Zero the round keys on AES_set_{en,de}crypt_key() function entry.

This avoids leaving previous round keys around on failure, or leaving parts
of previous round keys behind if reused with a smaller key size.

ok tb@

1 files changed, 5 insertions, 1 deletions

diff --git a/src/lib/libcrypto/aes/aes.c b/src/lib/libcrypto/aes/aes.c
index f9b2cfd9dd..6ac1983968 100644
--- a/src/lib/libcrypto/aes/aes.c
+++ b/src/lib/libcrypto/aes/aes.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: aes.c,v 1.15 2025/09/08 12:46:38 jsing Exp $ */
+/* $OpenBSD: aes.c,v 1.16 2025/09/08 12:50:02 jsing Exp $ */
 /* ====================================================================
  * Copyright (c) 2002-2006 The OpenSSL Project.  All rights reserved.
  *
@@ -88,6 +88,8 @@ aes_rounds_for_key_length(int bits)
 int
 AES_set_encrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key)
 {
+        explicit_bzero(key->rd_key, sizeof(key->rd_key));
+
         if (userKey == NULL || key == NULL)
                 return -1;
         if ((key->rounds = aes_rounds_for_key_length(bits)) <= 0)
@@ -100,6 +102,8 @@ LCRYPTO_ALIAS(AES_set_encrypt_key);
 int
 AES_set_decrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key)
 {
+        explicit_bzero(key->rd_key, sizeof(key->rd_key));
+
         if (userKey == NULL || key == NULL)
                 return -1;
         if ((key->rounds = aes_rounds_for_key_length(bits)) <= 0)