summary |
shortlog |
log |
commit | commitdiff |
tree
raw |
patch |
inline | side by side (from parent 1:
7671342)
We now have a version of PEM_read_bytes that can use temporary
buffers allocated from the secure heap; use them to handle this
sensitive information.
Note that for PEM_read_PrivateKey, the i/o still goes through
stdio since the input is a FILE pointer. Standard I/O performs
additional buffering, which cannot be changed to use the OpenSSL
secure heap for temporary storage. As such, it is recommended
to use BIO_new_file() and PEM_read_bio_PrivateKey() instead.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1700)
int slen;
EVP_PKEY *ret = NULL;
int slen;
EVP_PKEY *ret = NULL;
- if (!PEM_bytes_read_bio(&data, &len, &nm, PEM_STRING_EVP_PKEY, bp, cb, u))
+ if (!PEM_bytes_read_bio_secmem(&data, &len, &nm, PEM_STRING_EVP_PKEY, bp,
+ cb, u))
if (ret == NULL)
PEMerr(PEM_F_PEM_READ_BIO_PRIVATEKEY, ERR_R_ASN1_LIB);
err:
if (ret == NULL)
PEMerr(PEM_F_PEM_READ_BIO_PRIVATEKEY, ERR_R_ASN1_LIB);
err:
- OPENSSL_free(nm);
- OPENSSL_clear_free(data, len);
+ OPENSSL_secure_free(nm);
+ OPENSSL_secure_free(data);