Key zeroization fix for EVP_SealInit + added simple test

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7105)
2025-02-17 14:32:04 +08:00 · 2018-09-06 08:34:45 +10:00 · 2018-09-06 08:34:45 +10:00 · 2eb2b4f3a1
commit 2eb2b4f3a1
parent 544648a8e0
2 changed files with 58 additions and 6 deletions
--- a/crypto/evp/p_seal.c
+++ b/crypto/evp/p_seal.c
@ -21,6 +21,7 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
 {
    unsigned char key[EVP_MAX_KEY_LENGTH];
    int i;
+    int rv = 0;

    if (type) {
        EVP_CIPHER_CTX_reset(ctx);
@ -31,21 +32,27 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
        return 1;
    if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0)
        return 0;
+
    if (EVP_CIPHER_CTX_iv_length(ctx)
-        && RAND_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx)) <= 0)
-        return 0;
+            && RAND_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx)) <= 0)
+        goto err;

    if (!EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv))
-        return 0;
+        goto err;

    for (i = 0; i < npubk; i++) {
        ekl[i] =
            EVP_PKEY_encrypt_old(ek[i], key, EVP_CIPHER_CTX_key_length(ctx),
                                 pubk[i]);
-        if (ekl[i] <= 0)
-            return -1;
+        if (ekl[i] <= 0) {
+            rv = -1;
+            goto err;
+        }
    }
-    return npubk;
+    rv = npubk;
+err:
+    OPENSSL_cleanse(key, sizeof(key));
+    return rv;
 }

 int EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@ -356,6 +356,50 @@ end:
    return ret;
 }

+static int test_EVP_Enveloped(void)
+{
+    int ret = 0;
+    EVP_CIPHER_CTX *ctx = NULL;
+    EVP_PKEY *keypair = NULL;
+    unsigned char *kek = NULL;
+    unsigned char iv[EVP_MAX_IV_LENGTH];
+    static const unsigned char msg[] = { 1, 2, 3, 4, 5, 6, 7, 8 };
+    int len, kek_len, ciphertext_len, plaintext_len;
+    unsigned char ciphertext[32], plaintext[16];
+    const EVP_CIPHER *type = EVP_aes_256_cbc();
+
+    if (!TEST_ptr(keypair = load_example_rsa_key())
+            || !TEST_ptr(kek = OPENSSL_zalloc(EVP_PKEY_size(keypair)))
+            || !TEST_ptr(ctx = EVP_CIPHER_CTX_new())
+            || !TEST_true(EVP_SealInit(ctx, type, &kek, &kek_len, iv,
+                                       &keypair, 1))
+            || !TEST_true(EVP_SealUpdate(ctx, ciphertext, &ciphertext_len,
+                                         msg, sizeof(msg)))
+            || !TEST_true(EVP_SealFinal(ctx, ciphertext + ciphertext_len,
+                                        &len)))
+        goto err;
+
+    ciphertext_len += len;
+
+    if (!TEST_true(EVP_OpenInit(ctx, type, kek, kek_len, iv, keypair))
+            || !TEST_true(EVP_OpenUpdate(ctx, plaintext, &plaintext_len,
+                                         ciphertext, ciphertext_len))
+            || !TEST_true(EVP_OpenFinal(ctx, plaintext + plaintext_len, &len)))
+        goto err;
+
+    plaintext_len += len;
+    if (!TEST_mem_eq(msg, sizeof(msg), plaintext, plaintext_len))
+        goto err;
+
+    ret = 1;
+err:
+    OPENSSL_free(kek);
+    EVP_PKEY_free(keypair);
+    EVP_CIPHER_CTX_free(ctx);
+    return ret;
+}
+
+
 static int test_EVP_DigestSignInit(void)
 {
    int ret = 0;
@ -781,6 +825,7 @@ int setup_tests(void)
 {
    ADD_TEST(test_EVP_DigestSignInit);
    ADD_TEST(test_EVP_DigestVerifyInit);
+    ADD_TEST(test_EVP_Enveloped);
    ADD_ALL_TESTS(test_d2i_AutoPrivateKey, OSSL_NELEM(keydata));
 #ifndef OPENSSL_NO_EC
    ADD_TEST(test_EVP_PKCS82PKEY);