More forceful clearing of stack memory with keys

gcc 8.3.0 was apparently clever enough to optimize away the previously
used os_memset() to explicitly clear a stack buffer that contains keys
when that clearing happened just before returning from the function.
Since memset_s() is not exactly portable (or commonly available yet..),
use a less robust mechanism that is still pretty likely to prevent
current compilers from optimizing the explicit clearing of the memory
away.

Signed-off-by: Jouni Malinen <j@w1.fi>

src/crypto/sha1-internal.c

@@ -224,7 +224,7 @@ void SHA1Transform(u32 state[5], const unsigned char buffer[64])
 	/* Wipe variables */
 	a = b = c = d = e = 0;
 #ifdef SHA1HANDSOFF
-	os_memset(block, 0, 64);
+	forced_memzero(block, 64);
 #endif
 }
 
@@ -300,7 +300,7 @@ void SHA1Final(unsigned char digest[20], SHA1_CTX* context)
 	os_memset(context->buffer, 0, 64);
 	os_memset(context->state, 0, 20);
 	os_memset(context->count, 0, 8);
-	os_memset(finalcount, 0, 8);
+	forced_memzero(finalcount, sizeof(finalcount));
 }
 
 /* ===== end - public domain SHA1 implementation ===== */

src/crypto/sha1-prf.c

@@ -61,7 +61,7 @@ int sha1_prf(const u8 *key, size_t key_len, const char *label,
 		}
 		counter++;
 	}
-	os_memset(hash, 0, sizeof(hash));
+	forced_memzero(hash, sizeof(hash));
 
 	return 0;
 }

src/crypto/sha1-tlsprf.c

@@ -92,10 +92,10 @@ int tls_prf_sha1_md5(const u8 *secret, size_t secret_len, const char *label,
 		SHA1_pos++;
 	}
 
-	os_memset(A_MD5, 0, MD5_MAC_LEN);
-	os_memset(P_MD5, 0, MD5_MAC_LEN);
-	os_memset(A_SHA1, 0, SHA1_MAC_LEN);
-	os_memset(P_SHA1, 0, SHA1_MAC_LEN);
+	forced_memzero(A_MD5, MD5_MAC_LEN);
+	forced_memzero(P_MD5, MD5_MAC_LEN);
+	forced_memzero(A_SHA1, SHA1_MAC_LEN);
+	forced_memzero(P_SHA1, SHA1_MAC_LEN);
 
 	return 0;
 }

src/crypto/sha1-tprf.c

@@ -66,7 +66,7 @@ int sha1_t_prf(const u8 *key, size_t key_len, const char *label,
 		len[0] = SHA1_MAC_LEN;
 	}
 
-	os_memset(hash, 0, SHA1_MAC_LEN);
+	forced_memzero(hash, SHA1_MAC_LEN);
 
 	return 0;
 }

src/crypto/sha1.c

@@ -86,7 +86,8 @@ int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem,
 	_addr[1] = mac;
 	_len[1] = SHA1_MAC_LEN;
 	ret = sha1_vector(2, _addr, _len, mac);
-	os_memset(k_pad, 0, sizeof(k_pad));
+	forced_memzero(k_pad, sizeof(k_pad));
+	forced_memzero(tk, sizeof(tk));
 	return ret;
 }
 

src/crypto/sha256-kdf.c

@@ -69,7 +69,7 @@ int hmac_sha256_kdf(const u8 *secret, size_t secret_len,
 
 		if (iter == 255) {
 			os_memset(out, 0, outlen);
-			os_memset(T, 0, SHA256_MAC_LEN);
+			forced_memzero(T, SHA256_MAC_LEN);
 			return -1;
 		}
 		iter++;
@@ -77,11 +77,11 @@ int hmac_sha256_kdf(const u8 *secret, size_t secret_len,
 		if (hmac_sha256_vector(secret, secret_len, 4, addr, len, T) < 0)
 		{
 			os_memset(out, 0, outlen);
-			os_memset(T, 0, SHA256_MAC_LEN);
+			forced_memzero(T, SHA256_MAC_LEN);
 			return -1;
 		}
 	}
 
-	os_memset(T, 0, SHA256_MAC_LEN);
+	forced_memzero(T, SHA256_MAC_LEN);
 	return 0;
 }

src/crypto/sha256-prf.c

@@ -102,7 +102,7 @@ int sha256_prf_bits(const u8 *key, size_t key_len, const char *label,
 		buf[pos - 1] &= mask;
 	}
 
-	os_memset(hash, 0, sizeof(hash));
+	forced_memzero(hash, sizeof(hash));
 
 	return 0;
 }

src/crypto/sha384-kdf.c

@@ -69,7 +69,7 @@ int hmac_sha384_kdf(const u8 *secret, size_t secret_len,
 
 		if (iter == 255) {
 			os_memset(out, 0, outlen);
-			os_memset(T, 0, SHA384_MAC_LEN);
+			forced_memzero(T, SHA384_MAC_LEN);
 			return -1;
 		}
 		iter++;
@@ -77,11 +77,11 @@ int hmac_sha384_kdf(const u8 *secret, size_t secret_len,
 		if (hmac_sha384_vector(secret, secret_len, 4, addr, len, T) < 0)
 		{
 			os_memset(out, 0, outlen);
-			os_memset(T, 0, SHA384_MAC_LEN);
+			forced_memzero(T, SHA384_MAC_LEN);
 			return -1;
 		}
 	}
 
-	os_memset(T, 0, SHA384_MAC_LEN);
+	forced_memzero(T, SHA384_MAC_LEN);
 	return 0;
 }

src/crypto/sha384-prf.c

@@ -102,7 +102,7 @@ int sha384_prf_bits(const u8 *key, size_t key_len, const char *label,
 		buf[pos - 1] &= mask;
 	}
 
-	os_memset(hash, 0, sizeof(hash));
+	forced_memzero(hash, sizeof(hash));
 
 	return 0;
 }

src/crypto/sha512-kdf.c

@@ -69,7 +69,7 @@ int hmac_sha512_kdf(const u8 *secret, size_t secret_len,
 
 		if (iter == 255) {
 			os_memset(out, 0, outlen);
-			os_memset(T, 0, SHA512_MAC_LEN);
+			forced_memzero(T, SHA512_MAC_LEN);
 			return -1;
 		}
 		iter++;
@@ -77,11 +77,11 @@ int hmac_sha512_kdf(const u8 *secret, size_t secret_len,
 		if (hmac_sha512_vector(secret, secret_len, 4, addr, len, T) < 0)
 		{
 			os_memset(out, 0, outlen);
-			os_memset(T, 0, SHA512_MAC_LEN);
+			forced_memzero(T, SHA512_MAC_LEN);
 			return -1;
 		}
 	}
 
-	os_memset(T, 0, SHA512_MAC_LEN);
+	forced_memzero(T, SHA512_MAC_LEN);
 	return 0;
 }

src/crypto/sha512-prf.c

@@ -102,7 +102,7 @@ int sha512_prf_bits(const u8 *key, size_t key_len, const char *label,
 		buf[pos - 1] &= mask;
 	}
 
-	os_memset(hash, 0, sizeof(hash));
+	forced_memzero(hash, sizeof(hash));
 
 	return 0;
 }

src/crypto/tls_openssl.c

@@ -3999,7 +3999,7 @@ int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
 				    _out, skip + out_len) == 0) {
 		ret = 0;
 	}
-	os_memset(master_key, 0, sizeof(master_key));
+	forced_memzero(master_key, sizeof(master_key));
 	os_free(rnd);
 	if (ret == 0)
 		os_memcpy(out, _out + skip, out_len);

src/crypto/tls_wolfssl.c

@@ -2044,7 +2044,7 @@ int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
 				       _out, skip + out_len);
 	}
 
-	os_memset(master_key, 0, master_key_len);
+	forced_memzero(master_key, master_key_len);
 	if (ret == 0)
 		os_memcpy(out, _out + skip, out_len);
 	bin_clear_free(tmp_out, skip + out_len);