Recommended change to the previous diff in aes_wrap_cleanup, since cipher data and the context are cleaned up by the caller (avoids a double free):
if (wctx) { EVP_CIPHER_CTX_cleanup(&wctx->aes_ctx); - OPENSSL_cleanse(c->cipher_data, c->cipher->ctx_size); - OPENSSL_free(c->cipher_data); } - memset(c, 0, sizeof(EVP_CIPHER_CTX));

On 10/01/2016 04:02 AM, The default queue via RT wrote:
>
> Greetings,
>
> This message has been automatically generated in response to the
> creation of a trouble ticket regarding:
> "Change EVP_aes_xxx_wrap to use FIPS crypto module in FIPS mode",
> a summary of which appears below.
>
> There is no need to reply to this message right now. Your ticket has been
> assigned an ID of [openssl.org #4692].
>
> Please include the string:
>
> [openssl.org #4692]
>
> in the subject line of all future correspondence about this issue. To do so,
> you may reply to this message.
>
> Thank you,
> r...@openssl.org
>
> -------------------------------------------------------------------------
> The FIPS certified 2.0.x crypto module does not incorporate the key wrap
> modes within the module boundary, and calls the local
> AES_{encrypt,decrypt} functions (which is, strictly speaking, a no-no).
> So, it's not using FIPS validated crypto. This patch provides a
> modification to use the appropriate underlying FIPS EVP_aes_..._ecb APIs
> which use the FIPS module to do the actual block-at-a-time
> encryption/decryption.
>
> Kent
>
>
> -------------------------------------------------------------------------
> http://rt.openssl.org/Ticket/Display.html?id=4692&user=guest&pass=guest
>

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4693
Please log in as guest with password guest if prompted
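
Review bot: In the aes_wrap_cleanup hunk at the top of this message, dropping the OPENSSL_cleanse and OPENSSL_free of c->cipher_data and the trailing memset means the function no longer wipes the wrap context itself, so zeroization of the key material now rests entirely on the caller the message refers to. Please add a short comment inside the if (wctx) block stating that the caller cleanses and frees c->cipher_data and clears c, so that a later change does not reintroduce the double free or call this function on its own expecting a full wipe. It is also worth confirming that the caller cleanses c->cipher->ctx_size bytes before freeing, since the removed OPENSSL_cleanse line was the only place in this function that did so.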