[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

Thu Jun 4 12:00:10 UTC 2015

The branch OpenSSL_1_0_1-stable has been updated
       via  c22ed559bbb6e75d03ce4e8cb3655988fc123d4f (commit)
       via  4b6f33a5c284168ef3aa49d1a37cbcc6565bc0e5 (commit)
      from  c36d3840ff45a290ea7fe6fbaf1520fe3124b3cd (commit)


- Log -----------------------------------------------------------------
commit c22ed559bbb6e75d03ce4e8cb3655988fc123d4f
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Jun 4 11:18:55 2015 +0100

    Remove misleading comment
    
    Remove a comment that suggested further clean up was required.
    DH_free() performs the necessary cleanup.
    
    With thanks to the Open Crypto Audit Project for reporting this issue.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (cherry picked from commit f3d889523ee84f1e87e4da0d59e2702a4bee7907)

commit 4b6f33a5c284168ef3aa49d1a37cbcc6565bc0e5
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Jun 4 11:16:16 2015 +0100

    Clean premaster_secret for GOST
    
    Ensure OPENSSL_cleanse() is called on the premaster secret value calculated for GOST.
    
    With thanks to the Open Crypto Audit Project for reporting this issue.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (cherry picked from commit b7ee4815f2452c854cc859e8dda88f2673cdddea)
    
    Conflicts:
    	ssl/s3_srvr.c

-----------------------------------------------------------------------

Summary of changes:
 ssl/s3_clnt.c | 2 --
 ssl/s3_srvr.c | 1 +
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index eb7b94e..f435899 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2595,8 +2595,6 @@ int ssl3_send_client_key_exchange(SSL *s)
             n += 2;
 
             DH_free(dh_clnt);
-
-            /* perhaps clean things up a bit EAY EAY EAY EAY */
         }
 #endif
 
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index d07f768..9aa3292 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2914,6 +2914,7 @@ int ssl3_get_client_key_exchange(SSL *s)
                                                         s->
                                                         session->master_key,
                                                         premaster_secret, 32);
+        OPENSSL_cleanse(premaster_secret, sizeof(premaster_secret));
         /* Check if pubkey from client certificate was used */
         if (EVP_PKEY_CTX_ctrl
             (pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
