From 6d576c9646fec898d938232d03aaad7c048e6aa1 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Thu, 30 Jun 2022 17:06:11 +0200
Subject: [PATCH] Call setbuf when reading or writing files: programs

After opening a file containing sensitive data, call mbedtls_setbuf() to
disable buffering. This way, we don't expose sensitive data to a memory
disclosure vulnerability in a buffer outside our control.

This commit adds a call to mbedtls_setbuf() after each call to fopen(),
but only in sample programs that were calling mbedtls_platform_zeroize().
Don't bother protecting stdio buffers in programs where application buffers
weren't protected.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 programs/aes/crypt_and_hash.c         |  4 ++++
 programs/psa/key_ladder_demo.c        | 13 +++++++++++++
 programs/ssl/ssl_test_common_source.c |  4 ++++
 programs/ssl/ssl_test_lib.h           |  1 +
 4 files changed, 22 insertions(+)

diff --git a/programs/aes/crypt_and_hash.c b/programs/aes/crypt_and_hash.c
index 74ea88c3ca..fa874b240a 100644
--- a/programs/aes/crypt_and_hash.c
+++ b/programs/aes/crypt_and_hash.c
@@ -171,6 +171,10 @@ int main( int argc, char *argv[] )
         goto exit;
     }
 
+    /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+    mbedtls_setbuf( fin, NULL );
+    mbedtls_setbuf( fout, NULL );
+
     /*
      * Read the Cipher and MD from the command line
      */
diff --git a/programs/psa/key_ladder_demo.c b/programs/psa/key_ladder_demo.c
index cad875e015..13037190dd 100644
--- a/programs/psa/key_ladder_demo.c
+++ b/programs/psa/key_ladder_demo.c
@@ -56,6 +56,7 @@
 #include <stdio.h>
 #include <string.h>
 
+#include "mbedtls/platform.h" // for mbedtls_setbuf
 #include "mbedtls/platform_util.h" // for mbedtls_platform_zeroize
 
 #include <psa/crypto.h>
@@ -177,6 +178,8 @@ static psa_status_t save_key( psa_key_id_t key,
                                key_data, sizeof( key_data ),
                                &key_size ) );
     SYS_CHECK( ( key_file = fopen( output_file_name, "wb" ) ) != NULL );
+    /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+    mbedtls_setbuf( key_file, NULL );
     SYS_CHECK( fwrite( key_data, 1, key_size, key_file ) == key_size );
     SYS_CHECK( fclose( key_file ) == 0 );
     key_file = NULL;
@@ -231,6 +234,8 @@ static psa_status_t import_key_from_file( psa_key_usage_t usage,
     unsigned char extra_byte;
 
     SYS_CHECK( ( key_file = fopen( key_file_name, "rb" ) ) != NULL );
+    /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+    mbedtls_setbuf( key_file, NULL );
     SYS_CHECK( ( key_size = fread( key_data, 1, sizeof( key_data ),
                                    key_file ) ) != 0 );
     if( fread( &extra_byte, 1, 1, key_file ) != 0 )
@@ -372,6 +377,8 @@ static psa_status_t wrap_data( const char *input_file_name,
 
     /* Find the size of the data to wrap. */
     SYS_CHECK( ( input_file = fopen( input_file_name, "rb" ) ) != NULL );
+    /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+    mbedtls_setbuf( input_file, NULL );
     SYS_CHECK( fseek( input_file, 0, SEEK_END ) == 0 );
     SYS_CHECK( ( input_position = ftell( input_file ) ) != -1 );
 #if LONG_MAX > SIZE_MAX
@@ -418,6 +425,8 @@ static psa_status_t wrap_data( const char *input_file_name,
 
     /* Write the output. */
     SYS_CHECK( ( output_file = fopen( output_file_name, "wb" ) ) != NULL );
+    /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+    mbedtls_setbuf( output_file, NULL );
     SYS_CHECK( fwrite( &header, 1, sizeof( header ),
                        output_file ) == sizeof( header ) );
     SYS_CHECK( fwrite( buffer, 1, ciphertext_size,
@@ -453,6 +462,8 @@ static psa_status_t unwrap_data( const char *input_file_name,
 
     /* Load and validate the header. */
     SYS_CHECK( ( input_file = fopen( input_file_name, "rb" ) ) != NULL );
+    /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+    mbedtls_setbuf( input_file, NULL );
     SYS_CHECK( fread( &header, 1, sizeof( header ),
                       input_file ) == sizeof( header ) );
     if( memcmp( &header.magic, WRAPPED_DATA_MAGIC,
@@ -509,6 +520,8 @@ static psa_status_t unwrap_data( const char *input_file_name,
 
     /* Write the output. */
     SYS_CHECK( ( output_file = fopen( output_file_name, "wb" ) ) != NULL );
+    /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+    mbedtls_setbuf( output_file, NULL );
     SYS_CHECK( fwrite( buffer, 1, plaintext_size,
                        output_file ) == plaintext_size );
     SYS_CHECK( fclose( output_file ) == 0 );
diff --git a/programs/ssl/ssl_test_common_source.c b/programs/ssl/ssl_test_common_source.c
index 0e66895dbd..23237d1a23 100644
--- a/programs/ssl/ssl_test_common_source.c
+++ b/programs/ssl/ssl_test_common_source.c
@@ -101,6 +101,10 @@ void nss_keylog_export( void *p_expkey,
             goto exit;
         }
 
+        /* Ensure no stdio buffering of secrets, as such buffers cannot be
+         * wiped. */
+        mbedtls_setbuf( f, NULL );
+
         if( fwrite( nss_keylog_line, 1, len, f ) != len )
         {
             fclose( f );
diff --git a/programs/ssl/ssl_test_lib.h b/programs/ssl/ssl_test_lib.h
index f0d0c3b895..d2354bbd42 100644
--- a/programs/ssl/ssl_test_lib.h
+++ b/programs/ssl/ssl_test_lib.h
@@ -35,6 +35,7 @@
 #define mbedtls_fprintf    fprintf
 #define mbedtls_snprintf   snprintf
 #define mbedtls_exit            exit
+#define mbedtls_setbuf     setbuf
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif