author | Shane Lontis <shane.lontis@oracle.com> | 2018-09-06 08:34:45 +1000 |
---|---|---|
committer | Pauli <paul.dale@oracle.com> | 2018-09-06 08:34:45 +1000 |
commit | 2eb2b4f3a12d0b8807447913a3b16f21104c701b (patch) | |
tree | 41fac347e54c9de1120b89eee0baf14a5bdd2beb /crypto | |
parent | 544648a8e07612449460ebc0e608a226fde38e67 (diff) |
Key zeroization fix for EVP_SealInit + added simple test
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7105)
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/evp/p_seal.c | 19 |
1 files changed, 13 insertions, 6 deletions
diff --git a/crypto/evp/p_seal.c b/crypto/evp/p_seal.c index 50ea60235a..0fc84f301a 100644 --- a/crypto/evp/p_seal.c +++ b/crypto/evp/p_seal.c @@ -21,6 +21,7 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, { unsigned char key[EVP_MAX_KEY_LENGTH]; int i; + int rv = 0; if (type) { EVP_CIPHER_CTX_reset(ctx); @@ -31,21 +32,27 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, return 1; if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0) return 0; + if (EVP_CIPHER_CTX_iv_length(ctx) - && RAND_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx)) <= 0) - return 0; + && RAND_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx)) <= 0) + goto err; if (!EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv)) - return 0; + goto err; for (i = 0; i < npubk; i++) { ekl[i] = EVP_PKEY_encrypt_old(ek[i], key, EVP_CIPHER_CTX_key_length(ctx), pubk[i]); - if (ekl[i] <= 0) - return -1; + if (ekl[i] <= 0) { + rv = -1; + goto err; + } } - return npubk; + rv = npubk; +err: + OPENSSL_cleanse(key, sizeof(key)); + return rv; } int EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) |
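Review bot: The `return 0;` after the `EVP_CIPHER_CTX_rand_key(ctx, key) <= 0` check in the second hunk is still a direct return, so it is the one exit that skips the new `OPENSSL_cleanse(key, sizeof(key))` after `key` has been passed to a function that writes it. Whether the buffer holds usable key bytes when rand_key fails depends on the cipher's implementation, which is not visible here. Changing that line to `goto err;` (with `rv` still 0) would make the zeroization hold on every exit without relying on that. A comment at the label, such as `/* key holds the session key: wipe it on every exit path */`, would also warn later editors against adding new direct returns below the key generation. The beginning of EVP_SealInit lies outside the hunk, so the early `return 1;` path is assumed to run before `key` is written.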