Add OPENSSL_cleanse to zero stack secrets before return (#3227)

prasden · justsmth · web-flow · commit 3f7f9a5b8325 · 2026-05-09T00:25:16.000Z
### Issues:
Addresses: P409219367

### Description of changes: 
Several functions store sensitive key material in stack buffers but do
not zero them before returning. This pull request adds `OPENSSL_cleanse`
calls to ensure these buffers are zeroed before function exits or
returns in HPKE key derivation, ECDH shared secret computation, EC key
derivation, PEM decoding, and PBKDF2 iteration to avoid residual secrets
in memory.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

Co-authored-by: Justin W Smith &lt;103147162+justsmth@users.noreply.github.com&gt;
diff --git a/crypto/ecdh_extra/ecdh_extra.c b/crypto/ecdh_extra/ecdh_extra.c
@@ -27,18 +27,18 @@ int ECDH_compute_key(void *out, size_t out_len, const EC_POINT *pub_key,
                      const EC_KEY *priv_key,
                      void *(*kdf)(const void *in, size_t inlen, void *out,
                                   size_t *out_len)) {
-
+  int ret = -1;
   uint8_t buf[EC_MAX_BYTES];
   size_t buf_len = sizeof(buf);
 
   if (!ECDH_compute_shared_secret(buf, &buf_len, pub_key, priv_key)) {
-    return -1;
+    goto end;
   }
 
   if (kdf != NULL) {
     if (kdf(buf, buf_len, out, &out_len) == NULL) {
       OPENSSL_PUT_ERROR(ECDH, ECDH_R_KDF_FAILED);
-      return -1;
+      goto end;
     }
   } else {
     // no KDF, just copy as much as we can
@@ -50,8 +50,11 @@ int ECDH_compute_key(void *out, size_t out_len, const EC_POINT *pub_key,
 
   if (out_len > INT_MAX) {
     OPENSSL_PUT_ERROR(ECDH, ERR_R_OVERFLOW);
-    return -1;
+    goto end;
   }
 
-  return (int)out_len;
+  ret = (int)out_len;
+end:
+  OPENSSL_cleanse(buf, sizeof(buf));
+  return ret;
 }
diff --git a/crypto/fipsmodule/evp/p_ec.c b/crypto/fipsmodule/evp/p_ec.c
@@ -88,6 +88,7 @@ static int pkey_ec_verify(EVP_PKEY_CTX *ctx, const uint8_t *sig, size_t siglen,
 
 static int pkey_ec_derive(EVP_PKEY_CTX *ctx, uint8_t *key,
                           size_t *keylen) {
+  int ret = 0;
   const EC_POINT *pubkey = NULL;
   EC_KEY *eckey;
   uint8_t buf[EC_MAX_BYTES];
@@ -115,7 +116,7 @@ static int pkey_ec_derive(EVP_PKEY_CTX *ctx, uint8_t *key,
   // Note: This is an internal function which will not update
   // the service indicator.
   if (!ECDH_compute_shared_secret(buf, &buflen, pubkey, eckey)) {
-      return 0;
+      goto end;
   }
 
   if (buflen < *keylen) {
@@ -127,7 +128,11 @@ static int pkey_ec_derive(EVP_PKEY_CTX *ctx, uint8_t *key,
   // referenced from the higher level function |EVP_PKEY_derive|. |EC_KEY| is
   // is the only possible key that can do derivations.
   ECDH_verify_service_indicator(eckey);
-  return 1;
+  ret = 1;
+
+end:
+  OPENSSL_cleanse(buf, sizeof(buf));
+  return ret;
 }
 
 static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {
diff --git a/crypto/fipsmodule/pbkdf/pbkdf.c b/crypto/fipsmodule/pbkdf/pbkdf.c
@@ -7,6 +7,7 @@
 #include <string.h>
 
 #include <openssl/hmac.h>
+#include <openssl/mem.h>
 
 #include "../../internal.h"
 #include "../service_indicator/internal.h"
@@ -21,6 +22,7 @@ int PKCS5_PBKDF2_HMAC(const char *password, size_t password_len,
   uint32_t i = 1;
   HMAC_CTX hctx;
   HMAC_CTX_init(&hctx);
+  uint8_t digest_tmp[EVP_MAX_MD_SIZE];
 
   // We have to avoid the underlying SHA services updating the indicator
   // state, so we lock the state here.
@@ -43,7 +45,6 @@ int PKCS5_PBKDF2_HMAC(const char *password, size_t password_len,
     i_buf[3] = (uint8_t)(i & 0xff);
 
     // Compute U_1.
-    uint8_t digest_tmp[EVP_MAX_MD_SIZE];
     if (!HMAC_Init_ex(&hctx, NULL, 0, NULL, NULL) ||
         !HMAC_Update(&hctx, salt, salt_len) ||
         !HMAC_Update(&hctx, i_buf, 4) ||
@@ -87,6 +88,7 @@ int PKCS5_PBKDF2_HMAC(const char *password, size_t password_len,
   ret = 1;
 
 err:
+  OPENSSL_cleanse(digest_tmp, sizeof(digest_tmp));
   FIPS_service_indicator_unlock_state();
   HMAC_CTX_cleanup(&hctx);
   if (ret) {
diff --git a/crypto/hpke/hpke.c b/crypto/hpke/hpke.c
@@ -13,6 +13,7 @@
 #include <openssl/err.h>
 #include <openssl/evp_errors.h>
 #include <openssl/hkdf.h>
+#include <openssl/mem.h>
 #include <openssl/rand.h>
 #include <openssl/sha.h>
 
@@ -126,11 +127,13 @@ static int dhkem_extract_and_expand(uint16_t kem_id, const EVP_MD *hkdf_md,
   uint8_t suite_id[5] = {'K', 'E', 'M', kem_id >> 8, kem_id & 0xff};
   uint8_t prk[EVP_MAX_MD_SIZE];
   size_t prk_len;
-  return hpke_labeled_extract(hkdf_md, prk, &prk_len, NULL, 0, suite_id,
+  int ret = hpke_labeled_extract(hkdf_md, prk, &prk_len, NULL, 0, suite_id,
                               sizeof(suite_id), "eae_prk", dh, dh_len) &&
          hpke_labeled_expand(hkdf_md, out_key, out_len, prk, prk_len, suite_id,
                              sizeof(suite_id), "shared_secret", kem_context,
                              kem_context_len);
+  OPENSSL_cleanse(prk, sizeof(prk));
+  return ret;
 }
 
 static int x25519_init_key(EVP_HPKE_KEY *key, const uint8_t *priv_key,
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
@@ -722,11 +722,13 @@ int PEM_read_bio(BIO *bp, char **name, char **header, unsigned char **data,
   *header = headerB->data;
   *data = (unsigned char *)dataB->data;
   *len = bl;
+  OPENSSL_cleanse(buf, sizeof(buf));
   OPENSSL_free(nameB);
   OPENSSL_free(headerB);
   OPENSSL_free(dataB);
   return 1;
 err:
+  OPENSSL_cleanse(buf, sizeof(buf));
   BUF_MEM_free(nameB);
   BUF_MEM_free(headerB);
   BUF_MEM_free(dataB);
