Also zeroize entropy source
torben-hansen committed Nov 1, 2024
1 parent bc2a5c5 commit ac45c0f
Showing 1 changed file with 12 additions and 2 deletions.
14 changes: 12 additions & 2 deletions crypto/fipsmodule/rand/new_rand.c
Expand Up @@ -60,7 +60,7 @@ static void rand_thread_local_state_clear_all(void) __attribute__ ((destructor))

// At process exit not all threads will be scheduled and proper exited. To
// ensure no secret state is left, globally clear all thread-local states. This
// is a FIPS-derived requirement: SSPs must be cleared.
// is a FIPS-derived requirement, see ISO/IEC 19790-2012 7.9.7.
//
// This is problematic because a thread might be scheduled and return
// randomness from a non-valid state. The linked application should obviously
Expand All @@ -72,13 +72,23 @@ static void rand_thread_local_state_clear_all(void) __attribute__ ((destructor))
// generation can occur after a thread-local state has been locked. It also
// ensures |rand_thread_local_state_free| cannot free any thread state while we
// own the lock.
//
// When we a thread-local DRBGs is gated from returning output, we can
// invoke the entropy source zeroization from |state->entropy_source|. The
// entropy source implementation can assume that any returned seed is never
// used to generate any randomness that is later returned to a consumer.
static void rand_thread_local_state_clear_all(void) {
CRYPTO_STATIC_MUTEX_lock_write(thread_local_states_list_lock_bss_get());
for (struct rand_thread_local_state *state = *thread_states_list_head_bss_get();
state != NULL; state = state->next) {
CRYPTO_MUTEX_lock_write(&state->state_clear_lock);
CTR_DRBG_clear(&state->drbg);
}

for (struct rand_thread_local_state *state = *thread_states_list_head_bss_get();
state != NULL; state = state->next) {
state->entropy_source->methods->zeroize_thread(state->entropy_source);
}
}

static void thread_local_list_delete_node(
Expand Down Expand Up @@ -200,7 +210,7 @@ static int rand_ensure_valid_state(struct rand_thread_local_state *state) {
// imply that an UBE occurred. It can also mean that no UBE detection is
// supported or that UBE detection failed. In these cases, |state| must also be
// randomized to ensure uniqueness. Any special future cases can be handled in
// this function.
// this function.
//
// Return 1 if |state| must be randomized. 0 otherwise.
static int rand_ensure_ctr_drbg_uniqueness(struct rand_thread_local_state *state) {
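Review bot: The second loop added to rand_thread_local_state_clear_all calls `state->entropy_source->methods->zeroize_thread(state->entropy_source)` without checking any pointer in that chain, and the hunk does not show where `entropy_source` is assigned. If a state can be linked into the list before its entropy source is set, or a method table may leave `zeroize_thread` unset, this destructor faults at process exit before the remaining entropy sources are zeroized; either guard the call, e.g. `if (state->entropy_source != NULL && state->entropy_source->methods->zeroize_thread != NULL)`, or state the non-NULL invariant in the comment. The comment should also say why zeroization runs as a separate pass: it appears to rely on every `state_clear_lock` already being held, so merging the two loops later would break the guarantee the new comment gives to entropy source implementations. The added line "When we a thread-local DRBGs is gated" should read `// When a thread-local DRBG is gated from returning output, we can`.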
