-
Notifications
You must be signed in to change notification settings - Fork 1k
Fix: WolfCrypt Fenrir - 12 fixes #10786
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: master
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -120,6 +120,7 @@ int wc_InitSha256_ex(wc_Sha256* sha, void* heap, int devId) | |
|
|
||
| (void)devId; /* no async for now */ | ||
| XMEMSET(sha, 0, sizeof(wc_Sha256)); | ||
| sha->ctx.cfd = -1; /* Sentinel value matching aes */ | ||
| sha->heap = heap; | ||
|
|
||
| return HashInit((void*)sha, CRYPTO_SHA2_256, NULL, 0); | ||
|
|
@@ -135,20 +136,14 @@ int wc_Sha256Update(wc_Sha256* sha, const byte* in, word32 sz) | |
| #ifdef WOLFSSL_DEVCRYPTO_HASH_KEEP | ||
| /* keep full message to hash at end instead of incremental updates */ | ||
| if (sha->len < sha->used + sz) { | ||
| if (sha->msg == NULL) { | ||
| sha->msg = (byte*)XMALLOC(sha->used + sz, sha->heap, | ||
| DYNAMIC_TYPE_TMP_BUFFER); | ||
| } else { | ||
| byte* pt = (byte*)XREALLOC(sha->msg, sha->used + sz, sha->heap, | ||
| DYNAMIC_TYPE_TMP_BUFFER); | ||
| if (pt == NULL) { | ||
| return MEMORY_E; | ||
| } | ||
| sha->msg = pt; | ||
| } | ||
| if (sha->msg == NULL) { | ||
| byte* pt = (byte*)XREALLOC(sha->msg, sha->used + sz, sha->heap, | ||
| DYNAMIC_TYPE_TMP_BUFFER); | ||
| if (pt == NULL) { | ||
| return MEMORY_E; | ||
| } | ||
|
|
||
| sha->msg = pt; | ||
|
|
||
| sha->len = sha->used + sz; | ||
| } | ||
| XMEMCPY(sha->msg + sha->used, in, sz); | ||
|
|
@@ -173,14 +168,16 @@ int wc_Sha256Final(wc_Sha256* sha, byte* hash) | |
| #ifdef WOLFSSL_DEVCRYPTO_HASH_KEEP | ||
| /* keep full message to hash at end instead of incremental updates */ | ||
| if ((ret = HashUpdate(sha, CRYPTO_SHA2_256, sha->msg, sha->used)) < 0) { | ||
| wc_Sha256Free(sha); | ||
| return ret; | ||
| } | ||
| XFREE(sha->msg, sha->heap, DYNAMIC_TYPE_TMP_BUFFER); | ||
| sha->msg = NULL; | ||
| #endif | ||
| ret = GetDigest(sha, CRYPTO_SHA2_256, hash); | ||
| if (ret != 0) { | ||
| return ret; | ||
| wc_Sha256Free(sha); | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🟢 [Low] Adjacent error path in This if ((ret = HashUpdate(sha, CRYPTO_SHA2_256, sha->msg, sha->used)) < 0) {
return ret; /* session + sha->msg still leaked */
}returns without freeing the kernel session or
Member
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Fixed |
||
| return ret; | ||
| } | ||
|
|
||
| wc_Sha256Free(sha); | ||
|
|
@@ -198,9 +195,15 @@ int wc_Sha256GetHash(wc_Sha256* sha, byte* hash) | |
| { | ||
| int ret; | ||
| wc_Sha256 cpy; | ||
| wc_Sha256Copy(sha, &cpy); | ||
|
|
||
| if ((ret = HashUpdate(&cpy, CRYPTO_SHA2_256, cpy.msg, cpy.used)) == 0) { | ||
| XMEMSET(&cpy, 0, sizeof(cpy)); /* ZII */ | ||
| /* mark as having no /dev/crypto session yet so the wc_Sha256Free() | ||
| * in wc_Sha256Copy() does not close fd 0 (cfd == -1 is the | ||
| * "no session" sentinel, matching wc_AesInit()) */ | ||
| cpy.ctx.cfd = -1; | ||
| ret = wc_Sha256Copy(sha, &cpy); | ||
|
|
||
| if (ret == 0 && | ||
| (ret = HashUpdate(&cpy, CRYPTO_SHA2_256, cpy.msg, cpy.used)) == 0) { | ||
| /* help static analysis tools out */ | ||
| XMEMSET(hash, 0, WC_SHA256_DIGEST_SIZE); | ||
| ret = GetDigest(&cpy, CRYPTO_SHA2_256, hash); | ||
|
|
@@ -219,22 +222,36 @@ int wc_Sha256GetHash(wc_Sha256* sha, byte* hash) | |
|
|
||
| int wc_Sha256Copy(wc_Sha256* src, wc_Sha256* dst) | ||
| { | ||
| int ret = 0; | ||
|
|
||
| if (src == NULL || dst == NULL) { | ||
| return BAD_FUNC_ARG; | ||
| } | ||
|
|
||
| wc_InitSha256_ex(dst, src->heap, 0); | ||
| #ifdef WOLFSSL_DEVCRYPTO_HASH_KEEP | ||
| /* Sha256Free checks that ctx.cfd is >= 0*/ | ||
| wc_Sha256Free(dst); | ||
| if ((ret = wc_InitSha256_ex(dst, src->heap, 0)) != 0) { | ||
| return ret; | ||
| } | ||
| dst->len = src->len; | ||
| dst->used = src->used; | ||
| dst->msg = (byte*)XMALLOC(src->len, dst->heap, DYNAMIC_TYPE_TMP_BUFFER); | ||
|
Frauschi marked this conversation as resolved.
|
||
| if (dst->msg == NULL) { | ||
| wc_Sha256Free(dst); | ||
| return MEMORY_E; | ||
| } | ||
| XMEMCPY(dst->msg, src->msg, src->len); | ||
| #endif | ||
|
|
||
| return 0; | ||
| return ret; | ||
| #else | ||
| (void)src; | ||
| (void)dst; | ||
| (void)ret; | ||
|
|
||
| WOLFSSL_MSG("Compile with WOLFSSL_DEVCRYPTO_HASH_KEEP for this feature"); | ||
| return NOT_COMPILED_IN; | ||
| #endif | ||
| } | ||
|
|
||
| #endif /* !NO_SHA256 */ | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🟡 [Med] Incomplete fix — the sibling
wc_fspsm_AesGcmDecryptstill leaks the HW lockThis added
wc_fspsm_hw_unlock()correctly closes finding 5418 here inwc_fspsm_AesGcmEncrypt, but the structurally identical alloc-failure branch inwc_fspsm_AesGcmDecrypt(line ~645) still does a barereturn MEMORY_E;afterwc_fspsm_hw_lock()succeeded — so it returns with the hardware lock held, which is the same leak/deadlock this PR is meant to eliminate.Please apply the same
wc_fspsm_hw_unlock()before thereturn MEMORY_E;in the Decrypt path.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed! I also checked the rest of the port directory for similar issues and one other missed unlock in renesas_tsip_util.c : 2462