From bc8ce928d4cfb71b47d6e62dfeb47a15adfb02be Mon Sep 17 00:00:00 2001
From: Juan Carrano
Date: Fri, 13 Sep 2019 12:33:28 +0200
Subject: [PATCH] sys/hashes/pbkdf2: wipe local variables, prevents leaks.
Wipe temporary buffers and sha256 contexts so that no remnants of the password is left on the stack This ensures that the password is not leaked if some function reads the stack afterwards.
---
 sys/Makefile.dep | 4 ++++
 sys/hashes/pbkdf2.c | 12 ++++++++++++
 2 files changed, 16 insertions(+)
diff --git a/sys/Makefile.dep b/sys/Makefile.dep
index e2b0a90b22..242c1b1fa7 100644
--- a/sys/Makefile.dep
+++ b/sys/Makefile.dep
@@ -732,6 +732,10 @@ ifneq (,$(filter random,$(USEMODULE)))
 USEMODULE += luid
 endif
+ifneq (,$(filter hashes,$(USEMODULE)))
+ USEMODULE += crypto
+endif
+
 ifneq (,$(filter asymcute,$(USEMODULE)))
 USEMODULE += sock_udp
 USEMODULE += sock_util
diff --git a/sys/hashes/pbkdf2.c b/sys/hashes/pbkdf2.c
index c6b1515989..4e89f391be 100644
--- a/sys/hashes/pbkdf2.c
+++ b/sys/hashes/pbkdf2.c
@@ -22,6 +22,7 @@
 #include "hashes/sha256.h"
 #include "hashes/pbkdf2.h"
+#include "crypto/helper.h"
 static void inplace_xor_scalar(uint8_t *bytes, size_t len, uint8_t c)
 {
@@ -75,6 +76,8 @@ void pbkdf2_sha256(const uint8_t *password, size_t password_len,
 inplace_xor_scalar(processed_pass, sizeof(processed_pass), 0x36 ^ 0x5C);
 sha256_update(&outer, processed_pass, sizeof(processed_pass));
+
+ crypto_secure_wipe(&processed_pass, sizeof(processed_pass));
 }
 memset(output, 0, SHA256_DIGEST_LENGTH);
@@ -96,5 +99,14 @@ void pbkdf2_sha256(const uint8_t *password, size_t password_len,
 sha256_final(&outer_copy, tmp_digest);
 inplace_xor_digests(output, tmp_digest);
+
+ if (iterations == 0) {
+ crypto_secure_wipe(&inner_copy, sizeof(inner_copy));
+ crypto_secure_wipe(&outer_copy, sizeof(outer_copy));
+ }
 }
+
+ crypto_secure_wipe(&inner, sizeof(inner));
+ crypto_secure_wipe(&outer, sizeof(outer));
+ crypto_secure_wipe(&tmp_digest, sizeof(tmp_digest));
 }
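Review bot: In sys/Makefile.dep the new `hashes` → `crypto` dependency carries no comment explaining it, and it applies to every build that selects `hashes`, while in this patch only sys/hashes/pbkdf2.c includes `crypto/helper.h`. A line such as `# hashes/pbkdf2.c uses crypto_secure_wipe() from crypto/helper.h` above the `ifneq` would keep the dependency from later being dropped as apparently unused. Whether pulling all of `crypto` into hash-only builds costs image size depends on how unused objects are discarded, which is not visible here.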
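Review bot: In the `@@ -75,6 +76,8 @@` hunk of sys/hashes/pbkdf2.c the wipe is written with `&processed_pass` although the two calls directly above pass the array as `processed_pass`; the address is the same, but `crypto_secure_wipe(processed_pass, sizeof(processed_pass));` matches the surrounding calls, and the same applies to `&tmp_digest` in the last hunk. The block that declares `processed_pass` starts outside this hunk, so it cannot be confirmed from here that this buffer is the only password-derived temporary in it. If that block uses any other intermediate buffer or context while preparing the password, it would need the same wipe.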
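Review bot: The `if (iterations == 0)` guard around the wipes of `inner_copy` and `outer_copy` in the `@@ -96,5 +99,14 @@` hunk has no comment, and it is only correct if the enclosing loop (its header is outside this hunk) has already decremented `iterations` to zero during the final pass. A comment such as `/* copies are presumably re-created on every pass; wipe them once, after the last one */` would record that assumption, so a later change of the loop form does not silently skip the wipe. The three wipes at the end of the function are dead stores as far as the compiler is concerned, so the guarantee in the commit message rests on `crypto_secure_wipe()` being written so that it cannot be optimised away. It also does not extend to copies the SHA-256 routines may keep in their own frames or in registers; a sentence saying so in the function's documentation would set the right expectation.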