Clear sensitive data in ED25519_sign

Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3503)
author: Dr. Stephen Henson <steve@openssl.org> 2017-05-25 15:53:32 +0200
committer: Dr. Stephen Henson <steve@openssl.org> 2017-05-30 21:38:21 +0200
commit: 04dec1ab34df70c1588d42cc394e8fa8b5f3191c (patch)
tree: dd0836450820cef5aa57d1b217265d3d3f9cf3e4 /crypto/ec
parent: Add Ed25519 documentation (diff)
download: openssl-04dec1ab34df70c1588d42cc394e8fa8b5f3191c.tar.xz
openssl-04dec1ab34df70c1588d42cc394e8fa8b5f3191c.zip
1 files changed, 7 insertions, 1 deletions
diff --git a/crypto/ec/curve25519.c b/crypto/ec/curve25519.c
index 72580334ff..77f5494036 100644
--- a/crypto/ec/curve25519.c
+++ b/crypto/ec/curve25519.c
@@ -4599,7 +4599,9 @@ int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
   uint8_t hram[SHA512_DIGEST_LENGTH];
   SHA512_CTX hash_ctx;
 
-  SHA512(private_key, 32, az);
+  SHA512_Init(&hash_ctx);
+  SHA512_Update(&hash_ctx, private_key, 32);
+  SHA512_Final(az, &hash_ctx);
 
   az[0] &= 248;
   az[31] &= 63;
@@ -4623,6 +4625,10 @@ int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
   x25519_sc_reduce(hram);
   sc_muladd(out_sig + 32, hram, az, nonce);
 
+  OPENSSL_cleanse(&hash_ctx, sizeof(hash_ctx));
+  OPENSSL_cleanse(nonce, sizeof(nonce));
+  OPENSSL_cleanse(az, sizeof(az));
+
   return 1;
 }
author	Dr. Stephen Henson <steve@openssl.org>	2017-05-25 15:53:32 +0200
committer	Dr. Stephen Henson <steve@openssl.org>	2017-05-30 21:38:21 +0200
commit	04dec1ab34df70c1588d42cc394e8fa8b5f3191c (patch)
tree	dd0836450820cef5aa57d1b217265d3d3f9cf3e4 /crypto/ec
parent	Add Ed25519 documentation (diff)
download	openssl-04dec1ab34df70c1588d42cc394e8fa8b5f3191c.tar.xz openssl-04dec1ab34df70c1588d42cc394e8fa8b5f3191c.zip