Fixes for protecting buffers containing sensitive data

For OpenSSL BIGNUMs containing sensitive private key material, use
BN_secure_new() to allocate the BIGNUM on OpenSSLs secure heap. Also
clean any buffers that might contain sensitive data before freeing them.

Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>

Author: jschmidb

src/ica_api.c

@@ -1182,62 +1182,76 @@ unsigned int ica_rsa_mod_expo(ica_adapter_handle_t adapter_handle,
 unsigned int ica_rsa_crt_key_check(ica_rsa_key_crt_t *rsa_key)
 {
 	int pq_comp;
-	int keyfmt = 1;
 	BIGNUM *bn_p;
 	BIGNUM *bn_q;
 	BIGNUM *bn_invq;
 	BN_CTX *ctx;
 	unsigned char *tmp_buf = NULL;
+	unsigned int rc;
 
 #ifdef ICA_FIPS
 	if (fips >> 1)
 		return EACCES;
 #endif /* ICA_FIPS */
 
 	/* check if p > q  */
-	pq_comp = memcmp( (rsa_key->p + 8), (rsa_key->q), rsa_key->key_length/2);
-	if (pq_comp < 0) /* unprivileged key format */
-		keyfmt = 0;
-
-	if (!keyfmt) {
-		/* swap p and q */
-		tmp_buf = calloc(1, rsa_key->key_length/2);
-		if (!tmp_buf)
-			return ENOMEM;
-		memcpy(tmp_buf, rsa_key->p + 8, rsa_key->key_length/2);
-		memcpy(rsa_key->p + 8, rsa_key->q, rsa_key->key_length/2);
-		memcpy(rsa_key->q, tmp_buf, rsa_key->key_length/2);
-
-		/* swap dp and dq */
-		memcpy(tmp_buf, rsa_key->dp + 8, rsa_key->key_length/2);
-		memcpy(rsa_key->dp + 8, rsa_key->dq, rsa_key->key_length/2);
-		memcpy(rsa_key->dq, tmp_buf, rsa_key->key_length/2);
-
-		/* calculate new qInv */
-		bn_p = BN_new();
-		bn_q = BN_new();
-		bn_invq = BN_new();
-		ctx = BN_CTX_new();
-
-		BN_bin2bn(rsa_key->p, rsa_key->key_length/2+8, bn_p);
-		BN_bin2bn(rsa_key->q, rsa_key->key_length/2, bn_q);
-
-		/* qInv = (1/q) mod p */
-		BN_mod_inverse(bn_invq, bn_q, bn_p, ctx);
-		memset(tmp_buf, 0, rsa_key->key_length/2);
-		BN_bn2binpad(bn_invq, tmp_buf, rsa_key->key_length/2);
-		memcpy(rsa_key->qInverse + 8, tmp_buf, rsa_key->key_length/2);
-
-		free(tmp_buf);
-
-		BN_CTX_free(ctx);
-		BN_clear_free(bn_p);
-		BN_clear_free(bn_q);
-		BN_clear_free(bn_invq);
-
-		return 1;
+	pq_comp = memcmp( (rsa_key->p + 8), (rsa_key->q), rsa_key->key_length / 2);
+	if (pq_comp >= 0) /* privileged key format, p and q ok */
+		return 0;
+
+	/* unprivileged key format: swap p and q */
+	tmp_buf = calloc(1, rsa_key->key_length / 2);
+	if (!tmp_buf)
+		return ENOMEM;
+
+	bn_p = BN_secure_new();
+	bn_q = BN_secure_new();
+	bn_invq = BN_secure_new();
+	ctx = BN_CTX_new();
+	if (!bn_p || !bn_q || !bn_invq || !ctx) {
+		rc = ENOMEM;
+		goto done;
 	}
-	return 0;
+
+	/* swap p and q */
+	memcpy(tmp_buf, rsa_key->p + 8, rsa_key->key_length / 2);
+	memcpy(rsa_key->p + 8, rsa_key->q, rsa_key->key_length / 2);
+	memcpy(rsa_key->q, tmp_buf, rsa_key->key_length / 2);
+
+	/* swap dp and dq */
+	memcpy(tmp_buf, rsa_key->dp + 8, rsa_key->key_length / 2);
+	memcpy(rsa_key->dp + 8, rsa_key->dq, rsa_key->key_length / 2);
+	memcpy(rsa_key->dq, tmp_buf, rsa_key->key_length / 2);
+
+	if (BN_bin2bn(rsa_key->p, rsa_key->key_length / 2 + 8, bn_p) == NULL ||
+		BN_bin2bn(rsa_key->q, rsa_key->key_length / 2, bn_q) == NULL) {
+		rc = EFAULT;
+		goto done;
+	}
+
+	/* qInv = (1/q) mod p */
+	if (BN_mod_inverse(bn_invq, bn_q, bn_p, ctx) == NULL) {
+		rc = EFAULT;
+		goto done;
+	}
+	memset(tmp_buf, 0, rsa_key->key_length / 2);
+	if (BN_bn2binpad(bn_invq, tmp_buf, rsa_key->key_length / 2) <= 0) {
+		rc = EFAULT;
+		goto done;
+	}
+	memcpy(rsa_key->qInverse + 8, tmp_buf, rsa_key->key_length / 2);
+
+	rc = 1;
+
+done:
+	OPENSSL_cleanse(tmp_buf, rsa_key->key_length / 2);
+	free(tmp_buf);
+	BN_CTX_free(ctx);
+	BN_clear_free(bn_p);
+	BN_clear_free(bn_q);
+	BN_clear_free(bn_invq);
+
+	return rc;
 }
 
 unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle,
@@ -1273,7 +1287,9 @@ unsigned int ica_rsa_crt(ica_adapter_handle_t adapter_handle,
 	rb.outputdata = output_data;
 	rb.outputdatalength = rsa_key->key_length;
 
-	ica_rsa_crt_key_check(rsa_key);
+	rc = ica_rsa_crt_key_check(rsa_key);
+	if (rc > 1)
+		return rc;
 
 	rb.np_prime = rsa_key->p;
 	rb.nq_prime = rsa_key->q;

src/s390_ecc.c

@@ -169,10 +169,11 @@ static EVP_PKEY *make_pkey(int nid, const unsigned char *p, size_t plen)
 		goto err;
 	}
 
-	bn_priv = BN_bin2bn(p, plen, NULL);
-	if (bn_priv == NULL) {
+	bn_priv = BN_secure_new();
+	if (bn_priv == NULL)
+		goto err;
+	if (BN_bin2bn(p, plen, bn_priv) == NULL)
 		goto err;
-	}
 
 	if (!EC_POINT_mul(group, point, bn_priv, NULL, NULL, NULL)) {
 		goto err;
@@ -235,7 +236,7 @@ static EVP_PKEY *make_pkey(int nid, const unsigned char *p, size_t plen)
 err:
 	EC_POINT_free(point);
 	EC_GROUP_free(group);
-	BN_free(bn_priv);
+	BN_clear_free(bn_priv);
 
 #if !OPENSSL_VERSION_PREREQ(3, 0)
 	// because we use EVP_PKEY_set1_EC_KEY above, free the ec_key here.
@@ -1268,7 +1269,11 @@ static unsigned int provide_pubkey(const ICA_EC_KEY *privkey, unsigned char *X,
 	}
 
 	/* Get (D) as BIGNUM */
-	if ((bn_d = BN_bin2bn(privkey->D, privlen, NULL)) == NULL) {
+	bn_d = BN_secure_new();
+	if (bn_d == NULL)
+		return ENOMEM;
+	if (BN_bin2bn(privkey->D, privlen, bn_d) == NULL) {
+		BN_clear_free(bn_d);
 		return EFAULT;
 	}
 
@@ -1716,7 +1721,7 @@ struct {				\
 #undef DEF_PARAM
 
 	unsigned long fc;
-	size_t off, counter = 0;
+	size_t off;
 	int rc;
 
 	memset(&param, 0, sizeof(param));
@@ -1743,6 +1748,7 @@ struct {				\
 		if (k == NULL) {
 #ifdef ICA_FIPS
 			if (fips & ICA_FIPS_MODE) {
+				size_t counter = 0;
 				fc |= 0x80; /* deterministic signature */
 				do {
 					/* If the random number is not invertible, s390_kdsa will
@@ -1802,6 +1808,7 @@ struct {				\
 		if (k == NULL) {
 #ifdef ICA_FIPS
 			if (fips & ICA_FIPS_MODE) {
+				size_t counter = 0;
 				fc |= 0x80; /* deterministic signature */
 				do {
 					if (RAND_bytes(param.P384.rand + off, sizeof(param.P384.rand) - off) != 1) {
@@ -1855,6 +1862,7 @@ struct {				\
 		if (k == NULL) {
 #ifdef ICA_FIPS
 			if (fips & ICA_FIPS_MODE) {
+				size_t counter = 0;
 				fc |= 0x80; /* deterministic signature */
 				do {
 					if (RAND_bytes(param.P521.rand + off, sizeof(param.P521.rand) - off) != 1) {
@@ -2268,7 +2276,7 @@ static int eckeygen_cpacf(ICA_EC_KEY *key)
 	int rv, numbytes;
 
 	ctx = BN_CTX_new();
-	priv = BN_new();
+	priv = BN_secure_new();
 	ord = BN_new();
 
 	if (ctx == NULL || priv == NULL || ord == NULL) {
@@ -2321,7 +2329,7 @@ static int eckeygen_cpacf(ICA_EC_KEY *key)
 		if (ctx != NULL)
 			BN_CTX_free(ctx);
 		if (priv != NULL)
-			BN_free(priv);
+			BN_clear_free(priv);
 		if (ord != NULL)
 			BN_free(ord);
 
