From 0b23e36dfa750e5a98824fc469f69a27c5f25d3b Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Mon, 8 Sep 2025 12:50:02 +0000
Subject: Zero the round keys on AES_set_{en,de}crypt_key() function entry.

This avoids leaving previous round keys around on failure, or leaving parts of previous round keys behind if reused with a smaller key size.

ok tb@
---
src/lib/libcrypto/aes/aes.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'src/lib')
diff --git a/src/lib/libcrypto/aes/aes.c b/src/lib/libcrypto/aes/aes.c
index f9b2cfd9dd..6ac1983968 100644
--- a/src/lib/libcrypto/aes/aes.c
+++ b/src/lib/libcrypto/aes/aes.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: aes.c,v 1.15 2025/09/08 12:46:38 jsing Exp $ */
+/* $OpenBSD: aes.c,v 1.16 2025/09/08 12:50:02 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 2002-2006 The OpenSSL Project. All rights reserved.
 *
@@ -88,6 +88,8 @@ aes_rounds_for_key_length(int bits)
 int
 AES_set_encrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key)
 {
+ explicit_bzero(key->rd_key, sizeof(key->rd_key));
+
 if (userKey == NULL || key == NULL)
 return -1;
 if ((key->rounds = aes_rounds_for_key_length(bits)) <= 0)
@@ -100,6 +102,8 @@ LCRYPTO_ALIAS(AES_set_encrypt_key);
 int
 AES_set_decrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key)
 {
+ explicit_bzero(key->rd_key, sizeof(key->rd_key));
+
 if (userKey == NULL || key == NULL)
 return -1;
 if ((key->rounds = aes_rounds_for_key_length(bits)) <= 0)
-- cgit v1.2.3-55-g6feb
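Review bot: In the AES_set_encrypt_key() hunk the added `explicit_bzero(key->rd_key, sizeof(key->rd_key));` runs before the existing `key == NULL` test on the following line, so a NULL `key` is dereferenced instead of producing the -1 return, and a compiler is then free to treat the later test as dead code; the AES_set_decrypt_key() hunk has the same ordering. Splitting the guard keeps the commit's goal of clearing stale round keys on every failure path that has a valid key: `if (key == NULL) return -1;` first, then the `explicit_bzero(...)` call, then `if (userKey == NULL) return -1;`. Both function bodies continue past the end of their hunks, so the remaining failure paths are not visible here.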