From e670db0183079b5f6325ce2abd9d785e0f966890 Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Mon, 31 Jul 2017 20:52:43 +0200 Subject: [PATCH] Fix an information leak in the RSA padding check code. The memory blocks contain secret data and must be cleared before returning to the system heap. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/4062) --- crypto/rsa/rsa_oaep.c | 6 +++--- crypto/rsa/rsa_pk1.c | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c index d583d236ee..d4de71dfde 100644 --- a/crypto/rsa/rsa_oaep.c +++ b/crypto/rsa/rsa_oaep.c @@ -117,7 +117,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, int plen, const EVP_MD *md, const EVP_MD *mgf1md) { - int i, dblen, mlen = -1, one_index = 0, msg_index; + int i, dblen = 0, mlen = -1, one_index = 0, msg_index; unsigned int good, found_one_byte; const unsigned char *maskedseed, *maskeddb; /* @@ -234,8 +234,8 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, RSA_R_OAEP_DECODING_ERROR); cleanup: - OPENSSL_free(db); - OPENSSL_free(em); + OPENSSL_clear_free(db, dblen); + OPENSSL_clear_free(em, num); return mlen; } diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c index 5bc91c46d5..aeeb32c2dc 100644 --- a/crypto/rsa/rsa_pk1.c +++ b/crypto/rsa/rsa_pk1.c @@ -235,7 +235,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, memcpy(to, em + msg_index, mlen); err: - OPENSSL_free(em); + OPENSSL_clear_free(em, num); if (mlen == -1) RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, RSA_R_PKCS_DECODING_ERROR); -- 2.34.1