
Commit 211359f

committed
pkcs7: zero plaintext before free
1 parent 4e4eec1 commit 211359f

1 file changed

Lines changed: 26 additions & 0 deletions


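--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
@@ -10561,6 +10561,7 @@ int wc_PKCS7_EncodeEnvelopedData(wc_PKCS7* pkcs7, byte* output, word32 outputSz)
 ret = wc_PKCS7_PadData(pkcs7->content, pkcs7->contentSz, plain,
 (word32)encryptedOutSz, (word32)blockSz);
 if (ret < 0) {
+ForceZero(plain, (word32)encryptedOutSz);
 XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 wc_PKCS7_FreeEncodedRecipientSet(pkcs7);
 return ret;
@@ -10575,6 +10576,8 @@ int wc_PKCS7_EncodeEnvelopedData(wc_PKCS7* pkcs7, byte* output, word32 outputSz)
 encryptedContent = (byte*)XMALLOC((word32)encryptedOutSz, pkcs7->heap,
 DYNAMIC_TYPE_PKCS7);
 if (encryptedContent == NULL) {
+if (plain != NULL)
+ForceZero(plain, (word32)encryptedOutSz);
 XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 wc_PKCS7_FreeEncodedRecipientSet(pkcs7);
 return MEMORY_E;
@@ -10591,6 +10594,8 @@ int wc_PKCS7_EncodeEnvelopedData(wc_PKCS7* pkcs7, byte* output, word32 outputSz)
 
 if (contentEncAlgoSz == 0) {
 XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+if (plain != NULL)
+ForceZero(plain, (word32)encryptedOutSz);
 XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 wc_PKCS7_FreeEncodedRecipientSet(pkcs7);
 return BAD_FUNC_ARG;
@@ -10630,6 +10635,8 @@ int wc_PKCS7_EncodeEnvelopedData(wc_PKCS7* pkcs7, byte* output, word32 outputSz)
 encryptedContent = (byte*)XMALLOC(streamSz, pkcs7->heap,
 DYNAMIC_TYPE_PKCS7);
 if (encryptedContent == NULL) {
+if (plain != NULL)
+ForceZero(plain, (word32)encryptedOutSz);
 XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 wc_PKCS7_FreeEncodedRecipientSet(pkcs7);
 return MEMORY_E;
@@ -10676,6 +10683,8 @@ int wc_PKCS7_EncodeEnvelopedData(wc_PKCS7* pkcs7, byte* output, word32 outputSz)
 ) {
 WOLFSSL_MSG("Pkcs7_encrypt output buffer too small");
 XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+if (plain != NULL)
+ForceZero(plain, (word32)encryptedOutSz);
 XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
 wc_PKCS7_FreeEncodedRecipientSet(pkcs7);
 return BUFFER_E;
@@ -10739,6 +10748,8 @@ int wc_PKCS7_EncodeEnvelopedData(wc_PKCS7* pkcs7, byte* output, word32 outputSz)
 if (ret != 0) {
 XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 
+if (plain != NULL)
+ForceZero(plain, (word32)encryptedOutSz);
 XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 
 wc_PKCS7_FreeEncodedRecipientSet(pkcs7);
@@ -10785,6 +10796,8 @@ int wc_PKCS7_EncodeEnvelopedData(wc_PKCS7* pkcs7, byte* output, word32 outputSz)
 idx += encryptedOutSz;
 }
 
+if (plain != NULL)
+ForceZero(plain, (word32)encryptedOutSz);
 XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 
 XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
@@ -14411,6 +14424,7 @@ int wc_PKCS7_EncodeAuthEnvelopedData(wc_PKCS7* pkcs7, byte* output,
 encryptedContent = (byte*)XMALLOC((word32)encryptedAllocSz, pkcs7->heap,
 DYNAMIC_TYPE_PKCS7);
 if (encryptedContent == NULL) {
+ForceZero(plain, (word32)encryptedAllocSz);
 XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 wc_PKCS7_FreeEncodedRecipientSet(pkcs7);
 XFREE(aadBuffer, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
@@ -14424,6 +14438,7 @@ int wc_PKCS7_EncodeAuthEnvelopedData(wc_PKCS7* pkcs7, byte* output,
 (int)pkcs7->cekSz, nonce, (int)nonceSz, aadBuffer, aadBufferSz,
 authTag, sizeof(authTag), plain, encryptedOutSz, encryptedContent);
 
+ForceZero(plain, (word32)encryptedAllocSz);
 XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 plain = NULL;
 
@@ -15461,13 +15476,15 @@ int wc_PKCS7_EncodeEncryptedData(wc_PKCS7* pkcs7, byte* output, word32 outputSz)
 ret = wc_PKCS7_PadData(pkcs7->content, pkcs7->contentSz, plain,
 (word32)encryptedOutSz, (word32)blockSz);
 if (ret < 0) {
+ForceZero(plain, (word32)encryptedOutSz);
 XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 return ret;
 }
 
 encryptedContent = (byte*)XMALLOC((word32)encryptedOutSz, pkcs7->heap,
 DYNAMIC_TYPE_PKCS7);
 if (encryptedContent == NULL) {
+ForceZero(plain, (word32)encryptedOutSz);
 XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 return MEMORY_E;
 }
@@ -15481,6 +15498,7 @@ int wc_PKCS7_EncodeEncryptedData(wc_PKCS7* pkcs7, byte* output, word32 outputSz)
 oidBlkType, ivOctetStringSz + blockSz);
 if (contentEncAlgoSz == 0) {
 XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+ForceZero(plain, (word32)encryptedOutSz);
 XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 return BAD_FUNC_ARG;
 }
@@ -15490,6 +15508,7 @@ int wc_PKCS7_EncodeEncryptedData(wc_PKCS7* pkcs7, byte* output, word32 outputSz)
 ret = wc_PKCS7_GenerateBlock(pkcs7, NULL, tmpIv, (word32)blockSz);
 if (ret != 0) {
 XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+ForceZero(plain, (word32)encryptedOutSz);
 XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 return ret;
 }
@@ -15499,6 +15518,7 @@ int wc_PKCS7_EncodeEncryptedData(wc_PKCS7* pkcs7, byte* output, word32 outputSz)
 NULL, 0, NULL, 0, plain, encryptedOutSz, encryptedContent);
 if (ret != 0) {
 XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+ForceZero(plain, (word32)encryptedOutSz);
 XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 return ret;
 }
@@ -15516,6 +15536,7 @@ int wc_PKCS7_EncodeEncryptedData(wc_PKCS7* pkcs7, byte* output, word32 outputSz)
 
 if (pkcs7->unprotectedAttribs == NULL) {
 XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+ForceZero(plain, (word32)encryptedOutSz);
 XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 return BAD_FUNC_ARG;
 }
@@ -15525,6 +15546,7 @@ int wc_PKCS7_EncodeEncryptedData(wc_PKCS7* pkcs7, byte* output, word32 outputSz)
 pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 if (attribs == NULL) {
 XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+ForceZero(plain, (word32)encryptedOutSz);
 XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 return MEMORY_E;
 }
@@ -15541,6 +15563,7 @@ int wc_PKCS7_EncodeEncryptedData(wc_PKCS7* pkcs7, byte* output, word32 outputSz)
 if (flatAttribs == NULL) {
 XFREE(attribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+ForceZero(plain, (word32)encryptedOutSz);
 XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 return MEMORY_E;
 }
@@ -15550,6 +15573,7 @@ int wc_PKCS7_EncodeEncryptedData(wc_PKCS7* pkcs7, byte* output, word32 outputSz)
 if (ret != 0) {
 XFREE(attribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+ForceZero(plain, (word32)encryptedOutSz);
 XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 XFREE(flatAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 return ret;
@@ -15590,6 +15614,7 @@ int wc_PKCS7_EncodeEncryptedData(wc_PKCS7* pkcs7, byte* output, word32 outputSz)
 XFREE(attribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 XFREE(flatAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+ForceZero(plain, (word32)encryptedOutSz);
 XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 return BUFFER_E;
 }
@@ -15631,6 +15656,7 @@ int wc_PKCS7_EncodeEncryptedData(wc_PKCS7* pkcs7, byte* output, word32 outputSz)
 XFREE(attribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 XFREE(flatAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+ForceZero(plain, (word32)encryptedOutSz);
 XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 
 return idx;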
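Review bot: The NULL guard on `plain` is applied inconsistently: six sites in wc_PKCS7_EncodeEnvelopedData use `if (plain != NULL) ForceZero(plain, (word32)encryptedOutSz);`, while the PadData failure path in the first hunk and every added call in wc_PKCS7_EncodeAuthEnvelopedData and wc_PKCS7_EncodeEncryptedData call ForceZero unguarded. ForceZero writes through the pointer, so an unguarded call would fault if any of those paths can be reached with `plain == NULL` and a non-zero size; the allocations of `plain` are outside the hunks, so this cannot be confirmed from here. Either guard every site the same way or add a one-line comment at the unguarded ones saying why `plain` is known to be non-NULL there. With 26 copies of the same wipe-then-free pair, a single static helper that checks for NULL, wipes and frees would keep a future error path from freeing plaintext without the wipe. Separately, the context line `XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);` in the "output buffer too small" path uses a different type tag from every other free of `plain`, which looks unintended.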
