From: Neil Horman <nhorman@openssl.org>
Date: Mon, 1 Jan 2024 14:25:03 +0000 (-0500)
Subject: cleanse stack variable in blake2[b|s] finalization
X-Git-Tag: openssl-3.2.1~57
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d8bb9b7b9116e04dba8d998620738d8983ee15de;p=thirdparty%2Fopenssl.git

cleanse stack variable in blake2[b|s] finalization

If the output of a blake2[b|s] digest isn't a multipl of 8, then a stack
buffer is used to compute the final output, which is left un-zeroed
prior to return, allowing the potential leak of key data.  Ensure that,
if the stack variable is used, it gets cleared prior to return.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23173)

(cherry picked from commit 8b9cf1bc2c3085b6e9493a057209ffd0bddf48a6)
---

diff --git a/providers/implementations/digests/blake2b_prov.c b/providers/implementations/digests/blake2b_prov.c
index 1917990c446..32cae0c294e 100644
--- a/providers/implementations/digests/blake2b_prov.c
+++ b/providers/implementations/digests/blake2b_prov.c
@@ -395,8 +395,10 @@ int ossl_blake2b_final(unsigned char *md, BLAKE2B_CTX *c)
     for (i = 0; i < iter; ++i)
         store64(target + sizeof(c->h[i]) * i, c->h[i]);
 
-    if (target != md)
+    if (target != md) {
         memcpy(md, target, c->outlen);
+        OPENSSL_cleanse(target, sizeof(outbuffer));
+    }
 
     OPENSSL_cleanse(c, sizeof(BLAKE2B_CTX));
     return 1;
diff --git a/providers/implementations/digests/blake2s_prov.c b/providers/implementations/digests/blake2s_prov.c
index a9a8f9d048a..e43f78aaa73 100644
--- a/providers/implementations/digests/blake2s_prov.c
+++ b/providers/implementations/digests/blake2s_prov.c
@@ -314,8 +314,10 @@ int ossl_blake2s_final(unsigned char *md, BLAKE2S_CTX *c)
     for (i = 0; i < iter; ++i)
         store32(target + sizeof(c->h[i]) * i, c->h[i]);
 
-    if (target != md)
+    if (target != md) {
         memcpy(md, target, c->outlen);
+        OPENSSL_cleanse(target, sizeof(outbuffer));
+    }
 
     OPENSSL_cleanse(c, sizeof(BLAKE2S_CTX));
     return 1;