From 30dd34166845e9c6dd25a36682400e4e3a485065 Mon Sep 17 00:00:00 2001
From: inoguchi <>
Date: Sun, 16 Feb 2020 14:33:04 +0000
Subject: Avoid leak for tmp.x25519

Changed to use local variable to hold malloc address rather than directly
set to S3I(s)->tmp.x25519, and set that private_key pointer to
S3I(s)->tmp.x25519 after all the "goto err;".

Also added freezero for S3I(s)->tmp.x25519 to ssl3_free() and ssl3_clear().

ok jsing@ tb@
---
 src/lib/libssl/s3_lib.c   |  5 ++++-
 src/lib/libssl/ssl_srvr.c | 11 +++++++----
 2 files changed, 11 insertions(+), 5 deletions(-)

(limited to 'src')

diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 2832ef4a93..dfd5893a2f 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.190 2020/01/30 17:09:23 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.191 2020/02/16 14:33:04 inoguchi Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1563,6 +1563,7 @@ ssl3_free(SSL *s)
 
 	DH_free(S3I(s)->tmp.dh);
 	EC_KEY_free(S3I(s)->tmp.ecdh);
+	freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);
 
 	tls13_key_share_free(S3I(s)->hs_tls13.key_share);
 	tls13_secrets_destroy(S3I(s)->hs_tls13.secrets);
@@ -1596,6 +1597,8 @@ ssl3_clear(SSL *s)
 	EC_KEY_free(S3I(s)->tmp.ecdh);
 	S3I(s)->tmp.ecdh = NULL;
 	S3I(s)->tmp.ecdh_nid = NID_undef;
+	freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);
+	S3I(s)->tmp.x25519 = NULL;
 
 	freezero(S3I(s)->hs.sigalgs, S3I(s)->hs.sigalgs_len);
 	S3I(s)->hs.sigalgs = NULL;
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 843d2ee249..e55b6beed1 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.71 2020/01/30 16:25:09 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.72 2020/02/16 14:33:04 inoguchi Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1408,7 +1408,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)
 static int
 ssl3_send_server_kex_ecdhe_ecx(SSL *s, int nid, CBB *cbb)
 {
-	uint8_t *public_key = NULL;
+	uint8_t *public_key = NULL, *private_key = NULL;
 	int curve_id;
 	CBB ecpoint;
 	int ret = -1;
@@ -1418,11 +1418,11 @@ ssl3_send_server_kex_ecdhe_ecx(SSL *s, int nid, CBB *cbb)
 		SSLerror(s, ERR_R_INTERNAL_ERROR);
 		goto err;
 	}
-	if ((S3I(s)->tmp.x25519 = malloc(X25519_KEY_LENGTH)) == NULL)
+	if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL)
 		goto err;
 	if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL)
 		goto err;
-	X25519_keypair(public_key, S3I(s)->tmp.x25519);
+	X25519_keypair(public_key, private_key);
 
 	/* Serialize public key. */
 	if ((curve_id = tls1_ec_nid2curve_id(nid)) == 0) {
@@ -1441,10 +1441,13 @@ ssl3_send_server_kex_ecdhe_ecx(SSL *s, int nid, CBB *cbb)
 	if (!CBB_flush(cbb))
 		goto err;
 
+	S3I(s)->tmp.x25519 = private_key;
+	private_key = NULL;
 	ret = 1;
 
  err:
 	free(public_key);
+	freezero(private_key, X25519_KEY_LENGTH);
 
 	return (ret);
 }
-- 
cgit v1.2.3-55-g6feb