diff options
author | Neil Horman <nhorman@openssl.org> | 2024-01-01 09:25:03 -0500 |
---|---|---|
committer | Neil Horman <nhorman@openssl.org> | 2024-01-03 12:56:15 -0500 |
commit | d64242fb13d98677a8aaf38adce09f9d92ede166 (patch) | |
tree | 590a0755f7e54c9db1b4588208b7e180e8848a6b | |
parent | 2e2b1c69d60c8e2c7a0fd683e76463fb2e75d4e1 (diff) |
cleanse stack variable in blake2[b|s] finalization
If the output of a blake2[b|s] digest isn't a multipl of 8, then a stack
buffer is used to compute the final output, which is left un-zeroed
prior to return, allowing the potential leak of key data. Ensure that,
if the stack variable is used, it gets cleared prior to return.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23173)
(cherry picked from commit 8b9cf1bc2c3085b6e9493a057209ffd0bddf48a6)
-rw-r--r-- | providers/implementations/digests/blake2b_prov.c | 4 | ||||
-rw-r--r-- | providers/implementations/digests/blake2s_prov.c | 4 |
2 files changed, 6 insertions, 2 deletions
diff --git a/providers/implementations/digests/blake2b_prov.c b/providers/implementations/digests/blake2b_prov.c index 11271e1b59..c7bfbab1f6 100644 --- a/providers/implementations/digests/blake2b_prov.c +++ b/providers/implementations/digests/blake2b_prov.c @@ -323,8 +323,10 @@ int ossl_blake2b_final(unsigned char *md, BLAKE2B_CTX *c) for (i = 0; i < iter; ++i) store64(target + sizeof(c->h[i]) * i, c->h[i]); - if (target != md) + if (target != md) { memcpy(md, target, c->outlen); + OPENSSL_cleanse(target, sizeof(outbuffer)); + } OPENSSL_cleanse(c, sizeof(BLAKE2B_CTX)); return 1; diff --git a/providers/implementations/digests/blake2s_prov.c b/providers/implementations/digests/blake2s_prov.c index a9a8f9d048..e43f78aaa7 100644 --- a/providers/implementations/digests/blake2s_prov.c +++ b/providers/implementations/digests/blake2s_prov.c @@ -314,8 +314,10 @@ int ossl_blake2s_final(unsigned char *md, BLAKE2S_CTX *c) for (i = 0; i < iter; ++i) store32(target + sizeof(c->h[i]) * i, c->h[i]); - if (target != md) + if (target != md) { memcpy(md, target, c->outlen); + OPENSSL_cleanse(target, sizeof(outbuffer)); + } OPENSSL_cleanse(c, sizeof(BLAKE2S_CTX)); return 1; |