Break out code that sets/wipes the raw buffer into separate functions

zpostfacto · zpostfacto · commit 1838b62e8fd0 · 2022-06-08T10:56:12.000-07:00
This is so that derived classes can use them more easily.  (Specifically, to
be able to set the raw buffer without the virtual Wipe() being called.)

Also: WIPE NEEDS TO SECURELY WIPE, not just free the buffer!

P4:7307228
diff --git a/src/common/keypair.cpp b/src/common/keypair.cpp
@@ -391,7 +391,11 @@ bool CCryptoKeyBase::LoadFromAndWipeBuffer( void *pBuffer, size_t cBytes )
 
 CCryptoKeyBase_RawBuffer::~CCryptoKeyBase_RawBuffer()
 {
-	Wipe();
+	// Note that we don't call virtual Wipe() here.  We're in a
+	// destructor, so it would just call our own Wipe(),
+	// anyway, but that relies on a relatively subtle aspect
+	// ot C++ destructor semantics, and this is more clear.
+	InternalWipeRawDataBuffer();
 }
 
 bool CCryptoKeyBase_RawBuffer::IsValid() const
@@ -408,7 +412,12 @@ uint32 CCryptoKeyBase_RawBuffer::GetRawData( void *pData ) const
 
 bool CCryptoKeyBase_RawBuffer::SetRawData( const void *pData, size_t cbData )
 {
-	Wipe();
+	return InternalSetRawDataBuffer( pData, cbData );
+}
+
+bool CCryptoKeyBase_RawBuffer::InternalSetRawDataBuffer( const void *pData, size_t cbData )
+{
+	InternalWipeRawDataBuffer();
 	m_pData = (uint8*)malloc( cbData );
 	if ( !m_pData )
 		return false;
@@ -418,9 +427,15 @@ bool CCryptoKeyBase_RawBuffer::SetRawData( const void *pData, size_t cbData )
 }
 
 void CCryptoKeyBase_RawBuffer::Wipe()
+{
+	InternalWipeRawDataBuffer();
+}
+
+void CCryptoKeyBase_RawBuffer::InternalWipeRawDataBuffer()
 {
 	if ( m_pData )
 	{
+		SecureZeroMemory( m_pData, m_cbData );
 		free( m_pData );
 		m_pData = nullptr;
 	}
diff --git a/src/common/keypair.h b/src/common/keypair.h
@@ -126,6 +126,8 @@ class CCryptoKeyBase_RawBuffer : public CCryptoKeyBase
 
 protected:
 	virtual bool SetRawData( const void *pData, size_t cbData ) override;
+	void InternalWipeRawDataBuffer();
+	bool InternalSetRawDataBuffer( const void *pData, size_t cbData );
 	inline CCryptoKeyBase_RawBuffer( ECryptoKeyType keyType ) : CCryptoKeyBase( keyType ), m_pData( nullptr ), m_cbData( 0 ) {}
 
 	uint8 *m_pData;

Original file line number	Diff line number	Diff line change
`@@ -391,7 +391,11 @@ bool CCryptoKeyBase::LoadFromAndWipeBuffer( void *pBuffer, size_t cBytes )`
`391`	`391`
`392`	`392`	`CCryptoKeyBase_RawBuffer::~CCryptoKeyBase_RawBuffer()`
`393`	`393`	`{`
`394`		`- Wipe();`
	`394`	`+ // Note that we don't call virtual Wipe() here. We're in a`
	`395`	`+ // destructor, so it would just call our own Wipe(),`
	`396`	`+ // anyway, but that relies on a relatively subtle aspect`
	`397`	`+ // ot C++ destructor semantics, and this is more clear.`
	`398`	`+ InternalWipeRawDataBuffer();`
`395`	`399`	`}`
`396`	`400`
`397`	`401`	`bool CCryptoKeyBase_RawBuffer::IsValid() const`
`@@ -408,7 +412,12 @@ uint32 CCryptoKeyBase_RawBuffer::GetRawData( void *pData ) const`
`408`	`412`
`409`	`413`	`bool CCryptoKeyBase_RawBuffer::SetRawData( const void *pData, size_t cbData )`
`410`	`414`	`{`
`411`		`- Wipe();`
	`415`	`+ return InternalSetRawDataBuffer( pData, cbData );`
	`416`	`+}`
	`417`	`+`
	`418`	`+bool CCryptoKeyBase_RawBuffer::InternalSetRawDataBuffer( const void *pData, size_t cbData )`
	`419`	`+{`
	`420`	`+ InternalWipeRawDataBuffer();`
`412`	`421`	`m_pData = (uint8*)malloc( cbData );`
`413`	`422`	`if ( !m_pData )`
`414`	`423`	`return false;`
`@@ -418,9 +427,15 @@ bool CCryptoKeyBase_RawBuffer::SetRawData( const void *pData, size_t cbData )`
`418`	`427`	`}`
`419`	`428`
`420`	`429`	`void CCryptoKeyBase_RawBuffer::Wipe()`
	`430`	`+{`
	`431`	`+ InternalWipeRawDataBuffer();`
	`432`	`+}`
	`433`	`+`
	`434`	`+void CCryptoKeyBase_RawBuffer::InternalWipeRawDataBuffer()`
`421`	`435`	`{`
`422`	`436`	`if ( m_pData )`
`423`	`437`	`{`
	`438`	`+ SecureZeroMemory( m_pData, m_cbData );`
`424`	`439`	`free( m_pData );`
`425`	`440`	`m_pData = nullptr;`
`426`	`441`	`}`