sys/hashes/pbkdf2: wipe local variables, prevents leaks.

Wipe temporary buffers and sha256 contexts so that no remnants of the password is left on the stack This ensures that the password is not leaked if some function reads the stack afterwards.
2024-12-29 04:50:03 +01:00 · 2019-09-13 12:33:28 +02:00 · 2019-09-13 12:33:28 +02:00 · bc8ce928d4
commit bc8ce928d4
parent 62667848c4
2 changed files with 16 additions and 0 deletions
--- a/sys/Makefile.dep
+++ b/sys/Makefile.dep
@ -732,6 +732,10 @@ ifneq (,$(filter random,$(USEMODULE)))
  USEMODULE += luid
 endif

+ifneq (,$(filter hashes,$(USEMODULE)))
+  USEMODULE += crypto
+endif
+
 ifneq (,$(filter asymcute,$(USEMODULE)))
  USEMODULE += sock_udp
  USEMODULE += sock_util
--- a/sys/hashes/pbkdf2.c
+++ b/sys/hashes/pbkdf2.c
@ -22,6 +22,7 @@

 #include "hashes/sha256.h"
 #include "hashes/pbkdf2.h"
+#include "crypto/helper.h"

 static void inplace_xor_scalar(uint8_t *bytes, size_t len, uint8_t c)
 {
@ -75,6 +76,8 @@ void pbkdf2_sha256(const uint8_t *password, size_t password_len,

        inplace_xor_scalar(processed_pass, sizeof(processed_pass), 0x36 ^ 0x5C);
        sha256_update(&outer, processed_pass, sizeof(processed_pass));
+
+        crypto_secure_wipe(&processed_pass, sizeof(processed_pass));
    }

    memset(output, 0, SHA256_DIGEST_LENGTH);
@ -96,5 +99,14 @@ void pbkdf2_sha256(const uint8_t *password, size_t password_len,
        sha256_final(&outer_copy, tmp_digest);

        inplace_xor_digests(output, tmp_digest);
+
+        if (iterations == 0) {
+            crypto_secure_wipe(&inner_copy, sizeof(inner_copy));
+            crypto_secure_wipe(&outer_copy, sizeof(outer_copy));
+        }
    }
+
+    crypto_secure_wipe(&inner, sizeof(inner));
+    crypto_secure_wipe(&outer, sizeof(outer));
+    crypto_secure_wipe(&tmp_digest, sizeof(tmp_digest));
 }