From a73c303339d4b539c8c45f0f28baf91840ff1903 Mon Sep 17 00:00:00 2001
From: Zhi Guan
Date: Sat, 13 Jun 2026 22:57:20 +0800
Subject: [PATCH] Clean cipher local vars
---
 CMakeLists.txt | 2 +-
 include/gmssl/version.h | 2 +-
 src/aes_modes.c | 16 ++++++++++++++++
 src/sm4_gcm.c | 18 +++++++++++++++---
 4 files changed, 33 insertions(+), 5 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index ea8f1d15..30b33c6f 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -768,7 +768,7 @@ endif()
 #
 set(CPACK_PACKAGE_NAME "GmSSL")
 set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
-set(CPACK_PACKAGE_VERSION "3.2.0-dev.1035")
+set(CPACK_PACKAGE_VERSION "3.2.0-dev.1036")
 set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
 set(CPACK_NSIS_MODIFY_PATH ON)
 include(CPack)
diff --git a/include/gmssl/version.h b/include/gmssl/version.h
index fe075b82..170c87f6 100644
--- a/include/gmssl/version.h
+++ b/include/gmssl/version.h
@@ -19,7 +19,7 @@ extern "C" {
 // Also update CPACK_PACKAGE_VERSION in CMakeLists.txt
 #define GMSSL_VERSION_NUM 30200
-#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1035"
+#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1036"
 int gmssl_version_num(void);
 const char *gmssl_version_str(void);
diff --git a/src/aes_modes.c b/src/aes_modes.c
index 7243b985..08c1110a 100644
--- a/src/aes_modes.c
+++ b/src/aes_modes.c
@@ -153,6 +153,7 @@ static void aes_ctr32_encrypt(const AES_KEY *key, uint8_t ctr[16], const uint8_t
 out += len;
 inlen -= len;
 }
+ gmssl_secure_clear(block, sizeof(block));
 }
 int aes_gcm_encrypt(const AES_KEY *key, const uint8_t *iv, size_t ivlen,
@@ -188,6 +189,10 @@ int aes_gcm_encrypt(const AES_KEY *key, const uint8_t *iv, size_t ivlen,
 ghash(H, aad, aadlen, out, inlen, H);
 gmssl_memxor(tag, T, H, taglen);
+
+ gmssl_secure_clear(H, sizeof(H));
+ gmssl_secure_clear(Y, sizeof(Y));
+ gmssl_secure_clear(T, sizeof(T));
 return 1;
 }
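Review bot: The wipe of `block` is only reached on the normal exit of aes_ctr32_encrypt, whose body starts outside this hunk; if the loop above has an early return the keystream block survives it, which is worth confirming. The SM4 counterpart `sm4_ctr32_encrypt`, called from the sm4_gcm.c hunks of this same commit, is not touched here — if it keeps an equivalent local keystream buffer it should get the same `gmssl_secure_clear(block, sizeof(block));` so the two back ends behave alike.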
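Review bot: aes_gcm_encrypt receives no bound on `taglen` in this commit while aes_gcm_decrypt in the same file does; unless a check already exists above the hunk, `gmssl_memxor(tag, T, H, taglen)` reads past `T[16]`/`H[16]` and writes past `tag` whenever taglen exceeds 16. Mirroring the decrypt-side guard, `if (taglen > AES_GCM_MAX_TAG_SIZE) { error_print(); return -1; }`, before H, Y and T are derived would make the two entry points consistent. The same observation applies to the sm4_gcm_encrypt hunk at `@@ -69,6 +69,9 @@`. The prologue of aes_gcm_encrypt is outside the hunk, so whether a check already exists cannot be seen here.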
@@ -202,6 +207,11 @@ int aes_gcm_decrypt(const AES_KEY *key, const uint8_t *iv, size_t ivlen,
 uint8_t Y[16];
 uint8_t T[16];
+ if (taglen > AES_GCM_MAX_TAG_SIZE) {
+ error_print();
+ return -1;
+ }
+
 aes_encrypt(key, H, H);
 if (ivlen == 12) {
@@ -216,6 +226,9 @@ int aes_gcm_decrypt(const AES_KEY *key, const uint8_t *iv, size_t ivlen,
 aes_encrypt(key, Y, T);
 gmssl_memxor(T, T, H, taglen);
 if (gmssl_secure_memcmp(T, tag, taglen) != 0) {
+ gmssl_secure_clear(H, sizeof(H));
+ gmssl_secure_clear(Y, sizeof(Y));
+ gmssl_secure_clear(T, sizeof(T));
 error_print();
 return -1;
 }
@@ -223,5 +236,8 @@ int aes_gcm_decrypt(const AES_KEY *key, const uint8_t *iv, size_t ivlen,
 ctr32_incr(Y);
 aes_ctr32_encrypt(key, Y, in, inlen, out);
+ gmssl_secure_clear(H, sizeof(H));
+ gmssl_secure_clear(Y, sizeof(Y));
+ gmssl_secure_clear(T, sizeof(T));
 return 1;
 }
diff --git a/src/sm4_gcm.c b/src/sm4_gcm.c
index 6064fe46..1a73b58d 100644
--- a/src/sm4_gcm.c
+++ b/src/sm4_gcm.c
@@ -69,6 +69,9 @@ int sm4_gcm_encrypt(const SM4_KEY *key, const uint8_t *iv, size_t ivlen,
 ghash(H, aad, aadlen, out, inlen, H);
 gmssl_memxor(tag, T, H, taglen);
+ gmssl_secure_clear(H, sizeof(H));
+ gmssl_secure_clear(Y, sizeof(Y));
+ gmssl_secure_clear(T, sizeof(T));
 return 1;
 }
@@ -112,6 +115,9 @@ int sm4_gcm_decrypt(const SM4_KEY *key, const uint8_t *iv, size_t ivlen,
 sm4_encrypt(key, Y, T);
 gmssl_memxor(T, T, H, taglen);
 if (gmssl_secure_memcmp(T, tag, taglen) != 0) {
+ gmssl_secure_clear(H, sizeof(H));
+ gmssl_secure_clear(Y, sizeof(Y));
+ gmssl_secure_clear(T, sizeof(T));
 error_print();
 return -1;
 }
@@ -119,6 +125,9 @@ int sm4_gcm_decrypt(const SM4_KEY *key, const uint8_t *iv, size_t ivlen,
 ctr32_incr(Y);
 sm4_ctr32_encrypt(key, Y, in, inlen, out);
+ gmssl_secure_clear(H, sizeof(H));
+ gmssl_secure_clear(Y, sizeof(Y));
+ gmssl_secure_clear(T, sizeof(T));
 return 1;
 }
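Review bot: The new guard bounds `taglen` only from above; with `taglen == 0` the later `gmssl_secure_memcmp(T, tag, taglen)` compares nothing and the ciphertext is released without authentication. Unless a minimum is enforced by every caller (not visible from here), extend the same condition, at the least `if (taglen == 0 || taglen > AES_GCM_MAX_TAG_SIZE) {`, and consider the usual GCM minimum of 12 bytes. sm4_gcm_decrypt, at `@@ -112,6 +115,9 @@` below, gets no equivalent upper bound in this commit although its `gmssl_memxor(T, T, H, taglen)` and compare have the same shape.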
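Review bot: Style: the same three `gmssl_secure_clear` lines are pasted on the tag-mismatch path in `@@ -216,6 +226,9 @@`, on the success path in `@@ -223,5 +236,8 @@`, and twice more in sm4_gcm_decrypt (`@@ -112` and `@@ -119`); a single cleanup label wipes every exit, including any return a later edit adds, and removes the duplication. The sketch below assumes an `int ret = -1;` local declared with the buffers at the top of aes_gcm_decrypt, which is outside the hunk, and the same shape fits sm4_gcm_decrypt.
```c
	if (gmssl_secure_memcmp(T, tag, taglen) != 0) {
		error_print();
		goto end;
	}
	ctr32_incr(Y);
	aes_ctr32_encrypt(key, Y, in, inlen, out);
	ret = 1;
end:
	gmssl_secure_clear(H, sizeof(H));
	gmssl_secure_clear(Y, sizeof(Y));
	gmssl_secure_clear(T, sizeof(T));
	return ret;
```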
@@ -227,6 +236,7 @@ int sm4_gcm_encrypt_finish(SM4_GCM_CTX *ctx, uint8_t *out, size_t *outlen)
 memcpy(out + *outlen, mac, ctx->taglen);
 *outlen += ctx->taglen;
+ gmssl_secure_clear(mac, sizeof(mac));
 return 1;
 }
@@ -311,7 +321,8 @@ int sm4_gcm_decrypt_update(SM4_GCM_CTX *ctx, const uint8_t *in, size_t inlen, ui
 return -1;
 }
 *outlen += len;
- memcpy(ctx->mac, in + inlen, GHASH_SIZE);
+ memset(ctx->mac, 0, GHASH_SIZE);
+ memcpy(ctx->mac, in + inlen, ctx->taglen);
 }
 ctx->encedlen += datalen;
@@ -332,16 +343,17 @@ int sm4_gcm_decrypt_finish(SM4_GCM_CTX *ctx, uint8_t *out, size_t *outlen)
 }
 ghash_finish(&ctx->mac_ctx, mac);
 if (sm4_ctr32_encrypt_finish(&ctx->enc_ctx, out, outlen) != 1) {
+ gmssl_secure_clear(mac, sizeof(mac));
 error_print();
 return -1;
 }
 gmssl_memxor(mac, mac, ctx->Y, ctx->taglen);
 if (gmssl_secure_memcmp(mac, ctx->mac, ctx->taglen) != 0) {
+ gmssl_secure_clear(mac, sizeof(mac));
 error_print();
 return -1;
 }
- memset(ctx->mac, 0, GHASH_SIZE);
- ctx->maclen = 0;
+ gmssl_secure_clear(mac, sizeof(mac));
 return 1;
 }
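Review bot: `memcpy(ctx->mac, in + inlen, ctx->taglen)` in `@@ -311,7 +321,8 @@` now trusts `ctx->taglen` to be at most GHASH_SIZE and `inlen` to have already been reduced by that amount; both are established outside the hunk (sm4_gcm_decrypt_update starts above it), so neither can be confirmed here. A comment stating the invariant the copy relies on would help the next reader, e.g. `/* keep the trailing ctx->taglen bytes as the candidate tag; requires ctx->taglen <= GHASH_SIZE */`. The plain `memset` before it is fine: the zeroed tail is read by the later compare, so it is not a dead store a compiler may drop.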
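Review bot: In `@@ -332,16 +343,17 @@` the removed `memset(ctx->mac, 0, GHASH_SIZE); ctx->maclen = 0;` was the only reset of the received-tag state on the success path, and nothing added here replaces it; if a context is reused or finish is called twice without re-initialization (init and any cleanup routine are outside the hunk), `ctx->maclen` keeps its previous value. If the reset was dropped because the local `mac` wipe supersedes it, note that `ctx->mac` holds the received tag while `ctx->Y` and `ctx->enc_ctx` presumably hold key-derived state that this commit leaves in place — a context cleanup would be the place for those. Keeping `ctx->maclen = 0;` on success is the smaller fix. The three copies of `gmssl_secure_clear(mac, sizeof(mac));` would also collapse into one cleanup label, as suggested for aes_gcm_decrypt.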