From 1f83edda7b13b371b16de2ebff6455c8bc6dbbcd Mon Sep 17 00:00:00 2001
From: EasySec
Date: Mon, 16 Oct 2017 15:05:10 -0400
Subject: [PATCH] Cleaning secret data after use

Reviewed-by: Paul Dale
Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/4509)
---
 apps/enc.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/apps/enc.c b/apps/enc.c
index 5117a4980e..14b029b33f 100644
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -476,9 +476,13 @@ int enc_main(int argc, char **argv)
 BIO_printf(bio_err, "iv undefined\n");
 goto end;
 }
- if ((hkey != NULL) && !set_hex(hkey, key, EVP_CIPHER_key_length(cipher))) {
- BIO_printf(bio_err, "invalid hex key value\n");
- goto end;
+ if (hkey != NULL) {
+ if (!set_hex(hkey, key, EVP_CIPHER_key_length(cipher))) {
+ BIO_printf(bio_err, "invalid hex key value\n");
+ goto end;
+ }
+ /* wiping secret data as we no longer need it */
+ OPENSSL_cleanse(hkey, strlen(hkey));
 }
 
 if ((benc = BIO_new(BIO_f_cipher())) == NULL)
-- 
2.25.1
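Review bot: The added `OPENSSL_cleanse(hkey, strlen(hkey));` is reached only when `set_hex` succeeds; on the `invalid hex key value` branch the code jumps to `end` with the hex key string still intact, and a rejected key is often a real key with a typo in it. Placing the same call, `OPENSSL_cleanse(hkey, strlen(hkey));`, immediately before that `goto end;` would wipe the string on both paths. `enc_main` begins and ends outside this hunk, so it is not visible here whether the `end:` cleanup already clears `hkey` or the decoded `key` buffer; if it does not, `key` presumably needs the same treatment once it is no longer used. It would also help to extend the comment to say where `hkey` points (it looks like a command-line argument, to be confirmed against the option parsing), since the wipe then modifies that caller-visible string in place.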