From d8bb9b7b9116e04dba8d998620738d8983ee15de Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Mon, 1 Jan 2024 09:25:03 -0500 Subject: [PATCH] cleanse stack variable in blake2[b|s] finalization If the output of a blake2[b|s] digest isn't a multipl of 8, then a stack buffer is used to compute the final output, which is left un-zeroed prior to return, allowing the potential leak of key data. Ensure that, if the stack variable is used, it gets cleared prior to return. Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/23173) (cherry picked from commit 8b9cf1bc2c3085b6e9493a057209ffd0bddf48a6) --- providers/implementations/digests/blake2b_prov.c | 4 +++- providers/implementations/digests/blake2s_prov.c | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/providers/implementations/digests/blake2b_prov.c b/providers/implementations/digests/blake2b_prov.c index 1917990c446..32cae0c294e 100644 --- a/providers/implementations/digests/blake2b_prov.c +++ b/providers/implementations/digests/blake2b_prov.c @@ -395,8 +395,10 @@ int ossl_blake2b_final(unsigned char *md, BLAKE2B_CTX *c) for (i = 0; i < iter; ++i) store64(target + sizeof(c->h[i]) * i, c->h[i]); - if (target != md) + if (target != md) { memcpy(md, target, c->outlen); + OPENSSL_cleanse(target, sizeof(outbuffer)); + } OPENSSL_cleanse(c, sizeof(BLAKE2B_CTX)); return 1; diff --git a/providers/implementations/digests/blake2s_prov.c b/providers/implementations/digests/blake2s_prov.c index a9a8f9d048a..e43f78aaa73 100644 --- a/providers/implementations/digests/blake2s_prov.c +++ b/providers/implementations/digests/blake2s_prov.c @@ -314,8 +314,10 @@ int ossl_blake2s_final(unsigned char *md, BLAKE2S_CTX *c) for (i = 0; i < iter; ++i) store32(target + sizeof(c->h[i]) * i, c->h[i]); - if (target != md) + if (target != md) { memcpy(md, target, c->outlen); + OPENSSL_cleanse(target, sizeof(outbuffer)); + } OPENSSL_cleanse(c, sizeof(BLAKE2S_CTX)); return 1; -- 2.47.3