
Commit 96b399a

committed
WIP AES: Leak less data to stack
1 parent 672fb29 commit 96b399a

2 files changed

+222
-12
lines changed


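--- a/fio-stl.h
+++ b/fio-stl.h
@@ -25604,6 +25604,10 @@ SFUNC void fio_aes128_gcm_enc(void *restrict mac,
 tag = fio___bswap128(tag);
 tag = _mm_xor_si128(tag, s);
 _mm_storeu_si128((__m128i *)mac, tag);
+/* Clear sensitive data */
+fio_secure_zero(rk, sizeof(rk));
+fio_secure_zero(htbl, sizeof(htbl));
+fio_secure_zero(j0_bytes, sizeof(j0_bytes));
 }
 
 SFUNC void fio_aes256_gcm_enc(void *restrict mac,
@@ -25747,6 +25751,10 @@ SFUNC void fio_aes256_gcm_enc(void *restrict mac,
 tag = fio___bswap128(tag);
 tag = _mm_xor_si128(tag, s);
 _mm_storeu_si128((__m128i *)mac, tag);
+/* Clear sensitive data */
+fio_secure_zero(rk, sizeof(rk));
+fio_secure_zero(htbl, sizeof(htbl));
+fio_secure_zero(j0_bytes, sizeof(j0_bytes));
 }
 
 SFUNC int fio_aes128_gcm_dec(void *restrict mac,
@@ -25849,8 +25857,14 @@ SFUNC int fio_aes128_gcm_dec(void *restrict mac,
 tag = _mm_xor_si128(tag, s);
 uint8_t computed_mac[16];
 _mm_storeu_si128((__m128i *)computed_mac, tag);
-if (!fio_ct_is_eq(computed_mac, mac, 16))
+if (!fio_ct_is_eq(computed_mac, mac, 16)) {
+fio_secure_zero(computed_mac, sizeof(computed_mac));
+fio_secure_zero(rk, sizeof(rk));
+fio_secure_zero(htbl, sizeof(htbl));
+fio_secure_zero(j0_bytes, sizeof(j0_bytes));
 return -1;
+}
+fio_secure_zero(computed_mac, sizeof(computed_mac));
 
 /* Decrypt - process 4 blocks at a time */
 while (len >= 64) {
@@ -25895,6 +25909,10 @@ SFUNC int fio_aes128_gcm_dec(void *restrict mac,
 for (size_t i = 0; i < len; ++i)
 p[i] ^= ks_bytes[i];
 }
+/* Clear sensitive data */
+fio_secure_zero(rk, sizeof(rk));
+fio_secure_zero(htbl, sizeof(htbl));
+fio_secure_zero(j0_bytes, sizeof(j0_bytes));
 return 0;
 }
 
@@ -25998,8 +26016,14 @@ SFUNC int fio_aes256_gcm_dec(void *restrict mac,
 tag = _mm_xor_si128(tag, s);
 uint8_t computed_mac[16];
 _mm_storeu_si128((__m128i *)computed_mac, tag);
-if (!fio_ct_is_eq(computed_mac, mac, 16))
+if (!fio_ct_is_eq(computed_mac, mac, 16)) {
+fio_secure_zero(computed_mac, sizeof(computed_mac));
+fio_secure_zero(rk, sizeof(rk));
+fio_secure_zero(htbl, sizeof(htbl));
+fio_secure_zero(j0_bytes, sizeof(j0_bytes));
 return -1;
+}
+fio_secure_zero(computed_mac, sizeof(computed_mac));
 
 /* Decrypt - process 4 blocks at a time */
 while (len >= 64) {
@@ -26044,6 +26068,10 @@ SFUNC int fio_aes256_gcm_dec(void *restrict mac,
 for (size_t i = 0; i < len; ++i)
 p[i] ^= ks_bytes[i];
 }
+/* Clear sensitive data */
+fio_secure_zero(rk, sizeof(rk));
+fio_secure_zero(htbl, sizeof(htbl));
+fio_secure_zero(j0_bytes, sizeof(j0_bytes));
 return 0;
 }
 
@@ -26497,6 +26525,11 @@ SFUNC void fio_aes128_gcm_enc(void *restrict mac,
 uint8x16_t s = fio___arm_aes128_encrypt(j0, rk);
 tag = veorq_u8(tag, s);
 vst1q_u8((uint8_t *)mac, tag);
+
+/* Clear sensitive data */
+fio_secure_zero(rk, sizeof(rk));
+fio_secure_zero(htbl, sizeof(htbl));
+fio_secure_zero(j0_bytes, sizeof(j0_bytes));
 }
 
 SFUNC void fio_aes256_gcm_enc(void *restrict mac,
@@ -26633,6 +26666,11 @@ SFUNC void fio_aes256_gcm_enc(void *restrict mac,
 uint8x16_t s = fio___arm_aes256_encrypt(j0, rk);
 tag = veorq_u8(tag, s);
 vst1q_u8((uint8_t *)mac, tag);
+
+/* Clear sensitive data */
+fio_secure_zero(rk, sizeof(rk));
+fio_secure_zero(htbl, sizeof(htbl));
+fio_secure_zero(j0_bytes, sizeof(j0_bytes));
 }
 
 SFUNC int fio_aes128_gcm_dec(void *restrict mac,
@@ -26730,8 +26768,14 @@ SFUNC int fio_aes128_gcm_dec(void *restrict mac,
 tag = veorq_u8(tag, s);
 uint8_t computed_mac[16];
 vst1q_u8(computed_mac, tag);
-if (!fio_ct_is_eq(computed_mac, mac, 16))
+if (!fio_ct_is_eq(computed_mac, mac, 16)) {
+fio_secure_zero(computed_mac, sizeof(computed_mac));
+fio_secure_zero(rk, sizeof(rk));
+fio_secure_zero(htbl, sizeof(htbl));
+fio_secure_zero(j0_bytes, sizeof(j0_bytes));
 return -1;
+}
+fio_secure_zero(computed_mac, sizeof(computed_mac));
 
 /* Decrypt - process 4 blocks at a time */
 while (len >= 64) {
@@ -26776,6 +26820,11 @@ SFUNC int fio_aes128_gcm_dec(void *restrict mac,
 for (size_t i = 0; i < len; ++i)
 p[i] ^= ks_bytes[i];
 }
+
+/* Clear sensitive data */
+fio_secure_zero(rk, sizeof(rk));
+fio_secure_zero(htbl, sizeof(htbl));
+fio_secure_zero(j0_bytes, sizeof(j0_bytes));
 return 0;
 }
 
@@ -26874,8 +26923,14 @@ SFUNC int fio_aes256_gcm_dec(void *restrict mac,
 tag = veorq_u8(tag, s);
 uint8_t computed_mac[16];
 vst1q_u8(computed_mac, tag);
-if (!fio_ct_is_eq(computed_mac, mac, 16))
+if (!fio_ct_is_eq(computed_mac, mac, 16)) {
+fio_secure_zero(computed_mac, sizeof(computed_mac));
+fio_secure_zero(rk, sizeof(rk));
+fio_secure_zero(htbl, sizeof(htbl));
+fio_secure_zero(j0_bytes, sizeof(j0_bytes));
 return -1;
+}
+fio_secure_zero(computed_mac, sizeof(computed_mac));
 
 /* Decrypt - process 4 blocks at a time */
 while (len >= 64) {
@@ -26920,6 +26975,10 @@ SFUNC int fio_aes256_gcm_dec(void *restrict mac,
 for (size_t i = 0; i < len; ++i)
 p[i] ^= ks_bytes[i];
 }
+/* Clear sensitive data */
+fio_secure_zero(rk, sizeof(rk));
+fio_secure_zero(htbl, sizeof(htbl));
+fio_secure_zero(j0_bytes, sizeof(j0_bytes));
 return 0;
 }
 
@@ -27450,6 +27509,13 @@ SFUNC void fio_aes128_gcm_enc(void *restrict mac,
 fio_u2buf64_be((uint8_t *)mac + 8, tag[1]);
 for (int i = 0; i < 16; ++i)
 ((uint8_t *)mac)[i] ^= keystream[i];
+/* Clear sensitive data */
+fio_secure_zero(rk, sizeof(rk));
+fio_secure_zero(&htbl, sizeof(htbl));
+fio_secure_zero(j0, sizeof(j0));
+fio_secure_zero(counter, sizeof(counter));
+fio_secure_zero(keystream, sizeof(keystream));
+fio_secure_zero(tag, sizeof(tag));
 }
 
 SFUNC void fio_aes256_gcm_enc(void *restrict mac,
@@ -27515,6 +27581,13 @@ SFUNC void fio_aes256_gcm_enc(void *restrict mac,
 fio_u2buf64_be((uint8_t *)mac + 8, tag[1]);
 for (int i = 0; i < 16; ++i)
 ((uint8_t *)mac)[i] ^= keystream[i];
+/* Clear sensitive data */
+fio_secure_zero(rk, sizeof(rk));
+fio_secure_zero(&htbl, sizeof(htbl));
+fio_secure_zero(j0, sizeof(j0));
+fio_secure_zero(counter, sizeof(counter));
+fio_secure_zero(keystream, sizeof(keystream));
+fio_secure_zero(tag, sizeof(tag));
 }
 
 SFUNC int fio_aes128_gcm_dec(void *restrict mac,
@@ -27560,8 +27633,17 @@ SFUNC int fio_aes128_gcm_dec(void *restrict mac,
 for (int i = 0; i < 16; ++i)
 computed_mac[i] ^= keystream[i];
 
-if (!fio_ct_is_eq(computed_mac, mac, 16))
+if (!fio_ct_is_eq(computed_mac, mac, 16)) {
+fio_secure_zero(computed_mac, sizeof(computed_mac));
+fio_secure_zero(rk, sizeof(rk));
+fio_secure_zero(&htbl, sizeof(htbl));
+fio_secure_zero(j0, sizeof(j0));
+fio_secure_zero(counter, sizeof(counter));
+fio_secure_zero(keystream, sizeof(keystream));
+fio_secure_zero(tag, sizeof(tag));
 return -1;
+}
+fio_secure_zero(computed_mac, sizeof(computed_mac));
 
 FIO_MEMCPY(counter, j0, 16);
 while (len >= 16) {
@@ -27581,6 +27663,13 @@ SFUNC int fio_aes128_gcm_dec(void *restrict mac,
 for (size_t i = 0; i < len; ++i)
 p[i] ^= keystream[i];
 }
+/* Clear sensitive data */
+fio_secure_zero(rk, sizeof(rk));
+fio_secure_zero(&htbl, sizeof(htbl));
+fio_secure_zero(j0, sizeof(j0));
+fio_secure_zero(counter, sizeof(counter));
+fio_secure_zero(keystream, sizeof(keystream));
+fio_secure_zero(tag, sizeof(tag));
 return 0;
 }
 
@@ -27627,8 +27716,17 @@ SFUNC int fio_aes256_gcm_dec(void *restrict mac,
 for (int i = 0; i < 16; ++i)
 computed_mac[i] ^= keystream[i];
 
-if (!fio_ct_is_eq(computed_mac, mac, 16))
+if (!fio_ct_is_eq(computed_mac, mac, 16)) {
+fio_secure_zero(computed_mac, sizeof(computed_mac));
+fio_secure_zero(rk, sizeof(rk));
+fio_secure_zero(&htbl, sizeof(htbl));
+fio_secure_zero(j0, sizeof(j0));
+fio_secure_zero(counter, sizeof(counter));
+fio_secure_zero(keystream, sizeof(keystream));
+fio_secure_zero(tag, sizeof(tag));
 return -1;
+}
+fio_secure_zero(computed_mac, sizeof(computed_mac));
 
 FIO_MEMCPY(counter, j0, 16);
 while (len >= 16) {
@@ -27648,6 +27746,13 @@ SFUNC int fio_aes256_gcm_dec(void *restrict mac,
 for (size_t i = 0; i < len; ++i)
 p[i] ^= keystream[i];
 }
+/* Clear sensitive data */
+fio_secure_zero(rk, sizeof(rk));
+fio_secure_zero(&htbl, sizeof(htbl));
+fio_secure_zero(j0, sizeof(j0));
+fio_secure_zero(counter, sizeof(counter));
+fio_secure_zero(keystream, sizeof(keystream));
+fio_secure_zero(tag, sizeof(tag));
 return 0;
 }
 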
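Review bot: The AES-NI and NEON decrypt paths still return without wiping `ks_bytes`, the tail keystream block XORed into `p` just before the new cleanup (added lines 25912-25915, 26071-26074, 26824-26827 and 26978-26981), while the portable path wipes its `keystream` buffer at the same point. Keystream bytes XORed with the ciphertext give the plaintext, so they belong in the wipe list; `ks_bytes` is declared outside the hunks and appears to be block-scoped, so `fio_secure_zero(ks_bytes, sizeof(ks_bytes));` would have to go before the closing brace of that block. The encrypt hunks begin after their tail handling, so the same gap may exist there and is worth checking, as is the vector local `s` (the encrypted J0 block) if the compiler spills it to the stack. Separately, every decrypt function now carries the wipe list twice, once in the failure branch and once at the normal exit; a single exit (`int r = -1; ... goto cleanup;`) would keep the two lists from drifting apart. The declarations of `rk`, `htbl` and `j0_bytes` are outside the hunks, so this assumes `sizeof` sees arrays there rather than pointers.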