From 82eba370daeb6d80b01b521d9e2963451487f0cb Mon Sep 17 00:00:00 2001 From: Shane Lontis Date: Mon, 3 Sep 2018 11:39:50 +1000 Subject: [PATCH] RSA padding Zeroization fixes Reviewed-by: Paul Yang Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7090) --- crypto/rsa/rsa_oaep.c | 34 +++++++++++++++++++--------------- crypto/rsa/rsa_pss.c | 4 ++-- 2 files changed, 21 insertions(+), 17 deletions(-) diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c index dfea063454..f13c6fc9e5 100644 --- a/crypto/rsa/rsa_oaep.c +++ b/crypto/rsa/rsa_oaep.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -43,10 +43,12 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, const unsigned char *param, int plen, const EVP_MD *md, const EVP_MD *mgf1md) { + int rv = 0; int i, emlen = tlen - 1; unsigned char *db, *seed; - unsigned char *dbmask, seedmask[EVP_MAX_MD_SIZE]; - int mdlen; + unsigned char *dbmask = NULL; + unsigned char seedmask[EVP_MAX_MD_SIZE]; + int mdlen, dbmask_len = 0; if (md == NULL) md = EVP_sha1(); @@ -72,35 +74,35 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, db = to + mdlen + 1; if (!EVP_Digest((void *)param, plen, db, NULL, md, NULL)) - return 0; + goto err; memset(db + mdlen, 0, emlen - flen - 2 * mdlen - 1); db[emlen - flen - mdlen - 1] = 0x01; memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen); if (RAND_bytes(seed, mdlen) <= 0) - return 0; + goto err; - dbmask = OPENSSL_malloc(emlen - mdlen); + dbmask_len = emlen - mdlen; + dbmask = OPENSSL_malloc(dbmask_len); if (dbmask == NULL) { RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE); - return 0; + goto err; } - if (PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md) < 0) + if (PKCS1_MGF1(dbmask, dbmask_len, seed, mdlen, mgf1md) < 0) goto err; - for (i = 0; i < emlen - mdlen; i++) + for (i = 0; i < dbmask_len; i++) db[i] ^= dbmask[i]; - if (PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md) < 0) + if (PKCS1_MGF1(seedmask, mdlen, db, dbmask_len, mgf1md) < 0) goto err; for (i = 0; i < mdlen; i++) seed[i] ^= seedmask[i]; - - OPENSSL_free(dbmask); - return 1; + rv = 1; err: - OPENSSL_free(dbmask); - return 0; + OPENSSL_cleanse(seedmask, sizeof(seedmask)); + OPENSSL_clear_free(dbmask, dbmask_len); + return rv; } int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, @@ -242,6 +244,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, RSA_R_OAEP_DECODING_ERROR); cleanup: + OPENSSL_cleanse(seed, sizeof(seed)); OPENSSL_clear_free(db, dblen); OPENSSL_clear_free(em, num); return mlen; @@ -284,6 +287,7 @@ int PKCS1_MGF1(unsigned char *mask, long len, } rv = 0; err: + OPENSSL_cleanse(md, sizeof(md)); EVP_MD_CTX_free(c); return rv; } diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c index 4484ff28a3..26d5f36f1f 100644 --- a/crypto/rsa/rsa_pss.c +++ b/crypto/rsa/rsa_pss.c @@ -1,5 +1,5 @@ /* - * Copyright 2005-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -244,7 +244,7 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, err: EVP_MD_CTX_free(ctx); - OPENSSL_free(salt); + OPENSSL_clear_free(salt, sLen); return ret; -- 2.25.1