
|
*r_high = (uint64_t)(r >> 64);
|
||
|
|
*r_low = (uint64_t)r;
|
||
|
|
+
|
||
|
|
+ /* Zeroization */
|
||
|
|
+ x1 = x2 = x3 = x4 = x5 = y1 = y2 = y3 = y4 = y5 = r = z = 0;
|
||
|
|
}
|
||
|
|
|
||
|
|
SECStatus
|
||
|
|
@@ -200,6 +203,12 @@ gcm_HashMult_sftw(gcmHashContext *ghash,
|
||
|
|
}
|
||
|
|
ghash->x_low = ci_low;
|
||
|
|
ghash->x_high = ci_high;
|
||
|
|
+
|
||
|
|
+ /* Zeroization */
|
||
|
|
+ ci_low = ci_high = z2_low = z2_high = z0_low = z0_high = z1a_low = z1a_high = 0;
|
||
|
|
+ z_low = z_high = 0;
|
||
|
|
+ i = 0;
|
||
|
|
+
|
||
|
|
return SECSuccess;
|
||
|
|
}
|
||
|
|
#else
|
||
|
|
@@ -239,6 +248,10 @@ bmul32(uint32_t x, uint32_t y, uint32_t
|
||
|
|
z = z0 | z1 | z2 | z3;
|
||
|
|
*r_high = (uint32_t)(z >> 32);
|
||
|
|
*r_low = (uint32_t)z;
|
||
|
|
+
|
||
|
|
+ /* Zeroization */
|
||
|
|
+ x0 = x1 = x2 = x3 = y0 = y1 = y2 = y3 = 0;
|
||
|
|
+ z0 = z1 = z2 = z3 = z = 0;
|
||
|
|
}
|
||
|
|
|
||
|
|
SECStatus
|
||
|
|
@@ -324,6 +337,20 @@ gcm_HashMult_sftw32(gcmHashContext *ghas
|
||
|
|
ghash->x_high = z_high_h;
|
||
|
|
ghash->x_low = z_high_l;
|
||
|
|
}
|
||
|
|
+
|
||
|
|
+ /* Zeroization */
|
||
|
|
+ ci_low = ci_high = z_high_h = z_high_l = z_low_h = z_low_l = 0;
|
||
|
|
+
|
||
|
|
+ ci_high_h = ci_high_l = ci_low_h = ci_low_l
|
||
|
|
+ = b_a_h = b_a_l = a_a_h = a_a_l = b_b_h = b_b_l
|
||
|
|
+ = a_b_h = a_b_l = b_c_h = b_c_l = a_c_h = a_c_l = c_c_h = c_c_l
|
||
|
|
+ = ci_highXlow_h = ci_highXlow_l = c_a_h = c_a_l = c_b_h = c_b_l
|
||
|
|
+ = h_high_h = h_high_l = h_low_h = h_low_l = h_highXlow_h = h_highXlow_l
|
||
|
|
+ = h_highX_xored
|
||
|
|
+ = 0;
|
||
|
|
+
|
||
|
|
+ i = 0;
|
||
|
|
+
|
||
|
|
return SECSuccess;
|
||
|
|
}
|
||
|
|
#endif /* HAVE_INT128_SUPPORT */
|
||
|
|
@@ -870,11 +897,13 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
|
||
|
|
/* verify the block */
|
||
|
|
rv = gcmHash_Update(gcm->ghash_context, inbuf, inlen);
|
||
|
|
if (rv != SECSuccess) {
|
||
|
|
- return SECFailure;
|
||
|
|
+ rv = SECFailure;
|
||
|
|
+ goto cleanup;
|
||
|
|
}
|
||
|
|
rv = gcm_GetTag(gcm, tag, &len, AES_BLOCK_SIZE);
|
||
|
|
if (rv != SECSuccess) {
|
||
|
|
- return SECFailure;
|
||
|
|
+ rv = SECFailure;
|
||
|
|
+ goto cleanup;
|
||
|
|
}
|
||
|
|
/* Don't decrypt if we can't authenticate the encrypted data!
|
||
|
|
* This assumes that if tagBits is not a multiple of 8, intag will
|
||
|
|
@@ -882,10 +911,18 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
|
||
|
|
if (NSS_SecureMemcmp(tag, intag, tagBytes) != 0) {
|
||
|
|
/* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
|
||
|
|
PORT_SetError(SEC_ERROR_BAD_DATA);
|
||
|
|
- PORT_Memset(tag, 0, sizeof(tag));
|
||
|
|
- return SECFailure;
|
||
|
|
+ rv = SECFailure;
|
||
|
|
+ goto cleanup;
|
||
|
|
}
|
||
|
|
+cleanup:
|
||
|
|
+ tagBytes = 0;
|
||
|
|
PORT_Memset(tag, 0, sizeof(tag));
|
||
|
|
+ intag = NULL;
|
||
|
|
+ len = 0;
|
||
|
|
+ if (rv != SECSuccess) {
|
||
|
|
+ return rv;
|
||
|
|
+ }
|
||
|
|
+
|
||
|
|
/* finish the decryption */
|
||
|
|
return CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout,
|
||
|
|
inbuf, inlen, AES_BLOCK_SIZE);
|