OPENSSL_clear_free instead of OPENSSL_free #10406

Closed
ManSoSec opened this issue Nov 10, 2019 · 2 comments
Labels
good first issue Bite size change that could be a good start help wanted triaged: bug The issue/pr is/fixes a bug

@ManSoSec

It seems OPENSSL_clear_free needs to be called instead of OPENSSL_free here:

OPENSSL_free(der);

As it has been done here:

OPENSSL_clear_free(der, derlen);

@ManSoSec ManSoSec added the issue: bug report The issue was opened to report a bug label Nov 10, 2019
@romen
Member

romen commented Nov 11, 2019

In the verify path nothing is secret, so actually we should use free instead of clear_free also in the ecdsa part!

@mattcaswell
Member

mattcaswell commented Nov 11, 2019

Yes - agreed. OPENSSL_free is sufficient. Still a bug - but in ecdsa_ossl.c not sm2_sign.c

@mattcaswell mattcaswell added good first issue Bite size change that could be a good start help wanted triaged: bug The issue/pr is/fixes a bug and removed issue: bug report The issue was opened to report a bug labels Nov 11, 2019
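
An added example, not part of the thread and not OpenSSL code: it shows what the choice discussed above changes, namely whether a released buffer's bytes stay readable in memory. The static pool, all function names and the 0xA5 filler bytes are constructed for illustration; only the (ptr, len) argument order follows the OPENSSL_clear_free call quoted in the issue.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the heap: a static pool, so the bytes a released
 * buffer leaves behind can be inspected without undefined behaviour. */
static unsigned char pool[256];
static size_t pool_used;

static void *pool_alloc(size_t n) {
    if (n > sizeof(pool) - pool_used) return NULL;
    pool_used += n;
    return pool + pool_used - n;
}

/* Plain release, like free(): the contents are left where they were. */
static void pool_free(void *p) { (void)p; }

/* Wipe through a volatile pointer so the compiler cannot drop the stores
 * as dead writes to memory that is about to be released. */
static void cleanse(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Wipe, then release: the pattern a buffer holding secret data needs. */
static void pool_clear_free(void *p, size_t n) {
    if (p == NULL) return;
    cleanse(p, n);
    pool_free(p);
}

/* Fill a 32-byte buffer with marker bytes, release it with or without a
 * wipe, and count how many marker bytes are still present in the pool. */
size_t leftover_after_release(int wipe) {
    const size_t len = 32;
    size_t hits = 0;
    pool_used = 0;
    memset(pool, 0, sizeof(pool));
    unsigned char *buf = pool_alloc(len);
    if (buf == NULL) return (size_t)-1;
    memset(buf, 0xA5, len);
    if (wipe) pool_clear_free(buf, len); else pool_free(buf);
    for (size_t i = 0; i < sizeof(pool); i++) hits += (pool[i] == 0xA5);
    return hits;
}

int main(void) {
    printf("left behind: free=%zu clear_free=%zu\n", leftover_after_release(0), leftover_after_release(1));
    return 0;
}
```

The wipe only matters when the buffer's contents are secret; for data that is public anyway, the bytes left behind by a plain release disclose nothing.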
4 participants