Key zeroization fix for EVP_SealInit + added simple test

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7105)

diff --git a/crypto/evp/p_seal.c b/crypto/evp/p_seal.c
index 50ea60235a9c994ee8307cc456a3921fdb4f17db..0fc84f301a5ca2a6c605f3f9b8c612ec079479c0 100644 (file)
--- a/crypto/evp/p_seal.c
+++ b/crypto/evp/p_seal.c
@@ -21,6 +21,7 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
 {
     unsigned char key[EVP_MAX_KEY_LENGTH];
     int i;
+    int rv = 0;
 
     if (type) {
         EVP_CIPHER_CTX_reset(ctx);
@@ -31,21 +32,27 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
         return 1;
     if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0)
         return 0;
+
     if (EVP_CIPHER_CTX_iv_length(ctx)
-        && RAND_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx)) <= 0)
-        return 0;
+            && RAND_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx)) <= 0)
+        goto err;
 
     if (!EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv))
-        return 0;
+        goto err;
 
     for (i = 0; i < npubk; i++) {
         ekl[i] =
             EVP_PKEY_encrypt_old(ek[i], key, EVP_CIPHER_CTX_key_length(ctx),
                                  pubk[i]);
-        if (ekl[i] <= 0)
-            return -1;
+        if (ekl[i] <= 0) {
+            rv = -1;
+            goto err;
+        }
     }
-    return npubk;
+    rv = npubk;
+err:
+    OPENSSL_cleanse(key, sizeof(key));
+    return rv;
 }
 
 int EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)

diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index b7b78f5dd21cb84d90dd3c9a31f9fe53e49b9ba4..33a957f791d78c11de0ff1545bcd892b11c7a602 100644 (file)
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -356,6 +356,50 @@ end:
     return ret;
 }
 
+static int test_EVP_Enveloped(void)
+{
+    int ret = 0;
+    EVP_CIPHER_CTX *ctx = NULL;
+    EVP_PKEY *keypair = NULL;
+    unsigned char *kek = NULL;
+    unsigned char iv[EVP_MAX_IV_LENGTH];
+    static const unsigned char msg[] = { 1, 2, 3, 4, 5, 6, 7, 8 };
+    int len, kek_len, ciphertext_len, plaintext_len;
+    unsigned char ciphertext[32], plaintext[16];
+    const EVP_CIPHER *type = EVP_aes_256_cbc();
+
+    if (!TEST_ptr(keypair = load_example_rsa_key())
+            || !TEST_ptr(kek = OPENSSL_zalloc(EVP_PKEY_size(keypair)))
+            || !TEST_ptr(ctx = EVP_CIPHER_CTX_new())
+            || !TEST_true(EVP_SealInit(ctx, type, &kek, &kek_len, iv,
+                                       &keypair, 1))
+            || !TEST_true(EVP_SealUpdate(ctx, ciphertext, &ciphertext_len,
+                                         msg, sizeof(msg)))
+            || !TEST_true(EVP_SealFinal(ctx, ciphertext + ciphertext_len,
+                                        &len)))
+        goto err;
+
+    ciphertext_len += len;
+
+    if (!TEST_true(EVP_OpenInit(ctx, type, kek, kek_len, iv, keypair))
+            || !TEST_true(EVP_OpenUpdate(ctx, plaintext, &plaintext_len,
+                                         ciphertext, ciphertext_len))
+            || !TEST_true(EVP_OpenFinal(ctx, plaintext + plaintext_len, &len)))
+        goto err;
+
+    plaintext_len += len;
+    if (!TEST_mem_eq(msg, sizeof(msg), plaintext, plaintext_len))
+        goto err;
+
+    ret = 1;
+err:
+    OPENSSL_free(kek);
+    EVP_PKEY_free(keypair);
+    EVP_CIPHER_CTX_free(ctx);
+    return ret;
+}
+
+
 static int test_EVP_DigestSignInit(void)
 {
     int ret = 0;
@@ -781,6 +825,7 @@ int setup_tests(void)
 {
     ADD_TEST(test_EVP_DigestSignInit);
     ADD_TEST(test_EVP_DigestVerifyInit);
+    ADD_TEST(test_EVP_Enveloped);
     ADD_ALL_TESTS(test_d2i_AutoPrivateKey, OSSL_NELEM(keydata));
 #ifndef OPENSSL_NO_EC
     ADD_TEST(test_EVP_PKCS82PKEY);