authorNikos Mavrogiannopoulos <nmav@redhat.com>2013-11-13 14:16:34 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2013-11-27 11:41:43 +0100
commitd4add8fb8207beb6c5d328ab706417b9b9611781 (patch)
tree066d9fce1d1b766ba0b9438a07dbfbac0d1b651a
parent6f091f48c5209a14a3115d17ec590178b3aef78d (diff)
downloadgnutls-d4add8fb8207beb6c5d328ab706417b9b9611781.tar.gz
zeroize also ASN.1 structures that hold keys.
-rw-r--r--lib/x509/key_decode.c1
-rw-r--r--lib/x509/key_encode.c9
-rw-r--r--lib/x509/privkey.c10
-rw-r--r--lib/x509/privkey_pkcs8.c62
4 files changed, 32 insertions, 50 deletions
diff --git a/lib/x509/key_decode.c b/lib/x509/key_decode.c
index 0a5e753eb8..d14e44e252 100644
--- a/lib/x509/key_decode.c
+++ b/lib/x509/key_decode.c
@@ -1,5 +1,6 @@
/*
* Copyright (C) 2011-2012 Free Software Foundation, Inc.
+ * Copyright (C) 2013 Red Hat
*
* Author: Nikos Mavrogiannopoulos
*
diff --git a/lib/x509/key_encode.c b/lib/x509/key_encode.c
index bbc766fd72..388e57776a 100644
--- a/lib/x509/key_encode.c
+++ b/lib/x509/key_encode.c
@@ -1,5 +1,6 @@
/*
* Copyright (C) 2011-2012 Free Software Foundation, Inc.
+ * Copyright (C) 2013 Red Hat
*
* Author: Nikos Mavrogiannopoulos
*
@@ -465,7 +466,7 @@ _gnutls_asn1_encode_rsa(ASN1_TYPE * c2, gnutls_pk_params_st * params)
cleanup:
if (ret < 0)
- asn1_delete_structure(c2);
+ asn1_delete_structure2(c2, ASN1_DELETE_FLAG_ZEROIZE);
gnutls_pk_params_clear(&pk_params);
gnutls_pk_params_release(&pk_params);
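Review bot: Every call site changed in this commit, starting with this one, now depends on `asn1_delete_structure2` and `ASN1_DELETE_FLAG_ZEROIZE`, yet the diffstat lists only the four files under lib/x509. If the minimum libtasn1 requirement (or any bundled copy) was not raised in an earlier commit, builds against a libtasn1 without this function will fail at these calls; a configure-time check would make the dependency explicit. In this hunk the structure is wiped only when `ret < 0`, so a short comment such as `/* on success the caller owns *c2 and is responsible for zeroizing it */` would document who clears the key material on the success path. The body of _gnutls_asn1_encode_rsa lies mostly outside the hunk.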
@@ -554,8 +555,8 @@ _gnutls_asn1_encode_ecc(ASN1_TYPE * c2, gnutls_pk_params_st * params)
_gnutls_free_datum(&pubkey);
return 0;
- cleanup:
- asn1_delete_structure(c2);
+cleanup:
+ asn1_delete_structure2(c2, ASN1_DELETE_FLAG_ZEROIZE);
_gnutls_free_datum(&pubkey);
return ret;
@@ -635,7 +636,7 @@ _gnutls_asn1_encode_dsa(ASN1_TYPE * c2, gnutls_pk_params_st * params)
return 0;
cleanup:
- asn1_delete_structure(c2);
+ asn1_delete_structure2(c2, ASN1_DELETE_FLAG_ZEROIZE);
return ret;
}
diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c
index 72c5d09158..bf4b77637d 100644
--- a/lib/x509/privkey.c
+++ b/lib/x509/privkey.c
@@ -70,7 +70,7 @@ void gnutls_x509_privkey_deinit(gnutls_x509_privkey_t key)
gnutls_pk_params_clear(&key->params);
gnutls_pk_params_release(&key->params);
- asn1_delete_structure(&key->key);
+ asn1_delete_structure2(&key->key, ASN1_DELETE_FLAG_ZEROIZE);
gnutls_free(key);
}
@@ -222,7 +222,7 @@ _gnutls_privkey_decode_pkcs1_rsa_key(const gnutls_datum_t * raw_key,
return pkey_asn;
error:
- asn1_delete_structure(&pkey_asn);
+ asn1_delete_structure2(&pkey_asn, ASN1_DELETE_FLAG_ZEROIZE);
gnutls_pk_params_clear(&pkey->params);
gnutls_pk_params_release(&pkey->params);
return NULL;
@@ -324,7 +324,7 @@ _gnutls_privkey_decode_ecc_key(const gnutls_datum_t * raw_key,
return pkey_asn;
error:
- asn1_delete_structure(&pkey_asn);
+ asn1_delete_structure2(&pkey_asn, ASN1_DELETE_FLAG_ZEROIZE);
gnutls_pk_params_clear(&pkey->params);
gnutls_pk_params_release(&pkey->params);
return NULL;
@@ -399,7 +399,7 @@ decode_dsa_key(const gnutls_datum_t * raw_key, gnutls_x509_privkey_t pkey)
return dsa_asn;
error:
- asn1_delete_structure(&dsa_asn);
+ asn1_delete_structure2(&dsa_asn, ASN1_DELETE_FLAG_ZEROIZE);
gnutls_pk_params_clear(&pkey->params);
gnutls_pk_params_release(&pkey->params);
return NULL;
@@ -1776,7 +1776,7 @@ int gnutls_x509_privkey_fix(gnutls_x509_privkey_t key)
return GNUTLS_E_INVALID_REQUEST;
}
- asn1_delete_structure(&key->key);
+ asn1_delete_structure2(&key->key, ASN1_DELETE_FLAG_ZEROIZE);
ret =
_gnutls_asn1_encode_privkey(key->pk_algorithm, &key->key,
diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c
index da0b94e25d..8dc04f7b7d 100644
--- a/lib/x509/privkey_pkcs8.c
+++ b/lib/x509/privkey_pkcs8.c
@@ -127,8 +127,6 @@ static int check_schema(const char *oid)
inline static int
_encode_privkey(gnutls_x509_privkey_t pkey, gnutls_datum_t * raw)
{
- size_t size = 0;
- uint8_t *data = NULL;
int ret;
ASN1_TYPE spk = ASN1_TYPE_EMPTY;
@@ -136,31 +134,13 @@ _encode_privkey(gnutls_x509_privkey_t pkey, gnutls_datum_t * raw)
case GNUTLS_PK_RSA:
case GNUTLS_PK_EC:
ret =
- gnutls_x509_privkey_export(pkey, GNUTLS_X509_FMT_DER,
- NULL, &size);
- if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) {
- gnutls_assert();
- goto error;
- }
-
- data = gnutls_malloc(size);
- if (data == NULL) {
- gnutls_assert();
- ret = GNUTLS_E_MEMORY_ERROR;
- goto error;
- }
-
-
- ret =
- gnutls_x509_privkey_export(pkey, GNUTLS_X509_FMT_DER,
- data, &size);
+ gnutls_x509_privkey_export2(pkey, GNUTLS_X509_FMT_DER,
+ raw);
if (ret < 0) {
gnutls_assert();
goto error;
}
- raw->data = data;
- raw->size = size;
break;
case GNUTLS_PK_DSA:
/* DSAPublicKey == INTEGER */
@@ -185,7 +165,7 @@ _encode_privkey(gnutls_x509_privkey_t pkey, gnutls_datum_t * raw)
goto error;
}
- asn1_delete_structure(&spk);
+ asn1_delete_structure2(&spk, ASN1_DELETE_FLAG_ZEROIZE);
break;
default:
@@ -196,7 +176,7 @@ _encode_privkey(gnutls_x509_privkey_t pkey, gnutls_datum_t * raw)
return 0;
error:
- gnutls_free(data);
+ asn1_delete_structure2(&spk, ASN1_DELETE_FLAG_ZEROIZE);
asn1_delete_structure(&spk);
return ret;
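Review bot: The `error:` path now deletes `spk` twice, because the added `asn1_delete_structure2(&spk, ASN1_DELETE_FLAG_ZEROIZE);` is followed by the old `asn1_delete_structure(&spk);`, which was left in place as context. The second call is presumably harmless if libtasn1 resets the handle after the first delete, but it is redundant and reads like an unfinished replacement. Drop the leftover line so the label holds only the zeroizing delete before `return ret;`. _encode_privkey starts above this hunk.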
@@ -330,7 +310,7 @@ encode_to_private_key_info(gnutls_x509_privkey_t pkey,
return 0;
error:
- asn1_delete_structure(pkey_info);
+ asn1_delete_structure2(pkey_info, ASN1_DELETE_FLAG_ZEROIZE);
_gnutls_free_datum(&algo_params);
_gnutls_free_key_datum(&algo_privkey);
return result;
@@ -537,7 +517,7 @@ encode_to_pkcs8_key(schema_id schema, const gnutls_datum_t * der_key,
error:
_gnutls_free_key_datum(&key);
_gnutls_free_datum(&tmp);
- asn1_delete_structure(&pkcs8_asn);
+ asn1_delete_structure2(&pkcs8_asn, ASN1_DELETE_FLAG_ZEROIZE);
return result;
}
@@ -609,14 +589,14 @@ gnutls_x509_privkey_export_pkcs8(gnutls_x509_privkey_t key,
PEM_UNENCRYPTED_PKCS8,
output_data, output_data_size);
- asn1_delete_structure(&pkey_info);
+ asn1_delete_structure2(&pkey_info, ASN1_DELETE_FLAG_ZEROIZE);
} else {
- asn1_delete_structure(&pkey_info); /* we don't need it */
+ asn1_delete_structure2(&pkey_info, ASN1_DELETE_FLAG_ZEROIZE); /* we don't need it */
ret =
encode_to_pkcs8_key(schema, &tmp, password,
&pkcs8_asn);
- _gnutls_free_datum(&tmp);
+ _gnutls_free_key_datum(&tmp);
if (ret < 0) {
gnutls_assert();
@@ -627,7 +607,7 @@ gnutls_x509_privkey_export_pkcs8(gnutls_x509_privkey_t key,
_gnutls_x509_export_int(pkcs8_asn, format, PEM_PKCS8,
output_data, output_data_size);
- asn1_delete_structure(&pkcs8_asn);
+ asn1_delete_structure2(&pkcs8_asn, ASN1_DELETE_FLAG_ZEROIZE);
}
return ret;
@@ -695,9 +675,9 @@ gnutls_x509_privkey_export2_pkcs8(gnutls_x509_privkey_t key,
_gnutls_x509_export_int2(pkey_info, format,
PEM_UNENCRYPTED_PKCS8, out);
- asn1_delete_structure(&pkey_info);
+ asn1_delete_structure2(&pkey_info, ASN1_DELETE_FLAG_ZEROIZE);
} else {
- asn1_delete_structure(&pkey_info); /* we don't need it */
+ asn1_delete_structure2(&pkey_info, ASN1_DELETE_FLAG_ZEROIZE); /* we don't need it */
ret =
encode_to_pkcs8_key(schema, &tmp, password,
@@ -713,7 +693,7 @@ gnutls_x509_privkey_export2_pkcs8(gnutls_x509_privkey_t key,
_gnutls_x509_export_int2(pkcs8_asn, format, PEM_PKCS8,
out);
- asn1_delete_structure(&pkcs8_asn);
+ asn1_delete_structure2(&pkcs8_asn, ASN1_DELETE_FLAG_ZEROIZE);
}
return ret;
@@ -776,7 +756,7 @@ read_pkcs_schema_params(schema_id * schema, const char *password,
goto error;
}
- asn1_delete_structure(&pbes2_asn);
+ asn1_delete_structure2(&pbes2_asn, ASN1_DELETE_FLAG_ZEROIZE);
result = cipher_to_schema(enc_params->cipher);
if (result < 0) {
@@ -997,7 +977,7 @@ decode_pkcs8_key(const gnutls_datum_t * raw_key,
result = 0;
error:
- asn1_delete_structure(&pkcs8_asn);
+ asn1_delete_structure2(&pkcs8_asn, ASN1_DELETE_FLAG_ZEROIZE);
return result;
}
@@ -1198,8 +1178,8 @@ decode_private_key_info(const gnutls_datum_t * der,
result = 0;
- error:
- asn1_delete_structure(&pkcs8_asn);
+error:
+ asn1_delete_structure2(&pkcs8_asn, ASN1_DELETE_FLAG_ZEROIZE);
return result;
@@ -2298,7 +2278,7 @@ _gnutls_pkcs7_decrypt_data(const gnutls_datum_t * data,
goto error;
}
- asn1_delete_structure(&pkcs7_asn);
+ asn1_delete_structure2(&pkcs7_asn, ASN1_DELETE_FLAG_ZEROIZE);
*dec = tmp;
@@ -2306,7 +2286,7 @@ _gnutls_pkcs7_decrypt_data(const gnutls_datum_t * data,
error:
asn1_delete_structure(&pbes2_asn);
- asn1_delete_structure(&pkcs7_asn);
+ asn1_delete_structure(&pkcs7_asn2, ASN1_DELETE_FLAG_ZEROIZE);
return result;
}
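Review bot: The replacement line `asn1_delete_structure(&pkcs7_asn2, ASN1_DELETE_FLAG_ZEROIZE);` has the `2` attached to the variable instead of the function name. No `pkcs7_asn2` appears anywhere else in the diff, and the one-argument `asn1_delete_structure` is being passed two arguments, so this should not compile as written. It should read `asn1_delete_structure2(&pkcs7_asn, ASN1_DELETE_FLAG_ZEROIZE);`, matching the success-path hunk just above. The `asn1_delete_structure(&pbes2_asn);` on the preceding line also stays non-zeroizing, while read_pkcs_schema_params (@@ -776) now wipes its `pbes2_asn`; consider making the two consistent.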
@@ -2425,7 +2405,7 @@ _gnutls_pkcs7_encrypt_data(schema_id schema,
*/
result = _gnutls_x509_der_encode(pkcs7_asn, "", enc, 0);
- asn1_delete_structure(&pkcs7_asn);
+ asn1_delete_structure2(&pkcs7_asn, ASN1_DELETE_FLAG_ZEROIZE);
if (result < 0) {
gnutls_assert();
@@ -2436,6 +2416,6 @@ _gnutls_pkcs7_encrypt_data(schema_id schema,
error:
_gnutls_free_key_datum(&key);
_gnutls_free_datum(&tmp);
- asn1_delete_structure(&pkcs7_asn);
+ asn1_delete_structure2(&pkcs7_asn, ASN1_DELETE_FLAG_ZEROIZE);
return result;
}