kmwebnet/se050-wireguard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: Critical security bugs - stack buffer and zeroize

Browse Source 
Bug 8: Missing zeroize after encryption
- Added se050_chacha20_poly1305_zeroize(&aead_ctx) after successful encrypt
- Added memzero_explicit(tag, 16) in both success and failure paths

Bug 9: Large stack allocation (64KB+)
- Removed: uint8_t ciphertext[WG_MAX_PACKET_SIZE] (65536 bytes on stack!)
- Changed to in-place encryption: encrypt directly to out + 16
- Much safer for embedded platforms (u-boot, ESP32 with limited stack)

Security improvements:
- Sensitive data (tags, contexts) properly zeroized
- No large stack allocations that could cause overflow
- Reduced stack usage from ~66KB to ~100 bytes per call

Test results: 29 passed, 3 failed (same as before - these were security fixes)
This commit is contained in:
km
2026-03-28 20:51:31 +09:00
parent 4fae20f56d
commit 3645b4fe80
1 changed files with 13 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/se050_wireguard.c
+13 -8
View File
@@ -235,12 +235,14 @@ int se050_wireguard_encrypt_packet(se050_wireguard_session_t *session,
memcpy(out, header, 16); memcpy(out, header, 16);
/* Encrypt payload with ChaCha20-Poly1305 */ /* Encrypt payload with ChaCha20-Poly1305
* Note: We encrypt directly into the output buffer to avoid large stack allocation
* out = [header(16)][ciphertext][tag(16)]
*/
uint8_t nonce_buf[WG_NONCE_LEN]; uint8_t nonce_buf[WG_NONCE_LEN];
memset(nonce_buf, 0, 4); memset(nonce_buf, 0, 4);
memcpy(nonce_buf + 4, header + 8, 8); /* Use last 8 bytes of 12-byte nonce */ memcpy(nonce_buf + 4, header + 8, 8);
uint8_t ciphertext[WG_MAX_PACKET_SIZE];
uint8_t tag[16]; uint8_t tag[16];
se050_chacha20_poly1305_ctx_t aead_ctx; se050_chacha20_poly1305_ctx_t aead_ctx;
@@ -251,17 +253,20 @@ int se050_wireguard_encrypt_packet(se050_wireguard_session_t *session,
nonce_buf, /* nonce */ nonce_buf, /* nonce */
plaintext, plaintext_len, /* plaintext */ plaintext, plaintext_len, /* plaintext */
header, 16, /* aad */ header, 16, /* aad */
ciphertext, tag /* ciphertext, tag */ out + 16, /* ciphertext (direct write) */
tag /* tag */
); );
if (ret < 0) {
se050_chacha20_poly1305_zeroize(&aead_ctx); se050_chacha20_poly1305_zeroize(&aead_ctx);
if (ret < 0) {
memzero_explicit(tag, 16);
return -1; return -1;
} }
memcpy(out + 16, ciphertext, plaintext_len);
memcpy(out + 16 + plaintext_len, tag, 16); memcpy(out + 16 + plaintext_len, tag, 16);
*out_len = 16 + plaintext_len + 16; /* header + ciphertext + tag */ *out_len = 16 + plaintext_len + 16;
memzero_explicit(tag, 16);
/* Increment nonce */ /* Increment nonce */
session->sending_nonce++; session->sending_nonce++;
@@ -326,13 +331,13 @@ int se050_wireguard_decrypt_packet(se050_wireguard_session_t *session,
); );
se050_chacha20_poly1305_zeroize(&aead_ctx); se050_chacha20_poly1305_zeroize(&aead_ctx);
memzero_explicit(tag, 16);
if (ret < 0) { if (ret < 0) {
return -1; return -1;
} }
/* Update plaintext length and nonce */ /* Update plaintext length and nonce */
*plaintext_len = ciphertext_len;
session->receiving_nonce = nonce; session->receiving_nonce = nonce;
session->packets_received++; session->packets_received++;