Clean password buffer on stack for PEM_read_bio_PrivateKey
authorBernd Edlinger <bernd.edlinger@hotmail.de>
Sat, 29 Jul 2017 10:19:29 +0000 (12:19 +0200)
committerBernd Edlinger <bernd.edlinger@hotmail.de>
Sat, 29 Jul 2017 12:55:30 +0000 (14:55 +0200)
and d2i_PKCS8PrivateKey_bio before it goes out of scope.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4047)

crypto/pem/pem_pk8.c
crypto/pem/pem_pkey.c

index 993c595..5caad9f 100644 (file)
@@ -131,6 +131,7 @@ EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
     }
     p8inf = PKCS8_decrypt(p8, psbuf, klen);
     X509_SIG_free(p8);
+    OPENSSL_cleanse(psbuf, klen);
     if (!p8inf)
         return NULL;
     ret = EVP_PKCS82PKEY(p8inf);
index 9356501..42ec933 100644 (file)
@@ -67,6 +67,7 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
         }
         p8inf = PKCS8_decrypt(p8, psbuf, klen);
         X509_SIG_free(p8);
+        OPENSSL_cleanse(psbuf, klen);
         if (!p8inf)
             goto p8err;
         ret = EVP_PKCS82PKEY(p8inf);