Page MenuHome GnuPG
Create Task
Maniphest T5597

First 8 bytes of cache item left in clear in memory after decryption.
Closed, ResolvedPublic
Actions

Description

_gcry_cipher_aeswrap_decrypt function in file cipher/cipher-aeswrap.c does not clean memory properly after decryption. The variable b is used to concatenate intermediate results during AES wrap decryption. At the end of the decryption it contains the constant 0xa6a6a6a6a6a6a6a6 and the first eight bytes of the cache item in clear. At the end of the decryption, the variable is not wiped thus it stay in clear in memory. This can be easy findable in memory since it is next to the constant. This is problematic when a passphrase is used for symmetric encryption since the function is called by the function agent_get_cache in the file agent/cache.c. The first eight bytes may be recovered from a memory dump after a decryption have been done previously with a passphrase in cache.

To reproduce de the behavior it is possible to compile libgcrypt examples in debug mode and run gdb on aeswrap sample binary. By issuing the following commands:

b gcry_cipher_decrypt
r
b *_gcry_cipher_aeswrap_decrypt+791
c
x/4x b

Details

Version
1.9.3

Revisions and Commits

rC libgcrypt
rC792f607c58c0 cipher: Clear AESWRAP scratch area immediately after use
rC69e2e498f6a1 cipher: Clear AESWRAP scratch area immediately after use
rCdf4fe02794bb cipher: Clear AESWRAP scratch area immediately after use

Related Objects

Event Timeline

spelissier created this task.Sep 13 2021, 11:04 AM
spelissier added a project: libgcrypt.Sep 13 2021, 11:47 AM
werner claimed this task.Sep 13 2021, 4:39 PM
werner triaged this task as High priority.
werner added a subscriber: werner.

Good catch. Thanks. This patch should fix the leak:

--- a/cipher/cipher-aeswrap.c
+++ b/cipher/cipher-aeswrap.c
@@ -187,6 +187,7 @@ _gcry_cipher_aeswrap_decrypt (gcry_cipher_hd_t c,
           memcpy (r+(i-1)*8, b+8, 8);
         }
    }
+  wipememory (b, 16);
 
   /* If an IV has been set we compare against this Alternative Initial
      Value; if it has not been set we compare against the standard IV.  */

You mentioned gpg-agent: This not really in danger because the key for the encryption is anyway stored in memory and easy to find. The whole idea here is to limit the space needed for mlock-ed memory and to be prepared for a time when we have a usable way to store in-process secrets.

werner added a comment.Sep 13 2021, 4:42 PM

And well, the context area of the handle is also wiped at gcry_cipher_close time. Thus any standard use of aeswrap (open,encrypt/decrypt,close) is not affected.

werner added a commit: rCdf4fe02794bb: cipher: Clear AESWRAP scratch area immediately after use.Sep 13 2021, 4:46 PM
werner added a commit: rC69e2e498f6a1: cipher: Clear AESWRAP scratch area immediately after use.Sep 13 2021, 4:50 PM
werner added a commit: rC792f607c58c0: cipher: Clear AESWRAP scratch area immediately after use.
werner changed the task status from Open to Testing.Sep 13 2021, 4:51 PM
thesamesam added a subscriber: thesamesam.Oct 29 2021, 7:57 PM
werner mentioned this in T5467: Release libgcrypt 1.8.9.Feb 7 2022, 10:01 AM
werner closed this task as Resolved.May 13 2022, 4:10 PM