authorTomas Mraz <tomas@openssl.org>2023-06-28 16:46:00 +0200
committerPauli <pauli@openssl.org>2023-07-03 09:15:13 +1000
commit292c9df2662b6bd54fea233964d908de5c63db7a (patch)
tree9fddd95d1bdcfef200f1016e76f4a98a0fd3ddcc
parent6ba2edb7143472e306cbb4cbee9bae3094bc01ef (diff)
Cleanse data in send and receive ring buffers on release
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21311)
-rw-r--r--include/internal/ring_buf.h14
-rw-r--r--ssl/quic/quic_rstream.c9
-rw-r--r--ssl/quic/quic_sstream.c8
3 files changed, 19 insertions, 12 deletions
diff --git a/include/internal/ring_buf.h b/include/internal/ring_buf.h
index 69b8df2aa8..1d70439278 100644
--- a/include/internal/ring_buf.h
+++ b/include/internal/ring_buf.h
@@ -47,9 +47,12 @@ static ossl_inline int ring_buf_init(struct ring_buf *r)
return 1;
}
-static ossl_inline void ring_buf_destroy(struct ring_buf *r)
+static ossl_inline void ring_buf_destroy(struct ring_buf *r, int cleanse)
{
- OPENSSL_free(r->start);
+ if (cleanse)
+ OPENSSL_clear_free(r->start, r->alloc);
+ else
+ OPENSSL_free(r->start);
r->start = NULL;
r->alloc = 0;
}
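Review bot: The new `cleanse` parameter of ring_buf_destroy() is undocumented, while callers in this commit pass either a bare `0` or a stream flag, so the contract should be stated at the definition. A comment above the function such as `/* cleanse != 0: zeroise the whole allocation (r->alloc bytes) before freeing, not only the bytes currently in use */` would record that `OPENSSL_clear_free(r->start, r->alloc)` also wipes stale data that was already consumed from the buffer. That assumes `r->alloc` is the size of the allocation behind `r->start`, which the hunk suggests but does not show.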
@@ -213,7 +216,8 @@ static ossl_inline void ring_buf_cpop_range(struct ring_buf *r,
r->head_offset = r->ctail_offset;
}
-static ossl_inline int ring_buf_resize(struct ring_buf *r, size_t num_bytes)
+static ossl_inline int ring_buf_resize(struct ring_buf *r, size_t num_bytes,
+ int cleanse)
{
struct ring_buf rnew = {0};
const unsigned char *src = NULL;
@@ -251,9 +255,9 @@ static ossl_inline int ring_buf_resize(struct ring_buf *r, size_t num_bytes)
}
assert(rnew.head_offset == r->head_offset);
- rnew.ctail_offset = r->ctail_offset;
+ rnew.ctail_offset = r->ctail_offset;
- OPENSSL_free(r->start);
+ ring_buf_destroy(r, cleanse);
memcpy(r, &rnew, sizeof(*r));
return 1;
}
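Review bot: Only the success path at the end of ring_buf_resize() honours `cleanse`, through `ring_buf_destroy(r, cleanse);`. The body between the signature and this hunk is not shown, so any failure path there that releases the partially filled `rnew.start` should be checked. If such a path still uses a plain `OPENSSL_free(rnew.start);`, stream data already copied into the new buffer would be freed uncleansed when a resize fails part-way. Replacing it with `ring_buf_destroy(&rnew, cleanse);` would keep both outcomes consistent.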
diff --git a/ssl/quic/quic_rstream.c b/ssl/quic/quic_rstream.c
index 80970b084f..0b3c870661 100644
--- a/ssl/quic/quic_rstream.c
+++ b/ssl/quic/quic_rstream.c
@@ -30,7 +30,7 @@ QUIC_RSTREAM *ossl_quic_rstream_new(QUIC_RXFC *rxfc,
return NULL;
ring_buf_init(&ret->rbuf);
- if (!ring_buf_resize(&ret->rbuf, rbuf_size)) {
+ if (!ring_buf_resize(&ret->rbuf, rbuf_size, 0)) {
OPENSSL_free(ret);
return NULL;
}
@@ -43,11 +43,14 @@ QUIC_RSTREAM *ossl_quic_rstream_new(QUIC_RXFC *rxfc,
void ossl_quic_rstream_free(QUIC_RSTREAM *qrs)
{
+ int cleanse;
+
if (qrs == NULL)
return;
+ cleanse = qrs->fl.cleanse;
ossl_sframe_list_destroy(&qrs->fl);
- ring_buf_destroy(&qrs->rbuf);
+ ring_buf_destroy(&qrs->rbuf, cleanse);
OPENSSL_free(qrs);
}
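Review bot: In ossl_quic_rstream_free() the line `cleanse = qrs->fl.cleanse;` is read before `ossl_sframe_list_destroy(&qrs->fl);` with no comment explaining the ordering. It looks deliberate, presumably because destroying the list may reset its fields, and a later reorder would silently disable cleansing of the receive buffer. A comment such as `/* read before fl is destroyed; the ring buffer follows the frame list's cleanse setting */` would protect it. The receive stream borrows the frame list's flag both here and in the ossl_quic_rstream_resize_rbuf() hunk below, whereas the send stream uses its own `qss->cleanse`, so that coupling is worth stating where the flag is set.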
@@ -281,7 +284,7 @@ int ossl_quic_rstream_resize_rbuf(QUIC_RSTREAM *qrs, size_t rbuf_size)
if (ossl_sframe_list_is_head_locked(&qrs->fl))
return 0;
- if (!ring_buf_resize(&qrs->rbuf, rbuf_size))
+ if (!ring_buf_resize(&qrs->rbuf, rbuf_size, qrs->fl.cleanse))
return 0;
return 1;
diff --git a/ssl/quic/quic_sstream.c b/ssl/quic/quic_sstream.c
index a4bf7b025d..b6cf311cfc 100644
--- a/ssl/quic/quic_sstream.c
+++ b/ssl/quic/quic_sstream.c
@@ -66,8 +66,8 @@ QUIC_SSTREAM *ossl_quic_sstream_new(size_t init_buf_size)
return NULL;
ring_buf_init(&qss->ring_buf);
- if (!ring_buf_resize(&qss->ring_buf, init_buf_size)) {
- ring_buf_destroy(&qss->ring_buf);
+ if (!ring_buf_resize(&qss->ring_buf, init_buf_size, 0)) {
+ ring_buf_destroy(&qss->ring_buf, 0);
OPENSSL_free(qss);
return NULL;
}
@@ -84,7 +84,7 @@ void ossl_quic_sstream_free(QUIC_SSTREAM *qss)
ossl_uint_set_destroy(&qss->new_set);
ossl_uint_set_destroy(&qss->acked_set);
- ring_buf_destroy(&qss->ring_buf);
+ ring_buf_destroy(&qss->ring_buf, qss->cleanse);
OPENSSL_free(qss);
}
@@ -356,7 +356,7 @@ static void qss_cull(QUIC_SSTREAM *qss)
int ossl_quic_sstream_set_buffer_size(QUIC_SSTREAM *qss, size_t num_bytes)
{
- return ring_buf_resize(&qss->ring_buf, num_bytes);
+ return ring_buf_resize(&qss->ring_buf, num_bytes, qss->cleanse);
}
size_t ossl_quic_sstream_get_buffer_size(QUIC_SSTREAM *qss)