diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2013-11-13 11:11:25 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2013-11-27 11:41:43 +0100 |
commit | 08cddacdc42434665c8f085b77391bf73acdc45c (patch) | |
tree | 5919b880d86a1373822fe855f3224c8f11fba25b /lib | |
parent | 4cd22fecf1ff33d64a99d1d2dce4f25e4ae0fc76 (diff) | |
download | gnutls-08cddacdc42434665c8f085b77391bf73acdc45c.tar.gz |
overwrite temp buffers of private keys.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/gnutls_datum.h | 8 | ||||
-rw-r--r-- | lib/gnutls_int.h | 14 | ||||
-rw-r--r-- | lib/gnutls_mem.h | 15 | ||||
-rw-r--r-- | lib/gnutls_mpi.c | 46 | ||||
-rw-r--r-- | lib/x509/key_encode.c | 250 | ||||
-rw-r--r-- | lib/x509/privkey.c | 16 | ||||
-rw-r--r-- | lib/x509/privkey_pkcs8.c | 29 | ||||
-rw-r--r-- | lib/x509/x509_int.h | 6 |
8 files changed, 160 insertions, 224 deletions
diff --git a/lib/gnutls_datum.h b/lib/gnutls_datum.h index 91293e6516..78e86f02a2 100644 --- a/lib/gnutls_datum.h +++ b/lib/gnutls_datum.h @@ -23,6 +23,8 @@ #ifndef GNUTLS_DATUM_H #define GNUTLS_DATUM_H +# include <gnutls_int.h> + int _gnutls_set_datum(gnutls_datum_t * dat, const void *data, size_t data_size); @@ -40,20 +42,16 @@ void _gnutls_free_datum(gnutls_datum_t * dat) dat->size = 0; } -#ifdef ENABLE_FIPS140 inline static void _gnutls_zfree_datum(gnutls_datum_t * dat) { if (dat->data != NULL) { - memset(dat->data, 0, dat->size); + zeroize_key(dat->data, dat->size); gnutls_free(dat->data); } dat->data = NULL; dat->size = 0; } -#else -# define _gnutls_zfree_datum _gnutls_free_datum -#endif #endif diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index af18ace869..21d2fc938b 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -1053,18 +1053,4 @@ inline static size_t max_user_send_size(gnutls_session_t session, return max; } -#define zrelease_mpi_key(mpi) if (*mpi!=NULL) { \ - _gnutls_mpi_clear(*mpi); \ - _gnutls_mpi_release(mpi); \ - } - -#ifdef ENABLE_FIPS140 -# define zeroize_temp_key(x, size) memset(x, 0, size) -# define zrelease_temp_mpi_key zrelease_mpi_key -#else -# define zeroize_temp_key(x, size) -# define zrelease_temp_mpi_key(mpi) _gnutls_mpi_release(mpi) -#endif - - #endif /* GNUTLS_INT_H */ diff --git a/lib/gnutls_mem.h b/lib/gnutls_mem.h index 41fb88d9d0..657d59aa83 100644 --- a/lib/gnutls_mem.h +++ b/lib/gnutls_mem.h @@ -37,4 +37,19 @@ svoid *gnutls_secure_calloc(size_t nmemb, size_t size); void *_gnutls_calloc(size_t nmemb, size_t size); char *_gnutls_strdup(const char *); +#define zrelease_mpi_key(mpi) if (*mpi!=NULL) { \ + _gnutls_mpi_clear(*mpi); \ + _gnutls_mpi_release(mpi); \ + } + +#define zeroize_key(x, size) memset(x, 0, size) + +#ifdef ENABLE_FIPS140 +# define zeroize_temp_key zeroize_key +# define zrelease_temp_mpi_key zrelease_mpi_key +#else +# define zeroize_temp_key(x, size) +# define zrelease_temp_mpi_key(mpi) _gnutls_mpi_release(mpi) +#endif + #endif /* GNUTLS_MEM_H */ diff --git a/lib/gnutls_mpi.c b/lib/gnutls_mpi.c index 1451e76fa8..aad82a0b0d 100644 --- a/lib/gnutls_mpi.c +++ b/lib/gnutls_mpi.c @@ -251,9 +251,9 @@ _gnutls_mpi_dprint_size(const bigint_t a, gnutls_datum_t * dest, * from asn1 structs. Combines the read and mpi_scan * steps. */ -int -_gnutls_x509_read_int(ASN1_TYPE node, const char *value, - bigint_t * ret_mpi) +static int +__gnutls_x509_read_int(ASN1_TYPE node, const char *value, + bigint_t * ret_mpi, int overwrite) { int result; uint8_t *tmpstr = NULL; @@ -280,6 +280,9 @@ _gnutls_x509_read_int(ASN1_TYPE node, const char *value, } result = _gnutls_mpi_scan(ret_mpi, tmpstr, tmpstr_size); + + if (overwrite) + zeroize_key(tmpstr, tmpstr_size); gnutls_free(tmpstr); if (result < 0) { @@ -290,11 +293,25 @@ _gnutls_x509_read_int(ASN1_TYPE node, const char *value, return 0; } +int +_gnutls_x509_read_int(ASN1_TYPE node, const char *value, + bigint_t * ret_mpi) +{ + return __gnutls_x509_read_int(node, value, ret_mpi, 0); +} + +int +_gnutls_x509_read_key_int(ASN1_TYPE node, const char *value, + bigint_t * ret_mpi) +{ + return __gnutls_x509_read_int(node, value, ret_mpi, 1); +} + /* Writes the specified integer into the specified node. */ -int -_gnutls_x509_write_int(ASN1_TYPE node, const char *value, bigint_t mpi, - int lz) +static int +__gnutls_x509_write_int(ASN1_TYPE node, const char *value, bigint_t mpi, + int lz, int overwrite) { uint8_t *tmpstr; size_t s_len; @@ -329,6 +346,9 @@ _gnutls_x509_write_int(ASN1_TYPE node, const char *value, bigint_t mpi, } result = asn1_write_value(node, value, tmpstr, s_len); + + if (overwrite) + zeroize_key(tmpstr, s_len); gnutls_free(tmpstr); @@ -339,3 +359,17 @@ _gnutls_x509_write_int(ASN1_TYPE node, const char *value, bigint_t mpi, return 0; } + +int +_gnutls_x509_write_int(ASN1_TYPE node, const char *value, bigint_t mpi, + int lz) +{ + return __gnutls_x509_write_int(node, value, mpi, lz, 0); +} + +int +_gnutls_x509_write_key_int(ASN1_TYPE node, const char *value, bigint_t mpi, + int lz) +{ + return __gnutls_x509_write_int(node, value, mpi, lz, 1); +} diff --git a/lib/x509/key_encode.c b/lib/x509/key_encode.c index b22c1b860a..bbc766fd72 100644 --- a/lib/x509/key_encode.c +++ b/lib/x509/key_encode.c @@ -343,82 +343,23 @@ _gnutls_x509_write_dsa_pubkey(gnutls_pk_params_st * params, static int _gnutls_asn1_encode_rsa(ASN1_TYPE * c2, gnutls_pk_params_st * params) { - int result; + int result, ret; uint8_t null = '\0'; gnutls_pk_params_st pk_params; - gnutls_datum_t m, e, d, p, q, u, exp1, exp2; + /* we do copy the parameters into a new structure to run _gnutls_pk_fixup, + * i.e., regenerate some parameters in case they were broken */ gnutls_pk_params_init(&pk_params); - memset(&m, 0, sizeof(m)); - memset(&p, 0, sizeof(p)); - memset(&q, 0, sizeof(q)); - memset(&p, 0, sizeof(p)); - memset(&u, 0, sizeof(u)); - memset(&e, 0, sizeof(e)); - memset(&d, 0, sizeof(d)); - memset(&exp1, 0, sizeof(exp1)); - memset(&exp2, 0, sizeof(exp2)); - - result = _gnutls_pk_params_copy(&pk_params, params); - if (result < 0) { + ret = _gnutls_pk_params_copy(&pk_params, params); + if (ret < 0) { gnutls_assert(); - return result; + return ret; } - result = + ret = _gnutls_pk_fixup(GNUTLS_PK_RSA, GNUTLS_EXPORT, &pk_params); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - /* retrieve as data */ - - result = _gnutls_mpi_dprint_lz(pk_params.params[0], &m); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_mpi_dprint_lz(pk_params.params[1], &e); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_mpi_dprint_lz(pk_params.params[2], &d); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_mpi_dprint_lz(pk_params.params[3], &p); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_mpi_dprint_lz(pk_params.params[4], &q); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_mpi_dprint_lz(pk_params.params[5], &u); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_mpi_dprint_lz(pk_params.params[6], &exp1); - if (result < 0) { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_mpi_dprint_lz(pk_params.params[7], &exp2); - if (result < 0) { + if (ret < 0) { gnutls_assert(); goto cleanup; } @@ -436,102 +377,98 @@ _gnutls_asn1_encode_rsa(ASN1_TYPE * c2, gnutls_pk_params_st * params) (_gnutls_get_gnutls_asn(), "GNUTLS.RSAPrivateKey", c2)) != ASN1_SUCCESS) { gnutls_assert(); - result = _gnutls_asn2err(result); + ret = _gnutls_asn2err(result); goto cleanup; } /* Write PRIME */ - if ((result = asn1_write_value(*c2, "modulus", - m.data, m.size)) != ASN1_SUCCESS) { + ret = + _gnutls_x509_write_int(*c2, "modulus", + params->params[RSA_MODULUS], 1); + if (ret < 0) { gnutls_assert(); - result = _gnutls_asn2err(result); goto cleanup; } - if ((result = asn1_write_value(*c2, "publicExponent", - e.data, e.size)) != ASN1_SUCCESS) { + ret = + _gnutls_x509_write_int(*c2, "publicExponent", + params->params[RSA_PUB], 1); + if (ret < 0) { gnutls_assert(); - result = _gnutls_asn2err(result); goto cleanup; } - if ((result = asn1_write_value(*c2, "privateExponent", - d.data, d.size)) != ASN1_SUCCESS) { + ret = + _gnutls_x509_write_key_int(*c2, "privateExponent", + params->params[RSA_PRIV], 1); + if (ret < 0) { gnutls_assert(); - result = _gnutls_asn2err(result); goto cleanup; } - if ((result = asn1_write_value(*c2, "prime1", - p.data, p.size)) != ASN1_SUCCESS) { + ret = + _gnutls_x509_write_key_int(*c2, "prime1", + params->params[RSA_PRIME1], 1); + if (ret < 0) { gnutls_assert(); - result = _gnutls_asn2err(result); goto cleanup; } - if ((result = asn1_write_value(*c2, "prime2", - q.data, q.size)) != ASN1_SUCCESS) { + ret = + _gnutls_x509_write_key_int(*c2, "prime2", + params->params[RSA_PRIME2], 1); + if (ret < 0) { gnutls_assert(); - result = _gnutls_asn2err(result); goto cleanup; } - if ((result = asn1_write_value(*c2, "coefficient", - u.data, u.size)) != ASN1_SUCCESS) { + ret = + _gnutls_x509_write_key_int(*c2, "coefficient", + params->params[RSA_COEF], 1); + if (ret < 0) { gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; } - if ((result = asn1_write_value(*c2, "exponent1", - exp1.data, - exp1.size)) != ASN1_SUCCESS) { + ret = + _gnutls_x509_write_key_int(*c2, "exponent1", + params->params[RSA_E1], 1); + if (ret < 0) { gnutls_assert(); - result = _gnutls_asn2err(result); goto cleanup; } - if ((result = asn1_write_value(*c2, "exponent2", - exp2.data, - exp2.size)) != ASN1_SUCCESS) { + ret = + _gnutls_x509_write_key_int(*c2, "exponent2", + params->params[RSA_E2], 1); + if (ret < 0) { gnutls_assert(); - result = _gnutls_asn2err(result); goto cleanup; } if ((result = asn1_write_value(*c2, "otherPrimeInfos", NULL, 0)) != ASN1_SUCCESS) { gnutls_assert(); - result = _gnutls_asn2err(result); + ret = _gnutls_asn2err(result); goto cleanup; } if ((result = asn1_write_value(*c2, "version", &null, 1)) != ASN1_SUCCESS) { gnutls_assert(); - result = _gnutls_asn2err(result); + ret = _gnutls_asn2err(result); goto cleanup; } result = 0; cleanup: - if (result != 0) + if (ret < 0) asn1_delete_structure(c2); + gnutls_pk_params_clear(&pk_params); gnutls_pk_params_release(&pk_params); - - _gnutls_free_datum(&m); - _gnutls_free_datum(&d); - _gnutls_free_datum(&e); - _gnutls_free_datum(&p); - _gnutls_free_datum(&q); - _gnutls_free_datum(&u); - _gnutls_free_datum(&exp1); - _gnutls_free_datum(&exp2); - return