Clear sensitive data in ED25519_sign
authorDr. Stephen Henson <steve@openssl.org>
Thu, 25 May 2017 13:53:32 +0000 (14:53 +0100)
committerDr. Stephen Henson <steve@openssl.org>
Tue, 30 May 2017 19:38:21 +0000 (20:38 +0100)
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3503)

crypto/ec/curve25519.c

index 7258033..77f5494 100644 (file)
@@ -4599,7 +4599,9 @@ int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
   uint8_t hram[SHA512_DIGEST_LENGTH];
   SHA512_CTX hash_ctx;
 
-  SHA512(private_key, 32, az);
+  SHA512_Init(&hash_ctx);
+  SHA512_Update(&hash_ctx, private_key, 32);
+  SHA512_Final(az, &hash_ctx);
 
   az[0] &= 248;
   az[31] &= 63;
@@ -4623,6 +4625,10 @@ int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
   x25519_sc_reduce(hram);
   sc_muladd(out_sig + 32, hram, az, nonce);
 
+  OPENSSL_cleanse(&hash_ctx, sizeof(hash_ctx));
+  OPENSSL_cleanse(nonce, sizeof(nonce));
+  OPENSSL_cleanse(az, sizeof(az));
+
   return 1;
 }