Skip to content

Commit 4c68523

Browse files
authored
Merge pull request #10872 from Frauschi/force_zero_pkcs12
Add missing ForceZero in PKCS#12
2 parents feb357d + bcd0805 commit 4c68523

1 file changed

Lines changed: 20 additions & 4 deletions

File tree

wolfcrypt/src/pkcs12.c

Lines changed: 20 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -610,6 +610,7 @@ static int wc_PKCS12_create_mac(WC_PKCS12* pkcs12, byte* data, word32 dataSz,
610610
ret = kLen; /* same as digest size */
611611

612612
exit_mac:
613+
ForceZero(key, sizeof(key));
613614
ForceZero(unicodePasswd, MAX_UNICODE_SZ);
614615
WC_FREE_VAR_EX(unicodePasswd, pkcs12->heap, DYNAMIC_TYPE_TMP_BUFFER);
615616
WC_FREE_VAR_EX(hmac, pkcs12->heap, DYNAMIC_TYPE_HMAC);
@@ -1355,6 +1356,7 @@ int wc_PKCS12_parse_ex(WC_PKCS12* pkcs12, const char* psw,
13551356
WC_DerCertList* certList = NULL;
13561357
WC_DerCertList* tailList = NULL;
13571358
byte* buf = NULL;
1359+
word32 bufSz = 0;
13581360
word32 i, oid;
13591361
word32 algId;
13601362
word32 contentSz = 0;
@@ -1466,6 +1468,7 @@ int wc_PKCS12_parse_ex(WC_PKCS12* pkcs12, const char* psw,
14661468
if (buf == NULL) {
14671469
ERROR_OUT(MEMORY_E, exit_pk12par);
14681470
}
1471+
bufSz = (word32)size;
14691472
XMEMCPY(buf, data + idx, (size_t)size);
14701473

14711474
if ((ret = DecryptContent(buf, (word32)size, psw, pswSz)) < 0) {
@@ -1780,8 +1783,12 @@ int wc_PKCS12_parse_ex(WC_PKCS12* pkcs12, const char* psw,
17801783
}
17811784

17821785
/* free temporary buffer */
1783-
XFREE(buf, pkcs12->heap, DYNAMIC_TYPE_PKCS);
1784-
buf = NULL;
1786+
if (buf != NULL) {
1787+
ForceZero(buf, bufSz);
1788+
XFREE(buf, pkcs12->heap, DYNAMIC_TYPE_PKCS);
1789+
buf = NULL;
1790+
bufSz = 0;
1791+
}
17851792

17861793
ci = ci->next;
17871794
WOLFSSL_MSG("Done Parsing PKCS12 Content Info Container");
@@ -1816,8 +1823,11 @@ int wc_PKCS12_parse_ex(WC_PKCS12* pkcs12, const char* psw,
18161823
XFREE(*pkey, pkcs12->heap, DYNAMIC_TYPE_PUBLIC_KEY);
18171824
*pkey = NULL;
18181825
}
1819-
XFREE(buf, pkcs12->heap, DYNAMIC_TYPE_PKCS);
1820-
buf = NULL;
1826+
if (buf != NULL) {
1827+
ForceZero(buf, bufSz);
1828+
XFREE(buf, pkcs12->heap, DYNAMIC_TYPE_PKCS);
1829+
buf = NULL;
1830+
}
18211831

18221832
wc_FreeCertList(certList, pkcs12->heap);
18231833
}
@@ -2713,9 +2723,11 @@ static int PKCS12_create_safe(WC_PKCS12* pkcs12, byte* certCi, word32 certCiSz,
27132723

27142724
ret = wc_PKCS12_encrypt_content(pkcs12, rng, safeData, &safeDataSz,
27152725
innerData, innerDataSz, 0, pass, (int)passSz, iter, WC_PKCS12_DATA);
2726+
ForceZero(innerData, innerDataSz);
27162727
XFREE(innerData, pkcs12->heap, DYNAMIC_TYPE_PKCS);
27172728
if (ret < 0 ) {
27182729
WOLFSSL_MSG("Error setting data type for safe contents");
2730+
ForceZero(safeData, safeDataSz);
27192731
XFREE(safeData, pkcs12->heap, DYNAMIC_TYPE_TMP_BUFFER);
27202732
return ret;
27212733
}
@@ -2724,11 +2736,13 @@ static int PKCS12_create_safe(WC_PKCS12* pkcs12, byte* certCi, word32 certCiSz,
27242736
ret = GetSequence(safeData, &idx, &length, safeDataSz);
27252737
if (ret < 0) {
27262738
WOLFSSL_MSG("Error getting first sequence of safe");
2739+
ForceZero(safeData, safeDataSz);
27272740
XFREE(safeData, pkcs12->heap, DYNAMIC_TYPE_TMP_BUFFER);
27282741
return ret;
27292742
}
27302743

27312744
ret = GetSafeContent(pkcs12, safeData, &idx, safeDataSz);
2745+
ForceZero(safeData, safeDataSz);
27322746
XFREE(safeData, pkcs12->heap, DYNAMIC_TYPE_TMP_BUFFER);
27332747
if (ret < 0) {
27342748
WOLFSSL_MSG("Unable to create safe contents");
@@ -2799,6 +2813,7 @@ WC_PKCS12* wc_PKCS12_create(char* pass, word32 passSz, char* name,
27992813
certCi = PKCS12_create_cert_content(pkcs12, nidCert, ca, cert, certSz,
28002814
&certCiSz, &rng, pass, passSz, iter);
28012815
if (certCi == NULL) {
2816+
ForceZero(keyCi, keyCiSz);
28022817
XFREE(keyCi, heap, DYNAMIC_TYPE_TMP_BUFFER);
28032818
wc_PKCS12_free(pkcs12);
28042819
wc_FreeRng(&rng);
@@ -2808,6 +2823,7 @@ WC_PKCS12* wc_PKCS12_create(char* pass, word32 passSz, char* name,
28082823
/**** create safe and Content Info ****/
28092824
ret = PKCS12_create_safe(pkcs12, certCi, certCiSz, keyCi, keyCiSz, &rng,
28102825
pass, passSz, iter);
2826+
ForceZero(keyCi, keyCiSz);
28112827
XFREE(keyCi, heap, DYNAMIC_TYPE_TMP_BUFFER);
28122828
XFREE(certCi, heap, DYNAMIC_TYPE_TMP_BUFFER);
28132829
if (ret != 0) {

0 commit comments

Comments
 (0)