From: Dr. Stephen Henson
Date: Thu, 25 May 2017 13:53:32 +0000 (+0100)
Subject: Clear sensitive data in ED25519_sign
X-Git-Tag: OpenSSL_1_1_1-pre1~1408
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=04dec1ab34df70c1588d42cc394e8fa8b5f3191c;p=oweals%2Fopenssl.git
Clear sensitive data in ED25519_sign
Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/3503)
---
diff --git a/crypto/ec/curve25519.c b/crypto/ec/curve25519.c
index 72580334ff..77f5494036 100644
--- a/crypto/ec/curve25519.c
+++ b/crypto/ec/curve25519.c
@@ -4599,7 +4599,9 @@ int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
 uint8_t hram[SHA512_DIGEST_LENGTH];
 SHA512_CTX hash_ctx;
- SHA512(private_key, 32, az);
+ SHA512_Init(&hash_ctx);
+ SHA512_Update(&hash_ctx, private_key, 32);
+ SHA512_Final(az, &hash_ctx);
 az[0] &= 248;
 az[31] &= 63;
@@ -4623,6 +4625,10 @@ int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
 x25519_sc_reduce(hram);
 sc_muladd(out_sig + 32, hram, az, nonce);
+ OPENSSL_cleanse(&hash_ctx, sizeof(hash_ctx));
+ OPENSSL_cleanse(nonce, sizeof(nonce));
+ OPENSSL_cleanse(az, sizeof(az));
+
 return 1;
 }
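Review bot: The replacement of the one-shot SHA512() with SHA512_Init/Update/Final on the local hash_ctx carries no comment saying why, so a later cleanup could fold it back into SHA512() and silently lose the ability to cleanse the context that held the expanded private key. I would add above the SHA512_Init call: `/* Hash into a local context so it can be cleansed before returning. */`. The three return values are left unchecked, which as far as the hunk shows matches how the rest of the function calls the SHA512 API, so I would not change that here. ED25519_sign begins before this hunk.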
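Review bot: The three OPENSSL_cleanse calls added before `return 1;` do not record which locals were judged secret and which were deliberately left out, so a reader cannot tell whether hram and R were forgotten or skipped on purpose. I would add above the first OPENSSL_cleanse: `/* az (expanded private key) and nonce are secret; R, hram and out_sig are public signature components and need not be cleansed. */` — that R and hram are public is the standard Ed25519 argument, but confirm against the code above the hunk. Note also that hash_ctx is reused across the function's hashes and is cleansed only once at the end, which is sufficient only because the visible code has no early return; any error path added later must cleanse as well. ED25519_sign begins before this hunk.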