result; } @@ -582,7 +519,7 @@ _gnutls_asn1_encode_ecc(ASN1_TYPE * c2, gnutls_pk_params_st * params) } ret = - _gnutls_x509_write_int(*c2, "privateKey", + _gnutls_x509_write_key_int(*c2, "privateKey", params->params[ECC_K], 1); if (ret < 0) { gnutls_assert(); @@ -630,48 +567,8 @@ _gnutls_asn1_encode_ecc(ASN1_TYPE * c2, gnutls_pk_params_st * params) static int _gnutls_asn1_encode_dsa(ASN1_TYPE * c2, gnutls_pk_params_st * params) { - int result, i; - size_t size[DSA_PRIVATE_PARAMS], total; - uint8_t *p_data, *q_data, *g_data, *x_data, *y_data; - uint8_t *all_data = NULL, *p; - uint8_t null = '\0'; - - /* Read all the sizes */ - total = 0; - for (i = 0; i < DSA_PRIVATE_PARAMS; i++) { - _gnutls_mpi_print_lz(params->params[i], NULL, &size[i]); - total += size[i]; - } - - /* Encoding phase. - * allocate data enough to hold everything - */ - all_data = gnutls_malloc(total); - if (all_data == NULL) { - gnutls_assert(); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - p = all_data; - p_data = p; - p += size[0]; - q_data = p; - p += size[1]; - g_data = p; - p += size[2]; - y_data = p; - p += size[3]; - x_data = p; - - _gnutls_mpi_print_lz(params->params[0], p_data, &size[0]); - _gnutls_mpi_print_lz(params->params[1], q_data, &size[1]); - _gnutls_mpi_print_lz(params->params[2], g_data, &size[2]); - _gnutls_mpi_print_lz(params->params[3], y_data, &size[3]); - _gnutls_mpi_print_lz(params->params[4], x_data, &size[4]); - - /* Ok. Now we have the data. Create the asn1 structures - */ + int result, ret; + const uint8_t null = '\0'; /* first make sure that no previously allocated data are leaked */ if (*c2 != ASN1_TYPE_EMPTY) { @@ -683,67 +580,64 @@ _gnutls_asn1_encode_dsa(ASN1_TYPE * c2, gnutls_pk_params_st * params) (_gnutls_get_gnutls_asn(), "GNUTLS.DSAPrivateKey", c2)) != ASN1_SUCCESS) { gnutls_assert(); - result = _gnutls_asn2err(result); - goto cleanup; + return _gnutls_asn2err(result); } /* Write PRIME */ - if ((result = - asn1_write_value(*c2, "p", p_data, - size[0])) != ASN1_SUCCESS) { + ret = + _gnutls_x509_write_int(*c2, "p", + params->params[DSA_P], 1); + if (ret < 0) { gnutls_assert(); - result = _gnutls_asn2err(result); goto cleanup; } - if ((result = - asn1_write_value(*c2, "q", q_data, - size[1])) != ASN1_SUCCESS) { + ret = + _gnutls_x509_write_int(*c2, "q", + params->params[DSA_Q], 1); + if (ret < 0) { gnutls_assert(); - result = _gnutls_asn2err(result); goto cleanup; } - if ((result = - asn1_write_value(*c2, "g", g_data, - size[2])) != ASN1_SUCCESS) { + ret = + _gnutls_x509_write_int(*c2, "g", + params->params[DSA_G], 1); + if (ret < 0) { gnutls_assert(); - result = _gnutls_asn2err(result); goto cleanup; } - if ((result = - asn1_write_value(*c2, "Y", y_data, - size[3])) != ASN1_SUCCESS) { + ret = + _gnutls_x509_write_int(*c2, "Y", + params->params[DSA_Y], 1); + if (ret < 0) { gnutls_assert(); - result = _gnutls_asn2err(result); goto cleanup; } - if ((result = asn1_write_value(*c2, "priv", - x_data, size[4])) != ASN1_SUCCESS) { + ret = + _gnutls_x509_write_key_int(*c2, "priv", + params->params[DSA_X], 1); + if (ret < 0) { gnutls_assert(); - result = _gnutls_asn2err(result); goto cleanup; } - gnutls_free(all_data); - if ((result = asn1_write_value(*c2, "version", &null, 1)) != ASN1_SUCCESS) { gnutls_assert(); - result = _gnutls_asn2err(result); + ret = _gnutls_asn2err(result); goto cleanup; } return 0; - cleanup: +cleanup: asn1_delete_structure(c2); - gnutls_free(all_data); - return result; + return ret; } int _gnutls_asn1_encode_privkey(gnutls_pk_algorithm_t pk, ASN1_TYPE * c2, diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c index 0c94ac52b4..72c5d09158 100644 --- a/lib/x509/privkey.c +++ b/lib/x509/privkey.c @@ -163,14 +163,14 @@ _gnutls_privkey_decode_pkcs1_rsa_key(const gnutls_datum_t * raw_key, pkey->params.params_nr++; if ((result = - _gnutls_x509_read_int(pkey_asn, "privateExponent", + _gnutls_x509_read_key_int(pkey_asn, "privateExponent", &pkey->params.params[2])) < 0) { gnutls_assert(); goto error; } pkey->params.params_nr++; - if ((result = _gnutls_x509_read_int(pkey_asn, "prime1", + if ((result = _gnutls_x509_read_key_int(pkey_asn, "prime1", &pkey->params.params[3])) < 0) { gnutls_assert(); @@ -178,7 +178,7 @@ _gnutls_privkey_decode_pkcs1_rsa_key(const gnutls_datum_t * raw_key, } pkey->params.params_nr++; - if ((result = _gnutls_x509_read_int(pkey_asn, "prime2", + if ((result = _gnutls_x509_read_key_int(pkey_asn, "prime2", &pkey->params.params[4])) < 0) { gnutls_assert(); @@ -186,7 +186,7 @@ _gnutls_privkey_decode_pkcs1_rsa_key(const gnutls_datum_t * raw_key, } pkey->params.params_nr++; - if ((result = _gnutls_x509_read_int(pkey_asn, "coefficient", + if ((result = _gnutls_x509_read_key_int(pkey_asn, "coefficient", &pkey->params.params[5])) < 0) { gnutls_assert(); @@ -194,7 +194,7 @@ _gnutls_privkey_decode_pkcs1_rsa_key(const gnutls_datum_t * raw_key, } pkey->params.params_nr++; - if ((result = _gnutls_x509_read_int(pkey_asn, "exponent1", + if ((result = _gnutls_x509_read_key_int(pkey_asn, "exponent1", &pkey->params.params[6])) < 0) { gnutls_assert(); @@ -202,7 +202,7 @@ _gnutls_privkey_decode_pkcs1_rsa_key(const gnutls_datum_t * raw_key, } pkey->params.params_nr++; - if ((result = _gnutls_x509_read_int(pkey_asn, "exponent2", + if ((result = _gnutls_x509_read_key_int(pkey_asn, "exponent2", &pkey->params.params[7])) < 0) { gnutls_assert(); @@ -313,7 +313,7 @@ _gnutls_privkey_decode_ecc_key(const gnutls_datum_t * raw_key, /* read the private key */ ret = - _gnutls_x509_read_int(pkey_asn, "privateKey", + _gnutls_x509_read_key_int(pkey_asn, "privateKey", &pkey->params.params[ECC_K]); if (ret < 0) { gnutls_assert(); @@ -388,7 +388,7 @@ decode_dsa_key(const gnutls_datum_t * raw_key, gnutls_x509_privkey_t pkey) } pkey->params.params_nr++; - if ((result = _gnutls_x509_read_int(dsa_asn, "priv", + if ((result = _gnutls_x509_read_key_int(dsa_asn, "priv", &pkey->params.params[4])) < 0) { gnutls_assert(); diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c index 252742ea2e..140da472aa 100644 --- a/lib/x509/privkey_pkcs8.c +++ b/lib/x509/privkey_pkcs8.c @@ -264,7 +264,8 @@ encode_to_private_key_info(gnutls_x509_privkey_t pkey, result = asn1_write_value(*pkey_info, "privateKeyAlgorithm.parameters", algo_params.data, algo_params.size); - _gnutls_free_datum(&algo_params); + _gnutls_zfree_datum(&algo_params); + if (result != ASN1_SUCCESS) { gnutls_assert(); result = _gnutls_asn2err(result); @@ -283,7 +284,7 @@ encode_to_private_key_info(gnutls_x509_privkey_t pkey, result = asn1_write_value(*pkey_info, "privateKey", algo_privkey.data, algo_privkey.size); - _gnutls_free_datum(&algo_privkey); + _gnutls_zfree_datum(&algo_privkey); if (result != ASN1_SUCCESS) { gnutls_assert(); @@ -331,7 +332,7 @@ encode_to_private_key_info(gnutls_x509_privkey_t pkey, error: asn1_delete_structure(pkey_info); _gnutls_free_datum(&algo_params); - _gnutls_free_datum(&algo_privkey); + _gnutls_zfree_datum(&algo_privkey); return result; } @@ -527,14 +528,14 @@ encode_to_pkcs8_key(schema_id schema, const gnutls_datum_t * der_key, } _gnutls_free_datum(&tmp); - _gnutls_free_datum(&key); + _gnutls_zfree_datum(&key); *out = pkcs8_asn; return 0; error: - _gnutls_free_datum(&key); + _gnutls_zfree_datum(&key); _gnutls_free_datum(&tmp); asn1_delete_structure(&pkcs8_asn); return result; @@ -688,7 +689,7 @@ gnutls_x509_privkey_export2_pkcs8(gnutls_x509_privkey_t key, if (((flags & GNUTLS_PKCS_PLAIN) || password == NULL) && !(flags & GNUTLS_PKCS_NULL_PASSWORD)) { - _gnutls_free_datum(&tmp); + _gnutls_zfree_datum(&tmp); ret = _gnutls_x509_export_int2(pkey_info, format, @@ -701,7 +702,7 @@ gnutls_x509_privkey_export2_pkcs8(gnutls_x509_privkey_t key, ret = encode_to_pkcs8_key(schema, &tmp, password, &pkcs8_asn); - _gnutls_free_datum(&tmp); + _gnutls_zfree_datum(&tmp); if (ret < 0) { gnutls_assert(); @@ -927,7 +928,7 @@ static int decrypt_pkcs8_key(const gnutls_datum_t * raw_key, } result = decode_private_key_info(&tmp, pkey); - _gnutls_free_datum(&tmp); + _gnutls_zfree_datum(&tmp); if (result < 0) { /* We've gotten this far. In the real world it's almost certain @@ -1016,7 +1017,8 @@ _decode_pkcs8_rsa_key(ASN1_TYPE pkcs8_asn, gnutls_x509_privkey_t pkey) } pkey->key = _gnutls_privkey_decode_pkcs1_rsa_key(&tmp, pkey); - _gnutls_free_datum(&tmp); + _gnutls_zfree_datum(&tmp); + if (pkey->key == NULL) { gnutls_assert(); goto error; @@ -1043,7 +1045,8 @@ _decode_pkcs8_ecc_key(ASN1_TYPE pkcs8_asn, gnutls_x509_privkey_t pkey) } pkey->key = _gnutls_privkey_decode_ecc_key(&tmp, pkey); - _gnutls_free_datum(&tmp); + _gnutls_zfree_datum(&tmp); + if (pkey->key == NULL) { ret = GNUTLS_E_PARSING_ERROR; gnutls_assert(); @@ -1073,7 +1076,7 @@ _decode_pkcs8_dsa_key(ASN1_TYPE pkcs8_asn, gnutls_x509_privkey_t pkey) ret = _gnutls_x509_read_der_int(tmp.data, tmp.size, &pkey->params.params[4]); - _gnutls_free_datum(&tmp); + _gnutls_zfree_datum(&tmp); if (ret < 0) { gnutls_assert(); @@ -2391,7 +2394,7 @@ _gnutls_pkcs7_encrypt_data(schema_id schema, } _gnutls_free_datum(&tmp); - _gnutls_free_datum(&key); + _gnutls_zfree_datum(&key); /* Now write the rest of the pkcs-7 stuff. */ @@ -2431,7 +2434,7 @@ _gnutls_pkcs7_encrypt_data(schema_id schema, error: - _gnutls_free_datum(&key); + _gnutls_zfree_datum(&key); _gnutls_free_datum(&tmp); asn1_delete_structure(&pkcs7_asn); return result; diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h index 04930dd1dd..62f30e84c5 100644 --- a/lib/x509/x509_int.h +++ b/lib/x509/x509_int.h @@ -276,6 +276,12 @@ int _gnutls_x509_read_int(ASN1_TYPE node, const char *value, bigint_t * ret_mpi); int _gnutls_x509_write_int(ASN1_TYPE node, const char *value, bigint_t mpi, int lz); + +int _gnutls_x509_read_key_int(ASN1_TYPE node, const char *value, + bigint_t * ret_mpi); +int _gnutls_x509_write_key_int(ASN1_TYPE node, const char *value, bigint_t mpi, + int lz); + int _gnutls_x509_write_uint32(ASN1_TYPE node, const char *value, uint32_t num); |