Merge remote-tracking branch 'restricted/pr/669' into mbedtls-2.16-restricted

* restricted/pr/669: Zeroize local AES variables before exiting the function
2026-01-01 20:25:28 +01:00 · 2019-11-12 10:43:57 +00:00 · 2019-11-12 10:43:57 +00:00 · baf23000e1
commit baf23000e1
parent 3f1c68a1e2 f18de50b49
2 changed files with 32 additions and 0 deletions
--- a/8
+++ b/8
@ -8,6 +8,14 @@ Security
     blinded value, factor it (as it is smaller than RSA keys and not guaranteed
     to have only large prime factors), and then, by brute force, recover the
     key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
+   * Zeroize local variables in mbedtls_internal_aes_encrypt() and
+     mbedtls_internal_aes_decrypt() before exiting the function. The value of
+     these variables can be used to recover the last round key. To follow best
+     practice and to limit the impact of buffer overread vulnerabilities (like
+     Heartbleed) we need to zeroize them before exiting the function.
+     Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
+     Grant Hernandez, and Kevin Butler (University of Florida) and
+     Dave Tian (Purdue University).

 Bugfix
   * Remove redundant line for getting the bitlen of a bignum, since the variable