From 71c94d3c6115ab853bbdc2e0e1e26da2c8aba76a Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 18 Jan 2017 11:52:50 +0000
Subject: [PATCH] Make sure we also cleanse the finished key

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
---
 ssl/statem/extensions_clnt.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 04dbea11fd..eb8cfa3b3d 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -820,6 +820,7 @@ int tls_construct_ctos_psk(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
     ret = 1;
  err:
     OPENSSL_cleanse(binderkey, sizeof(binderkey));
+    OPENSSL_cleanse(finishedkey, sizeof(finishedkey));
     EVP_PKEY_free(mackey);
     EVP_MD_CTX_free(mctx);
 
-- 
2.25.1