Skip to content

fix: zero stdin password buffer in req#268

Open
MarkAtwood wants to merge 1 commit into
wolfSSL:mainfrom
MarkAtwood:fix/zero-stdin-password-buffer
Open

fix: zero stdin password buffer in req#268
MarkAtwood wants to merge 1 commit into
wolfSSL:mainfrom
MarkAtwood:fix/zero-stdin-password-buffer

Conversation

@MarkAtwood

Copy link
Copy Markdown

Bug

In wolfCLU_requestSetup (src/x509/clu_request_setup.c), the local stack buffer byte pass[MAX_PASSWORD_SIZE] (256 bytes) holds a password read from stdin via wolfCLU_GetStdinPassword. After the password is consumed by wolfCLU_pKeyPEMtoPriKeyEnc, the buffer goes out of scope without being cleared, leaving the plaintext password on the stack (recoverable via core dump or later stack reuse).

Fix

Add wolfCLU_ForceZero(pass, MAX_PASSWORD_SIZE) after the buffer's last use, before it leaves scope. This matches the existing secure-clear convention already used elsewhere in the codebase (e.g. src/pkey/clu_rsa.c, src/tools/clu_rand.c, src/x509/clu_x509_sign.c).

How verified

  • Compiled the patched translation unit against a prebuilt --enable-all wolfSSL: gcc -c src/x509/clu_request_setup.c exits 0.
  • objdump -dr on the object confirms a new relocation call to wolfCLU_ForceZero that was absent before the change; object size grew by the added call.

Reported by static analysis (Fenrir finding 744). A sibling uncleared buffer (function-level password[], finding 663) is tracked separately and left out of scope here.

Copilot AI review requested due to automatic review settings July 9, 2026 23:48

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot couldn't run its full agentic review because no GitHub Actions runner was available. Make sure your repository has a runner available to run Copilot's review, or add a copilot-setup-steps.yml file specifying one with the runs-on attribute. See the docs for more details.

Adds an explicit secure wipe of the stack password buffer in wolfCLU_requestSetup to prevent plaintext passwords lingering in memory after use.

Changes:

  • Securely zeroes pass via wolfCLU_ForceZero() after the password is consumed.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +1107 to 1110
wolfCLU_ForceZero(pass, MAX_PASSWORD_SIZE);
}
else {
ret = wolfCLU_pKeyPEMtoPriKeyEnc(keyOutBio, pkey, DES3b,
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants