From 1ed9fafccc37bcc78c12d20d586842ee7c7cd8a6 Mon Sep 17 00:00:00 2001
From: Shane Lontis
Date: Mon, 3 Sep 2018 11:39:50 +1000
Subject: [PATCH] RSA padding Zeroization fixes
Reviewed-by: Paul Yang
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/7090)
(cherry picked from commit 82eba370daeb6d80b01b521d9e2963451487f0cb)
---
 crypto/rsa/rsa_oaep.c | 33 +++++++++++++++++++--------------
 crypto/rsa/rsa_pss.c | 4 ++--
 2 files changed, 21 insertions(+), 16 deletions(-)
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index f3135198a3..df08a2f53e 100644
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -43,10 +43,12 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
 const unsigned char *param, int plen,
 const EVP_MD *md, const EVP_MD *mgf1md)
 {
+ int rv = 0;
 int i, emlen = tlen - 1;
 unsigned char *db, *seed;
- unsigned char *dbmask, seedmask[EVP_MAX_MD_SIZE];
- int mdlen;
+ unsigned char *dbmask = NULL;
+ unsigned char seedmask[EVP_MAX_MD_SIZE];
+ int mdlen, dbmask_len = 0;
 if (md == NULL)
 md = EVP_sha1();
@@ -72,40 +74,41 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
 db = to + mdlen + 1;
 if (!EVP_Digest((void *)param, plen, db, NULL, md, NULL))
- return 0;
+ goto err;
 memset(db + mdlen, 0, emlen - flen - 2 * mdlen - 1);
 db[emlen - flen - mdlen - 1] = 0x01;
 memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen);
 if (RAND_bytes(seed, mdlen) <= 0)
- return 0;
+ goto err;
+
 #ifdef PKCS_TESTVECT
 memcpy(seed, "\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f", 20);
 #endif
- dbmask = OPENSSL_malloc(emlen - mdlen);
+ dbmask_len = emlen - mdlen;
+ dbmask = OPENSSL_malloc(dbmask_len);
 if (dbmask == NULL) {
 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE);
- return 0;
+ goto err;
 }
- if (PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md) < 0)
+ if (PKCS1_MGF1(dbmask, dbmask_len, seed, mdlen, mgf1md) < 0)
 goto err;
- for (i = 0; i < emlen - mdlen; i++)
+ for (i = 0; i < dbmask_len; i++)
 db[i] ^= dbmask[i];
- if (PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md) < 0)
+ if (PKCS1_MGF1(seedmask, mdlen, db, dbmask_len, mgf1md) < 0)
 goto err;
 for (i = 0; i < mdlen; i++)
 seed[i] ^= seedmask[i];
-
- OPENSSL_free(dbmask);
- return 1;
+ rv = 1;
 err:
- OPENSSL_free(dbmask);
- return 0;
+ OPENSSL_cleanse(seedmask, sizeof(seedmask));
+ OPENSSL_clear_free(dbmask, dbmask_len);
+ return rv;
 }
 int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
@@ -247,6 +250,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, RSA_R_OAEP_DECODING_ERROR);
 cleanup:
+ OPENSSL_cleanse(seed, sizeof(seed));
 OPENSSL_clear_free(db, dblen);
 OPENSSL_clear_free(em, num);
 return mlen;
@@ -289,6 +293,7 @@ int PKCS1_MGF1(unsigned char *mask, long len,
 }
 rv = 0;
 err:
+ OPENSSL_cleanse(md, sizeof(md));
 EVP_MD_CTX_free(c);
 return rv;
 }
diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
index f8143387c8..4a1e599ed5 100644
--- a/crypto/rsa/rsa_pss.c
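Review bot: The cleanup after `err:` scrubs `seedmask` and `dbmask` but not the caller's `to` buffer that `db` points into (`db = to + mdlen + 1;` is visible at the top of the hunk), so on the `goto err` paths reached after `memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen);` — the RAND_bytes failure, the OPENSSL_malloc failure and the two PKCS1_MGF1 failures — the function returns 0 with the plaintext `from` and a partially masked data block still sitting in `to`. If the intent of the commit is that no intermediate survives a failed encode, the cheapest fix is `if (rv == 0) OPENSSL_cleanse(to, tlen);` immediately before `return rv;`, on the assumption that the length checks earlier in the function already bound every write to `tlen` bytes. The opening of RSA_padding_add_PKCS1_OAEP_mgf1, where `seed` is presumably also set to point into `to`, is outside this hunk.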
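Review bot: `OPENSSL_cleanse(seed, sizeof(seed));` after `cleanup:` scrubs the whole buffer only if `seed` is a fixed-size array local to RSA_padding_check_PKCS1_OAEP_mgf1; its declaration is outside this hunk, and should it ever become a pointer the call would silently cleanse just `sizeof(unsigned char *)` bytes with no compiler warning. The same dependency exists for `OPENSSL_cleanse(md, sizeof(md));` in the PKCS1_MGF1 hunk below, whereas the `seedmask` cleansed in RSA_padding_add_PKCS1_OAEP_mgf1 is visibly declared as `seedmask[EVP_MAX_MD_SIZE]` in the first hunk. A short comment at each of the two calls, e.g. `/* seed is a fixed-size local array, so sizeof() is its full length */`, records the assumption for later edits. Both enclosing functions begin outside their hunks.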
+++ b/crypto/rsa/rsa_pss.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -242,7 +242,7 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
 err:
 EVP_MD_CTX_free(ctx);
- OPENSSL_free(salt);
+ OPENSSL_clear_free(salt, sLen);
 return ret;
--
2.25.1
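Review bot: `OPENSSL_clear_free(salt, sLen);` is correct only if `sLen` holds the allocated salt length whenever `salt` is non-NULL, and nothing in the hunk shows that: `sLen` is this function's salt-length parameter, which callers may pass as a negative selector such as RSA_PSS_SALTLEN_DIGEST, and the code that resolves it and allocates `salt` is outside the hunk. Provided `salt` stays NULL until `sLen` has been resolved to the positive allocation size — OPENSSL_clear_free returns early on a NULL pointer, so a negative `sLen` on those paths is harmless — the call is sound, but the coupling deserves a comment, e.g. `/* once salt != NULL, sLen is its allocated length; clear_free(NULL, n) is a no-op */`. A more robust alternative is to keep the allocated size in a dedicated variable set beside the OPENSSL_malloc and pass that here. RSA_padding_add_PKCS1_PSS_mgf1 starts outside this hunk.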