Zeroise the random seed used to generate the ED25519 keys

aws · Jan 18, 2023 · 3aceaa2 · 3aceaa2
1 parent ee63cde
commit 3aceaa2
Showing 1 changed file with 9 additions and 6 deletions.
diff --git a/crypto/curve25519/curve25519.c b/crypto/curve25519/curve25519.c
@@ -1874,10 +1874,13 @@ static void sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
   s[31] = s11 >> 17;
 }
 
-void ED25519_keypair(uint8_t out_public_key[32], uint8_t out_private_key[64]) {
-  uint8_t seed[32];
-  RAND_bytes(seed, 32);
+#define ED25519_SEED_LEN 32
+
+void ED25519_keypair(uint8_t out_public_key[ED25519_SEED_LEN], uint8_t out_private_key[64]) {
+  uint8_t seed[ED25519_SEED_LEN];
+  RAND_bytes(seed, ED25519_SEED_LEN);
   ED25519_keypair_from_seed(out_public_key, out_private_key, seed);
+  OPENSSL_cleanse(seed, ED25519_SEED_LEN);
 }
 
 int ED25519_sign(uint8_t out_sig[64], const uint8_t *message,
@@ -1982,9 +1985,9 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
 
 void ED25519_keypair_from_seed(uint8_t out_public_key[32],
                                uint8_t out_private_key[64],
-                               const uint8_t seed[32]) {
+                               const uint8_t seed[ED25519_SEED_LEN]) {
   uint8_t az[SHA512_DIGEST_LENGTH];
-  SHA512(seed, 32, az);
+  SHA512(seed, ED25519_SEED_LEN, az);
 
   az[0] &= 248;
   az[31] &= 127;
@@ -1994,7 +1997,7 @@ void ED25519_keypair_from_seed(uint8_t out_public_key[32],
   x25519_ge_scalarmult_base(&A, az);
   ge_p3_tobytes(out_public_key, &A);
 
-  OPENSSL_memcpy(out_private_key, seed, 32);
+  OPENSSL_memcpy(out_private_key, seed, ED25519_SEED_LEN);
   OPENSSL_memcpy(out_private_key + 32, out_public_key, 32);
 }