If the output of a blake2[b|s] digest isn't a multiple of 8, then a stack
buffer is used to compute the final output, which is left un-zeroed
prior to return, allowing the potential leak of key data. Ensure that,
if the stack variable is used, it gets cleared prior to return.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23173)
for (i = 0; i < iter; ++i)
store64(target + sizeof(c->h[i]) * i, c->h[i]);
- if (target != md)
+ if (target != md) {
memcpy(md, target, c->outlen);
+ OPENSSL_cleanse(target, sizeof(outbuffer));
+ }
OPENSSL_cleanse(c, sizeof(BLAKE2B_CTX));
return 1;
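Review bot: in the added OPENSSL_cleanse(target, sizeof(outbuffer)) call, the pointer and the size name different objects, so the call is only correct while target is guaranteed to alias outbuffer whenever target != md. Passing the buffer itself, OPENSSL_cleanse(outbuffer, sizeof(outbuffer)), would keep pointer and length tied to the same object and stay correct if the way target is chosen changes later.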
for (i = 0; i < iter; ++i)
store32(target + sizeof(c->h[i]) * i, c->h[i]);
- if (target != md)
+ if (target != md) {
memcpy(md, target, c->outlen);
+ OPENSSL_cleanse(target, sizeof(outbuffer));
+ }
OPENSSL_cleanse(c, sizeof(BLAKE2S_CTX));
return 1;
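Review bot: the branch at if (target != md) carries no comment saying when target points at the stack buffer, and the commit message gives the condition as an output that isn't a multiple of 8 for both variants while this path writes its words with store32. A one-line comment above the branch stating the condition under which outbuffer is used for BLAKE2s would make the reason for the cleanse clear to the next reader.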