[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

Paul I. Dale pauli at openssl.org
Tue Sep 4 19:20:21 UTC 2018 

The branch OpenSSL_1_1_0-stable has been updated
       via  febb025068f6c74f6776cc7faf1a8bcd55138f87 (commit)
      from  b4b651b09e738e8874c59f9fd24ec52d7258e5b4 (commit)


- Log -----------------------------------------------------------------
commit febb025068f6c74f6776cc7faf1a8bcd55138f87
Author: Shane Lontis <shane.lontis at oracle.com>
Date:   Tue Sep 4 15:00:21 2018 +1000

    key zeroisation fix for p12
    
    Reviewed-by: Paul Yang <yang.yang at baishancloud.com>
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/7109)
    
    (cherry picked from commit f5cee414fa8e7e9a088d8d5ebe641f368df20801)

-----------------------------------------------------------------------

Summary of changes:
 crypto/pkcs12/p12_mutl.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
index a9e2202..02e529c 100644
--- a/crypto/pkcs12/p12_mutl.c
+++ b/crypto/pkcs12/p12_mutl.c
@@ -75,6 +75,7 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
                                                 unsigned char *out,
                                                 const EVP_MD *md_type))
 {
+    int ret = 0;
     const EVP_MD *md_type;
     HMAC_CTX *hmac = NULL;
     unsigned char key[EVP_MAX_MD_SIZE], *salt;
@@ -116,24 +117,27 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
         if (!pkcs12_gen_gost_mac_key(pass, passlen, salt, saltlen, iter,
                                      md_size, key, md_type)) {
             PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_KEY_GEN_ERROR);
-            return 0;
+            goto err;
         }
     } else
         if (!(*pkcs12_key_gen)(pass, passlen, salt, saltlen, PKCS12_MAC_ID,
                                iter, md_size, key, md_type)) {
         PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_KEY_GEN_ERROR);
-        return 0;
+        goto err;
     }
     if ((hmac = HMAC_CTX_new()) == NULL
         || !HMAC_Init_ex(hmac, key, md_size, md_type, NULL)
         || !HMAC_Update(hmac, p12->authsafes->d.data->data,
                         p12->authsafes->d.data->length)
         || !HMAC_Final(hmac, mac, maclen)) {
-        HMAC_CTX_free(hmac);
-        return 0;
+        goto err;
     }
+    ret = 1;
+
+err:
+    OPENSSL_cleanse(key, sizeof(key));
     HMAC_CTX_free(hmac);
-    return 1;
+    return ret;
 }
 
 int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,

More information about the openssl-commits mailing list