Skip to content

fix: zeroize req password buffers#272

Open
MarkAtwood wants to merge 1 commit into
wolfSSL:mainfrom
MarkAtwood:fix/zeroize-req-passwords
Open

fix: zeroize req password buffers#272
MarkAtwood wants to merge 1 commit into
wolfSSL:mainfrom
MarkAtwood:fix/zeroize-req-passwords

Conversation

@MarkAtwood

Copy link
Copy Markdown

Bug

wolfCLU_requestSetup in src/x509/clu_request_setup.c reads a key-encryption password into stack buffers (password[MAX_PASSWORD_SIZE] via -passout, and a pass[MAX_PASSWORD_SIZE] stdin buffer) but never zeroizes them. The secret is left on the stack at every return path — the normal exit and the -help early return (reachable when -passout precedes -help). Sibling functions in this codebase already scrub such buffers with wolfCLU_ForceZero (see src/pkcs/clu_pkcs8.c:290, src/pkcs/clu_pkcs12.c:237).

Fix

Call wolfCLU_ForceZero(buf, MAX_PASSWORD_SIZE) on each secret buffer before it goes out of scope:

  • password before the normal return ret
  • password before the -help early return WOLFCLU_SUCCESS
  • the stdin pass buffer before it leaves its block

wolfCLU_ForceZero is a project-provided helper declared in the already-included wolfclu/clu_header_main.h; no new include or dependency.

Verification

Compiled the patched translation unit clean against a full-featured wolfSSL install: gcc -c src/x509/clu_request_setup.c ... -Wall exits 0, and nm confirms the object now references wolfCLU_ForceZero.

Reported by static analysis (Fenrir finding 663).

Copilot AI review requested due to automatic review settings July 9, 2026 23:49

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot couldn't run its full agentic review because no GitHub Actions runner was available. Make sure your repository has a runner available to run Copilot's review, or add a copilot-setup-steps.yml file specifying one with the runs-on attribute. See the docs for more details.

Closes a security issue where wolfCLU_requestSetup left key-encryption passwords resident in stack buffers on normal and early-return paths by explicitly zeroizing those buffers before returning.

Changes:

  • Zeroize the password stack buffer on the -help early return path.
  • Zeroize the stdin pass buffer after use.
  • Zeroize the password stack buffer on the normal exit path.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants