# HG changeset patch
# User Hans Petter Jansson
# Date 1574240665 -3600
# Wed Nov 20 10:04:25 2019 +0100
# Node ID 3a2cb65dc157344cdad19e8e16e9c33e36f82d96
# Parent 2d4483f4a1259f965f32ff4c65436e92aef83be7
[PATCH 07/10] 29
From 76da775313bd40a1353a9d2f6cc43ebe1a287574 Mon Sep 17 00:00:00 2001
---
 nss/lib/freebl/aeskeywrap.c | 1 +
 nss/lib/freebl/cts.c | 18 +++++++++------
 nss/lib/freebl/dh.c | 4 ++++
 nss/lib/freebl/ec.c | 2 +-
 nss/lib/freebl/gcm.c | 45 +++++++++++++++++++++++++++++++++----
 5 files changed, 58 insertions(+), 12 deletions(-)
Index: nss/lib/freebl/aeskeywrap.c
===================================================================
--- nss.orig/lib/freebl/aeskeywrap.c
+++ nss/lib/freebl/aeskeywrap.c
@@ -102,6 +102,7 @@ AESKeyWrap_DestroyContext(AESKeyWrapCont
 {
 if (cx) {
 AES_DestroyContext(&cx->aescx, PR_FALSE);
+ memset(cx->iv, 0, sizeof (cx->iv));
 /* memset(cx, 0, sizeof *cx); */
 if (freeit) {
 PORT_Free(cx->mem);
Index: nss/lib/freebl/cts.c
===================================================================
--- nss.orig/lib/freebl/cts.c
+++ nss/lib/freebl/cts.c
@@ -37,6 +37,7 @@ CTS_CreateContext(void *context, freeblC
 void
 CTS_DestroyContext(CTSContext *cts, PRBool freeit)
 {
+ PORT_Memset(cts, 0, sizeof(CTSContext));
 if (freeit) {
 PORT_Free(cts);
 }
@@ -135,7 +136,7 @@ CTS_EncryptUpdate(CTSContext *cts, unsig
 PORT_Memset(lastBlock + inlen, 0, blocksize - inlen);
 rv = (*cts->cipher)(cts->context, outbuf, &tmp, maxout, lastBlock, blocksize, blocksize);
- PORT_Memset(lastBlock, 0, blocksize);
+ PORT_Memset(lastBlock, 0, MAX_BLOCK_SIZE);
 if (rv == SECSuccess) {
 *outlen = written + blocksize;
 } else {
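Review bot: The added clear of `cx->iv` uses bare `memset` while every other zeroization in this patch goes through `PORT_Memset`, so for consistency the line should read `PORT_Memset(cx->iv, 0, sizeof(cx->iv));`. Because `PORT_Free(cx->mem)` follows immediately when `freeit` is set, either call is a store to memory that is about to be released and an optimizing compiler may drop it as a dead store, so the wipe is not guaranteed on that path; if freebl has a barrier-backed zeroization helper, this is where it belongs. The commented-out `memset(cx, 0, sizeof *cx)` should either be made live or deleted, since dead code in a destroy routine invites the assumption that the whole context is wiped when only the IV is.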
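Review bot: `PORT_Memset(cts, 0, sizeof(CTSContext))` dereferences `cts` unconditionally, whereas the old body only handed it to `PORT_Free`, which tolerates NULL, and the parallel change in `AESKeyWrap_DestroyContext` keeps its `if (cx)` guard; add `if (cts == NULL) { return; }` ahead of the memset so destroying a never-created context does not crash. As elsewhere in this patch, a memset directly before `PORT_Free(cts)` is a dead store the optimizer is entitled to remove, so the clear is best-effort on the `freeit` path and should be documented as such or routed through a non-elidable wipe.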
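Review bot: `PORT_Memset(lastBlock, 0, MAX_BLOCK_SIZE)` hard-codes the size the buffer is assumed to have, and `lastBlock` is declared outside this hunk; if it is a local array the clear should be `PORT_Memset(lastBlock, 0, sizeof(lastBlock));` so the length cannot drift from the declaration, and if it is a pointer the new constant may already overrun it. The previous form cleared only `blocksize` bytes, so widening it is right in intent; tying it to `sizeof` just makes that intent self-checking. `CTS_EncryptUpdate` begins and ends outside this hunk.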
@@ -230,13 +231,15 @@ CTS_DecryptUpdate(CTSContext *cts, unsig
 rv = (*cts->cipher)(cts->context, outbuf, outlen, maxout, inbuf, fullblocks, blocksize);
 if (rv != SECSuccess) {
- return SECFailure;
+ rv = SECFailure;
+ goto cleanup;
 }
 *outlen = fullblocks; /* AES low level doesn't set outlen */
 inbuf += fullblocks;
 inlen -= fullblocks;
 if (inlen == 0) {
- return SECSuccess;
+ rv = SECSuccess;
+ goto cleanup;
 }
 outbuf += fullblocks;
@@ -280,9 +283,9 @@ CTS_DecryptUpdate(CTSContext *cts, unsig
 rv = (*cts->cipher)(cts->context, Pn, &tmpLen, blocksize, lastBlock, blocksize, blocksize);
 if (rv != SECSuccess) {
- PORT_Memset(lastBlock, 0, blocksize);
 PORT_Memset(saveout, 0, *outlen);
- return SECFailure;
+ rv = SECFailure;
+ goto cleanup;
 }
 /* make up for the out of order CBC decryption */
 XOR_BLOCK(Pn, Cn_2, blocksize);
@@ -297,7 +300,8 @@ CTS_DecryptUpdate(CTSContext *cts, unsig
 /* clear last block. At this point last block contains Pn xor Cn_1 xor
 * Cn_2, both of with an attacker would know, so we need to clear this
 * buffer out */
- PORT_Memset(lastBlock, 0, blocksize);
+cleanup:
+ PORT_Memset(lastBlock, 0, MAX_BLOCK_SIZE);
 /* Cn, Cn_1, and Cn_2 have encrypted data, so no need to clear them */
- return SECSuccess;
+ return rv;
 }
Index: nss/lib/freebl/dh.c
===================================================================
--- nss.orig/lib/freebl/dh.c
+++ nss/lib/freebl/dh.c
@@ -192,6 +192,10 @@ cleanup:
 rv = SECFailure;
 }
 if (rv) {
+ SECITEM_ZfreeItem(&key->prime, PR_FALSE);
+ SECITEM_ZfreeItem(&key->base, PR_FALSE);
+ SECITEM_ZfreeItem(&key->publicValue, PR_FALSE);
+ SECITEM_ZfreeItem(&key->privateValue, PR_FALSE);
 *privKey = NULL;
 PORT_FreeArena(arena, PR_TRUE);
 }
Index: nss/lib/freebl/ec.c
===================================================================
--- nss.orig/lib/freebl/ec.c
+++ nss/lib/freebl/ec.c
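Review bot: The fall-through into `cleanup:` now returns `rv`, which is only `SECSuccess` because the last `(*cts->cipher)` call in the -280 hunk succeeded; any assignment to `rv` in the lines between that hunk and this one, or added later, silently changes the normal exit where the old code returned `SECSuccess` explicitly. Put `rv = SECSuccess;` immediately before the `cleanup:` label so the success path does not depend on state set several screens earlier. The error paths that jump here from the -230 hunk are fine, since clearing an array that may not have been written yet is harmless. `CTS_DecryptUpdate` begins outside these hunks.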
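Review bot: The four `SECITEM_ZfreeItem(..., PR_FALSE)` calls release each item's `data` buffer with the ordinary free after wiping it, but `PORT_FreeArena(arena, PR_TRUE)` two lines later strongly suggests these fields were allocated from `arena` (the allocation is outside the hunk, so please confirm); freeing arena-owned buffers individually is an invalid free, and the arena release with the zero flag already wipes them. If the goal is only to guarantee the private value is zeroized before the arena goes away, `PORT_Memset(key->privateValue.data, 0, key->privateValue.len);` (and likewise for the other items) does that without touching ownership. Also make sure `key` is assigned on every path that reaches `cleanup:` with `rv` set, because the new lines dereference it where the old code did not.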
@@ -1121,7 +1121,7 @@ ECDSA_VerifyDigest(ECPublicKey *key, con
 mp_int n;
 SECItem pointC = { siBuffer, NULL, 0 };
 int slen; /* length in bytes of a half signature (r or s) */
- int flen; /* length in bytes of the field size */
+ int flen = 0; /* length in bytes of the field size */
 unsigned olen; /* length in bytes of the base point order */
 unsigned obits; /* length in bits of the base point order */
Index: nss/lib/freebl/gcm.c
===================================================================
--- nss.orig/lib/freebl/gcm.c
+++ nss/lib/freebl/gcm.c
@@ -162,6 +162,9 @@ bmul(uint64_t x, uint64_t y, uint64_t *r
 *r_high = (uint64_t)(r >> 64);
 *r_low = (uint64_t)r;
+
+ /* Zeroization */
+ x1 = x2 = x3 = x4 = x5 = y1 = y2 = y3 = y4 = y5 = r = z = 0;
 }
 SECStatus
@@ -200,6 +203,12 @@ gcm_HashMult_sftw(gcmHashContext *ghash,
 }
 ghash->x_low = ci_low;
 ghash->x_high = ci_high;
+
+ /* Zeroization */
+ ci_low = ci_high = z2_low = z2_high = z0_low = z0_high = z1a_low = z1a_high = 0;
+ z_low = z_high = 0;
+ i = 0;
+
 return SECSuccess;
 }
 #else
@@ -239,6 +248,10 @@ bmul32(uint32_t x, uint32_t y, uint32_t
 z = z0 | z1 | z2 | z3;
 *r_high = (uint32_t)(z >> 32);
 *r_low = (uint32_t)z;
+
+ /* Zeroization */
+ x0 = x1 = x2 = x3 = y0 = y1 = y2 = y3 = 0;
+ z0 = z1 = z2 = z3 = z = 0;
 }
 SECStatus
@@ -324,6 +337,20 @@ gcm_HashMult_sftw32(gcmHashContext *ghas
 ghash->x_high = z_high_h;
 ghash->x_low = z_high_l;
 }
+
+ /* Zeroization */
+ ci_low = ci_high = z_high_h = z_high_l = z_low_h = z_low_l = 0;
+
+ ci_high_h = ci_high_l = ci_low_h = ci_low_l = b_a_h = b_a_l = a_a_h = a_a_l = b_b_h = b_b_l = a_b_h = a_b_l = b_c_h = b_c_l = a_c_h = a_c_l = c_c_h = c_c_l = ci_highXlow_h = ci_highXlow_l = c_a_h = c_a_l = c_b_h = c_b_l = h_high_h = h_high_l = h_low_h = h_low_l = h_highXlow_h = h_highXlow_l = h_highX_xored = 0;
+
+ i = 0;
+
 return SECSuccess;
 }
 #endif /* HAVE_INT128_SUPPORT */
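Review bot: The assignments `x1 = x2 = ... = r = z = 0` at the end of `bmul` write locals that are never read again, so at any optimization level the compiler deletes them as dead stores and the intermediates remain wherever they were, in registers or stack slots; the same applies to the chains added to `bmul32`, `gcm_HashMult_sftw` and `gcm_HashMult_sftw32`. If wiping these intermediates is a FIPS requirement, the write has to survive optimization, for example through a volatile-qualified access or a `memset` followed by an asm memory barrier, and the comment should name the requirement rather than the bare `/* Zeroization */`. Values that only ever live in registers cannot be cleared from C at all, which is worth stating in that comment so nobody reads the block as a guarantee.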
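Review bot: `i = 0` clears a loop counter that carries no key-dependent value, and the thirty-variable chain above it is hard to audit for a missed name; both are also plain dead stores that an optimizer removes. If the intent is to document which intermediates are sensitive, a short comment listing them is more useful than zeroing everything in scope, and if the intent is an actual wipe it needs a non-elidable store, so the chain as written delivers neither. `gcm_HashMult_sftw32` begins outside this hunk.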
@@ -870,11 +897,13 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
 /* verify the block */
 rv = gcmHash_Update(gcm->ghash_context, inbuf, inlen);
 if (rv != SECSuccess) {
- return SECFailure;
+ rv = SECFailure;
+ goto cleanup;
 }
 rv = gcm_GetTag(gcm, tag, &len, AES_BLOCK_SIZE);
 if (rv != SECSuccess) {
- return SECFailure;
+ rv = SECFailure;
+ goto cleanup;
 }
 /* Don't decrypt if we can't authenticate the encrypted data!
 * This assumes that if tagBits is not a multiple of 8, intag will
@@ -882,10 +911,18 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
 if (NSS_SecureMemcmp(tag, intag, tagBytes) != 0) {
 /* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
 PORT_SetError(SEC_ERROR_BAD_DATA);
- PORT_Memset(tag, 0, sizeof(tag));
- return SECFailure;
+ rv = SECFailure;
+ goto cleanup;
 }
+cleanup:
+ tagBytes = 0;
 PORT_Memset(tag, 0, sizeof(tag));
+ intag = NULL;
+ len = 0;
+ if (rv != SECSuccess) {
+ return rv;
+ }
+
 /* finish the decryption */
 return CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout, inbuf, inlen, AES_BLOCK_SIZE);
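Review bot: Under `cleanup:`, `tagBytes = 0`, `intag = NULL` and `len = 0` clear a tag length, a pointer to the caller's own tag and a byte count, none of which is secret, and as final writes to locals they are dead stores the optimizer drops regardless; the one clear that matters, `PORT_Memset(tag, 0, sizeof(tag))`, is itself followed by `return rv` on the failure path and is equally eligible for dead-store elimination, which matters because a leaked computed tag on mismatch is a forgery oracle. Drop the three scalar clears and route the tag wipe through a non-elidable store or memory barrier if the computed tag is considered sensitive. The success path also relies on `rv` still holding the `SECSuccess` from `gcm_GetTag` in the hunk above when execution falls into `cleanup:`; an explicit `rv = SECSuccess;` after the compare block keeps that local. `GCM_DecryptUpdate` begins outside this hunk.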