el_build_keyslot() derives the QUIC IV before the success path stores
*out_iv_len. If a later step fails, the error cleanup currently uses
*out_iv_len and ends up cleansing zero bytes.

Cleanse the caller buffer using the local iv_len instead so the
derived IV is cleared on all post-derivation failure paths.

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 8 08:53:50 2026
(Merged from https://github.com/openssl/openssl/pull/31346)
EVP_CIPHER_CTX_free(cctx);
EVP_CIPHER_free(cipher);
OPENSSL_cleanse(key, sizeof(key));
- OPENSSL_cleanse(out_iv, *out_iv_len);
+ OPENSSL_cleanse(out_iv, iv_len);
return 0;
}
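Review bot: the changed line `OPENSSL_cleanse(out_iv, iv_len);` makes this error path depend on the local iv_len holding a valid value on every route into the cleanup, including failures that occur before the IV is derived. The hunk does not show where iv_len is declared or assigned, so please confirm it is initialized (for example to 0) before the first jump to this cleanup, and that it can never exceed the size of the caller's out_iv buffer. A one-line comment above the call noting that *out_iv_len is only written on the success path would help keep a later refactor from switching back to it.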