Zeorize some secret values in SLH_DSA

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25882)

diff --git a/crypto/slh_dsa/slh_fors.c b/crypto/slh_dsa/slh_fors.c
index 7eb12b071723e71400576abb9b812e2c7e05a94b..499a5ff0676914b6104114b578101248b3de69bc 100644 (file)
--- a/crypto/slh_dsa/slh_fors.c
+++ b/crypto/slh_dsa/slh_fors.c
@@ -9,6 +9,7 @@
 
 #include <assert.h>
 #include <string.h>
+#include <openssl/crypto.h>
 #include "slh_dsa_local.h"
 
 /* k = 14, 17, 22, 33, 35 (number of trees) */
@@ -74,6 +75,7 @@ static int slh_fors_node(SLH_DSA_CTX *ctx, const uint8_t *sk_seed,
                          const uint8_t *pk_seed, SLH_ADRS adrs, uint32_t node_id,
                          uint32_t height, uint8_t *node)
 {
+    int ret = 0;
     SLH_ADRS_FUNC_DECLARE(ctx, adrsf);
     uint8_t sk[SLH_MAX_N], lnode[SLH_MAX_N], rnode[SLH_MAX_N];
     uint32_t n = ctx->params->n;
@@ -83,8 +85,9 @@ static int slh_fors_node(SLH_DSA_CTX *ctx, const uint8_t *sk_seed,
             return 0;
         adrsf->set_tree_height(adrs, 0);
         adrsf->set_tree_index(adrs, node_id);
-        if (!ctx->hash_func->F(&ctx->hash_ctx, pk_seed, adrs, sk, n, node))
-            return 0;
+        ret = ctx->hash_func->F(&ctx->hash_ctx, pk_seed, adrs, sk, n, node);
+        OPENSSL_cleanse(sk, n);
+        return ret;
     } else {
         if (!slh_fors_node(ctx, sk_seed, pk_seed, adrs, 2 * node_id, height - 1,
                            lnode)

diff --git a/crypto/slh_dsa/slh_wots.c b/crypto/slh_dsa/slh_wots.c
index 9d3912623a970140cf66dbfa9bd65a79af2cc9c8..a0b2766745c1f43213404c6d30b8a28b88a39582 100644 (file)
--- a/crypto/slh_dsa/slh_wots.c
+++ b/crypto/slh_dsa/slh_wots.c
@@ -9,6 +9,7 @@
 
 #include <assert.h>
 #include <string.h>
+#include <openssl/crypto.h>
 #include "slh_dsa_local.h"
 
 /* For the parameter sets defined there is only one w value */
@@ -128,13 +129,14 @@ int ossl_slh_wots_pk_gen(SLH_DSA_CTX *ctx,
                          const uint8_t *sk_seed, const uint8_t *pk_seed,
                          SLH_ADRS adrs, uint8_t *pk_out)
 {
+    int ret = 0;
     SLH_HASH_FUNC_DECLARE(ctx, hashf, hctx);
     SLH_ADRS_FUNC_DECLARE(ctx, adrsf);
     SLH_HASH_FN_DECLARE(hashf, PRF);
     SLH_ADRS_FN_DECLARE(adrsf, set_chain_address);
     SLH_ADRS_DECLARE(sk_adrs);
     SLH_ADRS_DECLARE(wots_pk_adrs);
-    size_t i, len;
+    size_t i, len = 0;
     size_t n = ctx->params->n;
     uint8_t tmp[SLH_WOTS_LEN_MAX * SLH_MAX_N], *ptmp = tmp;
     uint8_t sk[32];
@@ -147,11 +149,11 @@ int ossl_slh_wots_pk_gen(SLH_DSA_CTX *ctx,
     for (i = 0; i < len; ++i) {
         set_chain_address(sk_adrs, i);
         if (!PRF(hctx, pk_seed, sk_seed, sk_adrs, sk))
-            return 0;
+            goto end;
 
         set_chain_address(adrs, i);
         if (!slh_wots_chain(ctx, sk, 0, NIBBLE_MASK, pk_seed, adrs, ptmp))
-            return 0;
+            goto end;
         ptmp += n;
     }
 
@@ -159,7 +161,11 @@ int ossl_slh_wots_pk_gen(SLH_DSA_CTX *ctx,
     adrsf->copy(wots_pk_adrs, adrs);
     adrsf->set_type_and_clear(wots_pk_adrs, SLH_ADRS_TYPE_WOTS_PK);
     adrsf->copy_keypair_address(wots_pk_adrs, adrs);
-    return hashf->T(hctx, pk_seed, wots_pk_adrs, tmp, len, pk_out);
+    ret = hashf->T(hctx, pk_seed, wots_pk_adrs, tmp, len, pk_out);
+end:
+    OPENSSL_cleanse(tmp, sizeof(tmp));
+    OPENSSL_cleanse(sk, n);
+    return ret;
 }
 
 /**
@@ -182,6 +188,7 @@ int ossl_slh_wots_sign(SLH_DSA_CTX *ctx, const uint8_t *msg,
                        const uint8_t *sk_seed, const uint8_t *pk_seed,
                        SLH_ADRS adrs, uint8_t *sig, size_t sig_len)
 {
+    int ret = 0;
     SLH_HASH_FUNC_DECLARE(ctx, hashf, hctx);
     SLH_ADRS_FUNC_DECLARE(ctx, adrsf);
     SLH_HASH_FN_DECLARE(hashf, PRF);
@@ -212,16 +219,19 @@ int ossl_slh_wots_sign(SLH_DSA_CTX *ctx, const uint8_t *msg,
         set_chain_address(sk_adrs, i);
         /* compute chain i secret */
         if (!PRF(hctx, pk_seed, sk_seed, sk_adrs, sk))
-            return 0;
+            goto err;
         set_chain_address(adrs, i);
         /* compute chain i signature */
         if (!slh_wots_chain(ctx, sk, 0, msg_and_csum_nibbles[i],
                             pk_seed, adrs, psig))
-            return 0;
+            goto err;
         psig += n;
     }
     assert(sig_len == (size_t)(psig - sig));
-    return 1;
+    ret = 1;
+err:
+    OPENSSL_cleanse(sk, n);
+    return ret;
 }
 
 /**