Erase temporary buffer in EVP_PKEY_get_bn_param()
[openssl.git] / crypto / evp / p_lib.c
index 554fad927c12ac6531461a4c2c6044ee0e94c2c5..fa51304c97bea0c3aaaa163285ee22f8eb50d862 100644 (file)
@@ -2176,7 +2176,14 @@ int EVP_PKEY_get_bn_param(const EVP_PKEY *pkey, const char *key_name,
         goto err;
     ret = OSSL_PARAM_get_BN(params, bn);
 err:
-    OPENSSL_free(buf);
+    if (buf != NULL) {
+        if (OSSL_PARAM_modified(params))
+            OPENSSL_clear_free(buf, buf_sz);
+        else
+            OPENSSL_free(buf);
+    } else if (OSSL_PARAM_modified(params)) {
+        OPENSSL_cleanse(buffer, params[0].data_size);
+    }
     return ret;
 }
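Review bot: The wipe at `err:` only happens when `OSSL_PARAM_modified(params)` is true, so a key-management implementation that copies part of a private value into the buffer and then fails without updating the return size would leave those bytes un-erased, on the heap or on the stack. Whether any provider behaves that way cannot be seen from this hunk, but the cleanup does not need to trust it: `if (buf != NULL) OPENSSL_clear_free(buf, buf_sz);` followed by `else OPENSSL_cleanse(buffer, params[0].data_size);` erases whichever buffer was in use, at the cost of one bounded memset on the public-parameter path. The function body starts outside the hunk, so any earlier `return` that bypasses `err:` after the first fetch attempt should be checked for the same gap. A short comment above the cleanup, such as `/* the fetched value may be private key material: always wipe the buffer */`, would record why a plain free is not used here.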