From 683f03e4881ffd19b8671f290387cd4e68fad457 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Mon, 9 Mar 2015 13:59:58 +0000
Subject: [PATCH] Cleanse buffers

Cleanse various intermediate buffers used by the PRF (backported version
from master).

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 35fafc4dbc0b3a717ad1b208fe2867e8c64867de)

Conflicts:
	ssl/s3_enc.c

Conflicts:
	ssl/t1_enc.c
---
 ssl/s3_enc.c | 1 +
 ssl/t1_enc.c | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 7c3a38c837..247efdc741 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -830,6 +830,7 @@ int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
         ret += n;
     }
     EVP_MD_CTX_cleanup(&ctx);
+    OPENSSL_cleanse(buf, sizeof buf);
     return (ret);
 }
 
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index acef20bdbb..c233827659 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -860,6 +860,8 @@ int tls1_final_finish_mac(SSL *s,
         err = 1;
     EVP_MD_CTX_cleanup(&ctx);
 
+    OPENSSL_cleanse(buf, (int)(q - buf));
+    OPENSSL_cleanse(buf2, sizeof(buf2));
     if (err)
         return 0;
     else
@@ -1017,6 +1019,7 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
              co, col,
              s->s3->server_random, SSL3_RANDOM_SIZE,
              so, sol, p, len, s->session->master_key, buff, sizeof buff);
+    OPENSSL_cleanse(buff, sizeof buff);
 
 #ifdef KSSL_DEBUG
     printf("tls1_generate_master_secret() complete\n");
-- 
2.25.1