From 3df16cc2e27f75eac2c0991248b0c294e2c847b5 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Tue, 28 Jul 2015 16:13:29 +0100
Subject: [PATCH] cleanse psk_identity on error

Reviewed-by: Matt Caswell
---
 ssl/s3_clnt.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index d5bcf54280..080dbf0f18 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2391,8 +2391,10 @@ int ssl3_send_client_key_exchange(SSL *s)
 s->s3->tmp.psk = BUF_memdup(psk, psklen);
 OPENSSL_cleanse(psk, psklen);
- if (s->s3->tmp.psk == NULL)
+ if (s->s3->tmp.psk == NULL) {
+ OPENSSL_cleanse(identity, sizeof(identity));
 goto memerr;
+ }
 s->s3->tmp.psklen = psklen;
@@ -2404,8 +2406,10 @@ int ssl3_send_client_key_exchange(SSL *s)
 }
 OPENSSL_free(s->session->psk_identity);
 s->session->psk_identity = BUF_strdup(identity);
- if (s->session->psk_identity == NULL)
+ if (s->session->psk_identity == NULL) {
+ OPENSSL_cleanse(identity, sizeof(identity));
 goto memerr;
+ }
 s2n(identitylen, p);
 memcpy(p, identity, identitylen);
-- 
2.34.1
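Review bot: The wipe of `identity` is now hand-copied in front of both `goto memerr` sites (after the `BUF_memdup` failure in the first hunk and after the `BUF_strdup` failure in the second), so the stack copy of the PSK identity stays cleared only as long as every exit added later repeats the call. The function body starts and ends outside these hunks, so it is not visible whether the other exits of this block (for example the branch that closes with `}` at the top of the second hunk) already clear the buffer; if the block has a common cleanup point, routing the allocation failures through it with the error reason recorded first would leave a single `OPENSSL_cleanse(identity, sizeof(identity));`. Failing that, a comment on each added call such as `/* identity is a stack copy of the PSK identity; wipe it on every exit */` would tell the next editor why the braces were introduced. Separately, the context line `OPENSSL_cleanse(psk, psklen);` clears only the bytes reported as used while the new calls clear the whole buffer; if `psk` is a fixed-size array (its declaration is outside the hunk), `OPENSSL_cleanse(psk, sizeof(psk));` would be consistent with them.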