diff options
author | Shane Lontis <shane.lontis@oracle.com> | 2018-09-04 14:31:11 +1000 |
---|---|---|
committer | Pauli <paul.dale@oracle.com> | 2018-09-05 05:14:02 +1000 |
commit | 0239283d99a37e8527199a62100fec867b9996cb (patch) | |
tree | 6f6a65896c24b12b20ddd713168b99f6234279c5 /crypto/pem/pvkfmt.c | |
parent | 8f39d8af7de12d5ac8699e54cf2fd8ae2325bcf2 (diff) | |
download | openssl-0239283d99a37e8527199a62100fec867b9996cb.tar.gz |
key zeroisation for pvkfmt now done on all branch paths
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7107)
Diffstat (limited to 'crypto/pem/pvkfmt.c')
-rw-r--r-- | crypto/pem/pvkfmt.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c index 281c6cd95a..e39c243814 100644 --- a/crypto/pem/pvkfmt.c +++ b/crypto/pem/pvkfmt.c @@ -676,11 +676,11 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in, const unsigned char *p = *in; unsigned int magic; unsigned char *enctmp = NULL, *q; + unsigned char keybuf[20]; EVP_CIPHER_CTX *cctx = EVP_CIPHER_CTX_new(); if (saltlen) { char psbuf[PEM_BUFSIZE]; - unsigned char keybuf[20]; int enctmplen, inlen; if (cb) inlen = cb(psbuf, PEM_BUFSIZE, 0, u); @@ -720,7 +720,6 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in, memset(keybuf + 5, 0, 11); if (!EVP_DecryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, NULL)) goto err; - OPENSSL_cleanse(keybuf, 20); if (!EVP_DecryptUpdate(cctx, q, &enctmplen, p, inlen)) goto err; if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, &enctmplen)) @@ -730,15 +729,17 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in, PEMerr(PEM_F_DO_PVK_BODY, PEM_R_BAD_DECRYPT); goto err; } - } else - OPENSSL_cleanse(keybuf, 20); + } p = enctmp; } ret = b2i_PrivateKey(&p, keylen); err: EVP_CIPHER_CTX_free(cctx); - OPENSSL_free(enctmp); + if (enctmp != NULL) { + OPENSSL_cleanse(keybuf, sizeof(keybuf)); + OPENSSL_free(enctmp); + } return ret; } |