@@ -2541,15 +2549,21 @@ unsigned int eckeygen_sw(ICA_EC_KEY *key)
 EVP_PKEY *icakey2pkey(const ICA_EC_KEY *icakey, int *is_public_key)
 {
 	EVP_PKEY *pkey = NULL;
-	BIGNUM *bn_D, *bn_X, *bn_Y;
+	BIGNUM *bn_D, *bn_X = NULL, *bn_Y = NULL;
 
 	if (icakey == NULL)
 		return NULL;
 
 	/* Check if any key parts available */
-	bn_D = BN_bin2bn(icakey->D, privlen_from_nid(icakey->nid), NULL);
+	bn_D = BN_secure_new();
+	if (bn_D == NULL)
+		return NULL;
+	if (BN_bin2bn(icakey->D, privlen_from_nid(icakey->nid), bn_D) == NULL)
+		goto done;
 	bn_X = BN_bin2bn(icakey->X, privlen_from_nid(icakey->nid), NULL);
 	bn_Y = BN_bin2bn(icakey->Y, privlen_from_nid(icakey->nid), NULL);
+	if (!bn_X || !bn_Y)
+		goto done;
 	if (BN_is_zero(bn_D) && BN_is_zero(bn_X) && BN_is_zero(bn_Y))
 		goto done;
 
@@ -2567,7 +2581,7 @@ EVP_PKEY *icakey2pkey(const ICA_EC_KEY *icakey, int *is_public_key)
 done:
 	BN_free(bn_X);
 	BN_free(bn_Y);
-	BN_free(bn_D);
+	BN_clear_free(bn_D);
 	return pkey;
 }
 

src/s390_rsa.c

@@ -232,6 +232,13 @@ unsigned int rsa_key_generate_mod_expo(ica_adapter_handle_t deviceHandle,
 		goto err;
 	}
 
+	n = BN_secure_new();
+	d = BN_secure_new();
+	if (!n || !d) {
+		rc = ENOMEM;
+		goto err;
+	}
+
 	if (!EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_N, &n) ||
 		!EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_D, &d)) {
 		rc = EFAULT;
@@ -270,8 +277,8 @@ unsigned int rsa_key_generate_mod_expo(ica_adapter_handle_t deviceHandle,
 #if !OPENSSL_VERSION_PREREQ(3, 0)
 	RSA_free(rsa);
 #else
-	BN_free(n);
-	BN_free(d);
+	BN_clear_free(n);
+	BN_clear_free(d);
 	EVP_PKEY_free(pkey);
 #endif
 
@@ -337,6 +344,17 @@ unsigned int rsa_key_generate_crt(ica_adapter_handle_t deviceHandle,
 		goto err;
 	}
 
+	n = BN_secure_new();
+	p = BN_secure_new();
+	q = BN_secure_new();
+	dmp1 = BN_secure_new();
+	dmq1 = BN_secure_new();
+	iqmp = BN_secure_new();
+	if (!n || !p || !q || !dmp1 || !dmq1 || !iqmp) {
+		rc = ENOMEM;
+		goto err;
+	}
+
 	if (!EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_N, &n) ||
 		!EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &p) ||
 		!EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &q) ||
@@ -425,12 +443,12 @@ unsigned int rsa_key_generate_crt(ica_adapter_handle_t deviceHandle,
 #if !OPENSSL_VERSION_PREREQ(3, 0)
 	RSA_free(rsa);
 #else
-	BN_free(n);
-	BN_free(p);
-	BN_free(q);
-	BN_free(dmp1);
-	BN_free(dmq1);
-	BN_free(iqmp);
+	BN_clear_free(n);
+	BN_clear_free(p);
+	BN_clear_free(q);
+	BN_clear_free(dmp1);
+	BN_clear_free(dmq1);
+	BN_clear_free(iqmp);
 	EVP_PKEY_free(pkey);
 #endif
 

test/rsa_key_check_test.c

@@ -41,7 +41,7 @@ int main(int argc, char **argv)
 
 		gettimeofday(&start, NULL);
 		rc = ica_rsa_crt_key_check(&crt_key);
-		if(rc){
+		if (rc > 1) {
 			V_(printf("ica_rsa_crt_key_check failed!\n"));
 		}