From: Bernd Edlinger Date: Sat, 29 Jul 2017 10:19:29 +0000 (+0200) Subject: Clean password buffer on stack for PEM_read_bio_PrivateKey X-Git-Tag: OpenSSL_1_0_2m~46 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=5292833132cc863b66574fe2bbf55e4b2eff7949;p=oweals%2Fopenssl.git Clean password buffer on stack for PEM_read_bio_PrivateKey and d2i_PKCS8PrivateKey_bio before it goes out of scope. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/4047) (cherry picked from commit 02fd47c8b0930dff9b188fd13bfb9da5e59444a8) --- diff --git a/crypto/pem/pem_pk8.c b/crypto/pem/pem_pk8.c index 5747c7366e..daf210fde0 100644 --- a/crypto/pem/pem_pk8.c +++ b/crypto/pem/pem_pk8.c @@ -178,6 +178,7 @@ EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, } p8inf = PKCS8_decrypt(p8, psbuf, klen); X509_SIG_free(p8); + OPENSSL_cleanse(psbuf, klen); if (!p8inf) return NULL; ret = EVP_PKCS82PKEY(p8inf); diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c index 04d6319a22..e8b3a1b92c 100644 --- a/crypto/pem/pem_pkey.c +++ b/crypto/pem/pem_pkey.c @@ -120,6 +120,7 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, } p8inf = PKCS8_decrypt(p8, psbuf, klen); X509_SIG_free(p8); + OPENSSL_cleanse(psbuf, klen); if (!p8inf) goto p8err; ret = EVP_PKCS82PKEY(p8inf);
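Review bot: In the crypto/pem/pem_pk8.c hunk, `OPENSSL_cleanse(psbuf, klen);` wipes only the `klen` bytes that the password callback reported, not the whole buffer. The declaration of `psbuf` is not visible in this hunk, but the commit message describes it as a buffer on the stack. If it is a fixed-size array in `d2i_PKCS8PrivateKey_bio`, a callback that wrote more than it returned (for example a terminating NUL or a longer first attempt) would leave those bytes behind. Consider `OPENSSL_cleanse(psbuf, sizeof(psbuf));` so the wipe does not depend on the callback's return value. Placing the call before `if (!p8inf) return NULL;` is right, since it covers the decrypt-failure path as well.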
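Review bot: In the crypto/pem/pem_pkey.c hunk, the new `OPENSSL_cleanse(psbuf, klen);` runs only on the path that reaches `PKCS8_decrypt`. The closing brace at the top of the context ends a block that is not shown here. If that block leaves `PEM_read_bio_PrivateKey` after the callback has already filled `psbuf`, the password stays on the stack on that exit. It is worth confirming that every exit after the `cb` call is covered, or cleansing there too. The same question about the length applies as in pem_pk8.c: `klen` is whatever the callback returned, so wiping the full buffer size would be the safer choice if `psbuf` is an array in this function.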