From: slontis Date: Thu, 7 Nov 2024 10:01:27 +0000 (+1100) Subject: Zeorize some secret values in SLH_DSA X-Git-Tag: openssl-3.5.0-alpha1~192 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ce3acbd07e4c3ea83ca7fb3629e8a0de3c8d7d8a;p=thirdparty%2Fopenssl.git Zeorize some secret values in SLH_DSA Reviewed-by: Paul Dale Reviewed-by: Viktor Dukhovni Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/25882) --- diff --git a/crypto/slh_dsa/slh_fors.c b/crypto/slh_dsa/slh_fors.c index 7eb12b07172..499a5ff0676 100644 --- a/crypto/slh_dsa/slh_fors.c +++ b/crypto/slh_dsa/slh_fors.c @@ -9,6 +9,7 @@ #include #include +#include #include "slh_dsa_local.h" /* k = 14, 17, 22, 33, 35 (number of trees) */ @@ -74,6 +75,7 @@ static int slh_fors_node(SLH_DSA_CTX *ctx, const uint8_t *sk_seed, const uint8_t *pk_seed, SLH_ADRS adrs, uint32_t node_id, uint32_t height, uint8_t *node) { + int ret = 0; SLH_ADRS_FUNC_DECLARE(ctx, adrsf); uint8_t sk[SLH_MAX_N], lnode[SLH_MAX_N], rnode[SLH_MAX_N]; uint32_t n = ctx->params->n; @@ -83,8 +85,9 @@ static int slh_fors_node(SLH_DSA_CTX *ctx, const uint8_t *sk_seed, return 0; adrsf->set_tree_height(adrs, 0); adrsf->set_tree_index(adrs, node_id); - if (!ctx->hash_func->F(&ctx->hash_ctx, pk_seed, adrs, sk, n, node)) - return 0; + ret = ctx->hash_func->F(&ctx->hash_ctx, pk_seed, adrs, sk, n, node); + OPENSSL_cleanse(sk, n); + return ret; } else { if (!slh_fors_node(ctx, sk_seed, pk_seed, adrs, 2 * node_id, height - 1, lnode) diff --git a/crypto/slh_dsa/slh_wots.c b/crypto/slh_dsa/slh_wots.c index 9d3912623a9..a0b2766745c 100644 --- a/crypto/slh_dsa/slh_wots.c +++ b/crypto/slh_dsa/slh_wots.c @@ -9,6 +9,7 @@ #include #include +#include #include "slh_dsa_local.h" /* For the parameter sets defined there is only one w value */ 
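Review bot: In `slh_fors_node` (crypto/slh_dsa/slh_fors.c), the leaf branch still has an early `return 0;` just above `adrsf->set_tree_height(adrs, 0);` that exits without wiping `sk`; only the path through `F` reaches the new `OPENSSL_cleanse(sk, n);`. That return is presumably the failure path of the call that fills `sk` (the call is above the hunk), so a partially written secret could remain on the stack when it fails. Wiping there too, with `OPENSSL_cleanse(sk, sizeof(sk));` before that `return 0;` and braces on the `if`, would match the `goto end` handling this commit gives `ossl_slh_wots_pk_gen`. The function body starts and ends outside the hunk.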
@@ -128,13 +129,14 @@ int ossl_slh_wots_pk_gen(SLH_DSA_CTX *ctx, const uint8_t *sk_seed, const uint8_t *pk_seed, SLH_ADRS adrs, uint8_t *pk_out) { + int ret = 0; SLH_HASH_FUNC_DECLARE(ctx, hashf, hctx); SLH_ADRS_FUNC_DECLARE(ctx, adrsf); SLH_HASH_FN_DECLARE(hashf, PRF); SLH_ADRS_FN_DECLARE(adrsf, set_chain_address); SLH_ADRS_DECLARE(sk_adrs); SLH_ADRS_DECLARE(wots_pk_adrs); - size_t i, len; + size_t i, len = 0; size_t n = ctx->params->n; uint8_t tmp[SLH_WOTS_LEN_MAX * SLH_MAX_N], *ptmp = tmp; uint8_t sk[32]; @@ -147,11 +149,11 @@ int ossl_slh_wots_pk_gen(SLH_DSA_CTX *ctx, for (i = 0; i < len; ++i) { set_chain_address(sk_adrs, i); if (!PRF(hctx, pk_seed, sk_seed, sk_adrs, sk)) - return 0; + goto end; set_chain_address(adrs, i); if (!slh_wots_chain(ctx, sk, 0, NIBBLE_MASK, pk_seed, adrs, ptmp)) - return 0; + goto end; ptmp += n; } @@ -159,7 +161,11 @@ int ossl_slh_wots_pk_gen(SLH_DSA_CTX *ctx, adrsf->copy(wots_pk_adrs, adrs); adrsf->set_type_and_clear(wots_pk_adrs, SLH_ADRS_TYPE_WOTS_PK); adrsf->copy_keypair_address(wots_pk_adrs, adrs); - return hashf->T(hctx, pk_seed, wots_pk_adrs, tmp, len, pk_out); + ret = hashf->T(hctx, pk_seed, wots_pk_adrs, tmp, len, pk_out); +end: + OPENSSL_cleanse(tmp, sizeof(tmp)); + OPENSSL_cleanse(sk, n); + return ret; } /** @@ -182,6 +188,7 @@ int ossl_slh_wots_sign(SLH_DSA_CTX *ctx, const uint8_t *msg, const uint8_t *sk_seed, const uint8_t *pk_seed, SLH_ADRS adrs, uint8_t *sig, size_t sig_len) { + int ret = 0; SLH_HASH_FUNC_DECLARE(ctx, hashf, hctx); SLH_ADRS_FUNC_DECLARE(ctx, adrsf); SLH_HASH_FN_DECLARE(hashf, PRF); 
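Review bot: The cleanup in `ossl_slh_wots_pk_gen` wipes `tmp` with `sizeof(tmp)` but wipes `sk` with the runtime value `n`, although `sk` is declared as `uint8_t sk[32]`. The wipe length is therefore tied to `ctx->params->n` rather than to the buffer. `OPENSSL_cleanse(sk, sizeof(sk));` clears the whole array however many bytes were written and cannot run past the buffer whatever `n` is. The same `OPENSSL_cleanse(sk, n);` form appears in `slh_fors_node`, where `sk` is `uint8_t sk[SLH_MAX_N]`, and in `ossl_slh_wots_sign`, where the declaration of `sk` is outside the visible hunks and should be confirmed.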
@@ -212,16 +219,19 @@ int ossl_slh_wots_sign(SLH_DSA_CTX *ctx, const uint8_t *msg, set_chain_address(sk_adrs, i); /* compute chain i secret */ if (!PRF(hctx, pk_seed, sk_seed, sk_adrs, sk)) - return 0; + goto err; set_chain_address(adrs, i); /* compute chain i signature */ if (!slh_wots_chain(ctx, sk, 0, msg_and_csum_nibbles[i], pk_seed, adrs, psig)) - return 0; + goto err; psig += n; } assert(sig_len == (size_t)(psig - sig)); - return 1; + ret = 1; +err: + OPENSSL_cleanse(sk, n); + return ret; } /**
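Review bot: The label `err:` in `ossl_slh_wots_sign` is also reached on success, by fall-through after `ret = 1;`, while the equivalent label this commit adds to `ossl_slh_wots_pk_gen` is named `end:`. Using one name in both functions, or adding a short comment such as `/* reached on success and failure: wipe the chain secret */` above the label, would make it clear that the cleanse is meant to run on every exit. The function starts outside the hunk.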