[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

Paul I. Dale pauli at openssl.org
Tue Sep 4 19:15:45 UTC 2018 

The branch OpenSSL_1_1_0-stable has been updated
       via  b4b651b09e738e8874c59f9fd24ec52d7258e5b4 (commit)
      from  1018ba701368bdcdec7190bfcd2fb4076d0c1244 (commit)


- Log -----------------------------------------------------------------
commit b4b651b09e738e8874c59f9fd24ec52d7258e5b4
Author: Shane Lontis <shane.lontis at oracle.com>
Date:   Tue Sep 4 14:31:11 2018 +1000

    key zeroisation for pvkfmt now done on all branch paths
    
    Reviewed-by: Paul Yang <yang.yang at baishancloud.com>
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/7107)
    
    (cherry picked from commit 0239283d99a37e8527199a62100fec867b9996cb)

-----------------------------------------------------------------------

Summary of changes:
 crypto/pem/pvkfmt.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c
index 63ce925..96a82eb 100644
--- a/crypto/pem/pvkfmt.c
+++ b/crypto/pem/pvkfmt.c
@@ -675,11 +675,11 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in,
     const unsigned char *p = *in;
     unsigned int magic;
     unsigned char *enctmp = NULL, *q;
+    unsigned char keybuf[20];
 
     EVP_CIPHER_CTX *cctx = EVP_CIPHER_CTX_new();
     if (saltlen) {
         char psbuf[PEM_BUFSIZE];
-        unsigned char keybuf[20];
         int enctmplen, inlen;
         if (cb)
             inlen = cb(psbuf, PEM_BUFSIZE, 0, u);
@@ -719,7 +719,6 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in,
             memset(keybuf + 5, 0, 11);
             if (!EVP_DecryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, NULL))
                 goto err;
-            OPENSSL_cleanse(keybuf, 20);
             if (!EVP_DecryptUpdate(cctx, q, &enctmplen, p, inlen))
                 goto err;
             if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, &enctmplen))
@@ -729,15 +728,17 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in,
                 PEMerr(PEM_F_DO_PVK_BODY, PEM_R_BAD_DECRYPT);
                 goto err;
             }
-        } else
-            OPENSSL_cleanse(keybuf, 20);
+        }
         p = enctmp;
     }
 
     ret = b2i_PrivateKey(&p, keylen);
  err:
     EVP_CIPHER_CTX_free(cctx);
-    OPENSSL_free(enctmp);
+    if (enctmp != NULL) {
+        OPENSSL_cleanse(keybuf, sizeof(keybuf));
+        OPENSSL_free(enctmp);
+    }
     return ret;
 }

More information about the openssl-commits mailing list