author | Dr. Stephen Henson <steve@openssl.org> | 2007-02-21 13:48:09 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2007-02-21 13:48:09 +0000 |
commit | 9a3a58e13b708da3285e72e8ffeeb976c2253f88 (patch) | |
tree | 3fabdbe344e604e4d4e0f1b5ba9fc2e56e7f34d1 | |
parent | 3bd95a14ca76316e64e60c8e3f97a454eeb663bd (diff) | |
download | openssl-9a3a58e13b708da3285e72e8ffeeb976c2253f88.tar.gz |
Cleanse PEM buffers before freeing them.
Submitted by: Benjamin Bennett <ben@psc.edu>
-rw-r--r-- | CHANGES | 4 | ||||
-rw-r--r-- | crypto/pem/pem_lib.c | 5 | ||||
-rw-r--r-- | crypto/pem/pem_pkey.c | 1 |
3 files changed, 9 insertions, 1 deletions
@@ -4,6 +4,10 @@ Changes between 0.9.7l and 0.9.7m [xx XXX xxxx]
+ *) Cleanse PEM buffers before freeing them since they may contain
+ sensitive data.
+ [Benjamin Bennett <ben@psc.edu>]
+ *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that a ciphersuite string such as "DEFAULT:RSA" cannot enable authentication-only ciphersuites.
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
index 0dcbab6f35..54262cc8f0 100644
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -577,6 +577,7 @@ int PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data,
 }
 EVP_EncodeFinal(&ctx,buf,&outl);
 if ((outl > 0) && (BIO_write(bp,(char *)buf,outl) != outl)) goto err;
+ OPENSSL_cleanse(buf, PEM_BUFSIZE*8);
 OPENSSL_free(buf);
 buf = NULL;
 if ( (BIO_write(bp,"-----END ",9) != 9) ||
@@ -585,8 +586,10 @@ int PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data,
 goto err;
 return(i+outl);
 err:
- if (buf)
+ if (buf) {
+ OPENSSL_cleanse(buf, PEM_BUFSIZE*8);
 OPENSSL_free(buf);
+ }
 PEMerr(PEM_F_PEM_WRITE_BIO,reason);
 return(0);
 }
diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c
index 9ecdbd5419..69300ba5e1 100644
--- a/crypto/pem/pem_pkey.c
+++ b/crypto/pem/pem_pkey.c
@@ -122,6 +122,7 @@ p8err:
 PEMerr(PEM_F_PEM_ASN1_READ_BIO,ERR_R_ASN1_LIB);
 err:
 OPENSSL_free(nm);
+ OPENSSL_cleanse(data, len);
 OPENSSL_free(data);
 return(ret);
 }
|
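Review bot: The wipe length `PEM_BUFSIZE*8` is now written out twice in PEM_write_bio, here on the success path and again inside the `err:` block of the second pem_lib.c hunk, while the allocation that actually fixes the buffer size sits outside both hunks; if that malloc size ever changes, both wipes silently become partial or overrun the buffer. A single source of truth would remove that drift, e.g. a local `const size_t buf_len = PEM_BUFSIZE*8;` used for the allocation and for both `OPENSSL_cleanse(buf, buf_len);` calls. The success path sets `buf = NULL` after freeing, so the `err:` wipe will not touch an already-freed buffer, but that also relies on `buf` being initialised to NULL before the first `goto err`, which is outside the hunk. PEM_write_bio's body starts before the first hunk and the two hunks belong to the same function.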
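Review bot: `OPENSSL_cleanse(data, len)` wipes only `len` bytes, and both `data` and `len` are produced outside this hunk (presumably by the PEM read helper that fills them); if `len` is the decoded payload length rather than the size of the allocation — base64 text is longer than the bytes it decodes to, so the buffer may well be larger — the tail of the buffer past `len` is freed unwiped, which is exactly what this commit sets out to prevent. Worth confirming against the helper and, if so, passing the allocated size instead. It is also worth confirming that `err:` is reached only after `data` and `len` have been assigned, since the hunk adds no guard and a NULL `data` with a stale `len` would make the new call write through a null pointer. The enclosing function starts outside the hunk.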