From 374804bd0973e8af05046caecc40e6b906d1a375 Mon Sep 17 00:00:00 2001 From: Pauli Date: Wed, 5 Sep 2018 07:50:17 +1000 Subject: [PATCH] Key zeroization fix for EVP_SealInit. Manual backport from master. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7116) --- crypto/evp/p_seal.c | 21 ++++++++++++------- test/evp_extra_test.c | 48 ++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 61 insertions(+), 8 deletions(-) diff --git a/crypto/evp/p_seal.c b/crypto/evp/p_seal.c index faa246483b..6f026e7c4f 100644 --- a/crypto/evp/p_seal.c +++ b/crypto/evp/p_seal.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -21,6 +21,7 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, { unsigned char key[EVP_MAX_KEY_LENGTH]; int i; + int rv = 0; if (type) { EVP_CIPHER_CTX_reset(ctx); @@ -31,21 +32,27 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, return 1; if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0) return 0; + if (EVP_CIPHER_CTX_iv_length(ctx) - && RAND_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx)) <= 0) - return 0; + && RAND_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx)) <= 0) + goto err; if (!EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv)) - return 0; + goto err; for (i = 0; i < npubk; i++) { ekl[i] = EVP_PKEY_encrypt_old(ek[i], key, EVP_CIPHER_CTX_key_length(ctx), pubk[i]); - if (ekl[i] <= 0) - return (-1); + if (ekl[i] <= 0) { + rv = -1; + goto err; + } } - return (npubk); + rv = npubk; +err: + OPENSSL_cleanse(key, sizeof(key)); + return rv; } /*- MACRO diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index 9217f3ae51..bc02fad4f2 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -9,6 +9,7 @@ #include #include +#include #include #include #include @@ -326,6 +327,46 @@ static int test_d2i_AutoPrivateKey(const unsigned char *input, return ret; } +static int test_EVP_Enveloped(void) +{ + int ret = 0; + EVP_CIPHER_CTX *ctx = NULL; + EVP_PKEY *keypair = NULL; + unsigned char *kek = NULL; + int kek_len; + unsigned char iv[EVP_MAX_IV_LENGTH]; + static const unsigned char msg[] = { 1, 2, 3, 4, 5, 6, 7, 8 }; + int len, ciphertext_len, plaintext_len; + unsigned char ciphertext[32], plaintext[16]; + const EVP_CIPHER *type = EVP_aes_256_cbc(); + + if ((keypair = load_example_rsa_key()) == NULL + || (kek = OPENSSL_zalloc(EVP_PKEY_size(keypair))) == NULL + || (ctx = EVP_CIPHER_CTX_new()) == NULL + || !EVP_SealInit(ctx, type, &kek, &kek_len, iv, &keypair, 1) + || !EVP_SealUpdate(ctx, ciphertext, &ciphertext_len, + msg, sizeof(msg)) + || !EVP_SealFinal(ctx, ciphertext + ciphertext_len, &len)) + goto err; + + ciphertext_len += len; + if (!EVP_OpenInit(ctx, type, kek, kek_len, iv, keypair) + || !EVP_OpenUpdate(ctx, plaintext, &plaintext_len, + ciphertext, ciphertext_len) + || !EVP_OpenFinal(ctx, plaintext + plaintext_len, &len) + || (plaintext_len += len) != sizeof(msg) + || memcmp(msg, plaintext, sizeof(msg)) != 0) + goto err; + + ret = 1; + +err: + OPENSSL_free(kek); + EVP_PKEY_free(keypair); + EVP_CIPHER_CTX_free(ctx); + return ret; +} + #ifndef OPENSSL_NO_EC /* Tests loading a bad key in PKCS8 format */ static int test_EVP_PKCS82PKEY(void) @@ -386,6 +427,11 @@ int main(void) return 1; } + if (!test_EVP_Enveloped()) { + fprintf(stderr, "test_EVP_Enveloped failed\n"); + return 1; + } + #ifndef OPENSSL_NO_EC if (!test_d2i_AutoPrivateKey(kExampleECKeyDER, sizeof(kExampleECKeyDER), EVP_PKEY_EC)) { -- 2.25.1