force local wc_nnn hash struct variables to zeros

[gojimmypi]

Description

Related to the #5948 ED25519 failure, this update forces the local SHA struct values to all zeros before using them. This is typically only important to hash hardware acceleration where existing HW state may be stored in the ctx and otherwise have potentially bad data if not properly initialized or worse: copied from another SHA ctx that may have active hardware acceleration computation state values.

Recall only one given HW acceleration computation can be in process at a given time on the ESP32. Although the ESP32-C3 does seem to have the ability for concurrent HW encryption, that's beyond the scope of this PR and in any case we'd still need a properly initialized variable anyhow.

Note this PR is not a substitute for proper SHA ctx self validation to check for creation from a copy as noted in #5948 (comment), and is not meant to be a final fix to #5948 . A separate PR will be created soon.

There's a small performance hit when assigning zeros at every use. I'm open to suggestions if this should only be applied for relevant platforms, such as the Espressif ESP32 with Hardware Acceleration. I chose to do it all the time as a Best Practice to have variables always safely initialized.

Fixes zd# n/a

Testing

How did you test? Ran the wolfcrypt test for both embedded ESP32 and Linux.

Checklist

• added tests
• updated/added doxygen
• updated appropriate READMEs
• Updated manual and documentation

[dgarske]

Jim please consider properly fixing the initialization it in each of the hash init routines. Some of these already do a memset and this is now duplicated. Also the ForceZero should be memset.

[dgarske]

Just use XMEMSET here please. The ForceZero is possible not as fast and is only required in places where there might be secrets that need cleared after use. This is just ensuring the data is zero'd, there shouldn't be any secrets left behind. Also this now duplicates work already done in some of the init functions. If using memset the compiler could optimize away the duplicate (not if ForceZero is used).

[dgarske]

This will have performance implications. My preference is to fix it in wc_InitMd5.

[gojimmypi]

I've reverted the changes to hash.c and moved the memory zeroize, now with XMEMSET instead of ForceZero into the respective inits.

[gojimmypi]

duplicates work already done in some of the init functions

@dgarske regarding this topic,: Although the ESP32 SHA tests pass, the RSA fails when the apparently duplicate XMEMSET here which should be ok to omit, as it is also here in the call to InitSha256. Clearly there's more research to be done.

[dgarske]

Same

[gojimmypi]

moved to md5.c

[dgarske]

Same

[gojimmypi]

moved to sha256.c

[dgarske]

Same

[gojimmypi]

moved to sha256.c

[dgarske]

Same

[gojimmypi]

moved to sha512.c

[dgarske]

Same

[gojimmypi]

moved to sha3c

[dgarske]

Same

[gojimmypi]

moved to sha3c

[dgarske]

Same

[gojimmypi]

moved to sha3c

[dgarske]

Same

[gojimmypi]

moved to sha3c

[dgarske]

Same

[gojimmypi]

moved to sha3c

[gojimmypi]

Reverted hash.c and moved XMEMSET into various files for initializtions. I'll squash merge after review if desired.

Rechecked with wolftest:

make[2]: Leaving directory '/mnt/c/temp/wolfssl_PR6068_test'
make[1]: Leaving directory '/mnt/c/temp/wolfssl_PR6068_test'
------------------------------------------------------------------------------
 wolfSSL version 5.5.4
------------------------------------------------------------------------------
error    test passed!
MEMORY   test passed!
base64   test passed!
asn      test passed!
RANDOM   test passed!
MD5      test passed!
SHA      test passed!
SHA-224  test passed!
SHA-256  test passed!
SHA-384  test passed!
SHA-512  test passed!
SHA-3    test passed!
Hash     test passed!
HMAC-MD5 test passed!
HMAC-SHA test passed!
HMAC-SHA224 test passed!
HMAC-SHA256 test passed!
HMAC-SHA384 test passed!
HMAC-SHA512 test passed!
HMAC-SHA3   test passed!
HMAC-KDF    test passed!
TLSv1.3 KDF test passed!
GMAC     test passed!
Chacha   test passed!
POLY1305 test passed!
ChaCha20-Poly1305 AEAD test passed!
AES      test passed!
AES192   test passed!
AES256   test passed!
AES-GCM  test passed!
RSA      test passed!
DH       test passed!
PWDBASED test passed!
ECC      test passed!
logging  test passed!
time test passed!
mutex    test passed!
memcb    test passed!
Test complete
stack used = 2097152
total   Allocs   =      1079
total   Deallocs =      1079
total   Bytes    =   2948064
peak    Bytes    =     59930
current Bytes    =         0
Exiting main with return code: 0

[dgarske]

This is redundant. Already done in wc_InitSha512_224_ex -> InitSha512_Family.

[gojimmypi]

agreed. good catch. updated.

[dgarske]

Thanks Jim. FYI: I will squash this on merge.

[wolfSSL-Bot]

Can one of the admins verify this patch?

[SparkiDev]

Missed wc_InitSha256_ex()

[gojimmypi]

@SparkiDev thanks for your review! Would you recommend that I do a XMEMSET in each of these?

I'm not entirely convinced it is a good idea for software-only hashes. The only reason I found this and started to do the initializations was due to undesired hardware encryption state data being copied into a new sha ctx instance.

Please advise. Thank you.

• Edit: Here's a code explorer view for conversation sake:

[SparkiDev]

If the PR is to memset the data structure when using hardware and they are the implementations for hardware, then yes.
If you can't find a common for each function, then it needs to be done in each.

[SparkiDev]

Missed wc_InitSha383_ex().

[gojimmypi]

I have a higher performance, less brute-force method of initialization in the works. Closing this PR; New PR will be created from my WIP ED25519_SHA2_fix Branch.

[gojimmypi]

For reference, the root cause of the ED25519 failures are noted in #5948 (comment) and fixed in #6287.

The root cause was the use of in-progress ctx copies during active SHA HW process.