Commit 57ad2156 authored Jul 31, 2017 by Bernd Edlinger

Fix an information leak in the RSA padding check code.


The memory blocks contain secret data and must be
cleared before returning to the system heap.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4063)

parent 52928331

crypto/rsa/rsa_oaep.c

+6 −2

Original line number	Diff line number	Diff line
		@@ -237,10 +237,14 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
		RSA_R_OAEP_DECODING_ERROR);
		cleanup:
		if (db != NULL)
		if (db != NULL) {
		OPENSSL_cleanse(db, dblen);
		OPENSSL_free(db);
		if (em != NULL)
		}
		if (em != NULL) {
		OPENSSL_cleanse(em, num);
		OPENSSL_free(em);
		}
		return mlen;
		}

crypto/rsa/rsa_pk1.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -264,8 +264,10 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
		memcpy(to, em + msg_index, mlen);

		err:
		if (em != NULL)
		if (em != NULL) {
		OPENSSL_cleanse(em, num);
		OPENSSL_free(em);
		}
		if (mlen == -1)
		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
		RSA_R_PKCS_DECODING_ERROR);