Cleaning secret data after use

Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4509)
author: EasySec <easy.sec@free.fr> 2017-10-16 21:05:10 +0200
committer: Rich Salz <rsalz@openssl.org> 2017-10-16 21:06:29 +0200
commit: 1f83edda7b13b371b16de2ebff6455c8bc6dbbcd (patch)
tree: bc8ecc660e139ca304b8268eb0cad06385db2adf /apps/enc.c
parent: added cmcCA and cmcRA as per rfc6402, capitalized per RFC7030 author (diff)
download: openssl-1f83edda7b13b371b16de2ebff6455c8bc6dbbcd.tar.xz
openssl-1f83edda7b13b371b16de2ebff6455c8bc6dbbcd.zip
1 files changed, 7 insertions, 3 deletions
diff --git a/apps/enc.c b/apps/enc.c
index 5117a4980e..14b029b33f 100644
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -476,9 +476,13 @@ int enc_main(int argc, char **argv)
             BIO_printf(bio_err, "iv undefined\n");
             goto end;
         }
-        if ((hkey != NULL) && !set_hex(hkey, key, EVP_CIPHER_key_length(cipher))) {
-            BIO_printf(bio_err, "invalid hex key value\n");
-            goto end;
+        if (hkey != NULL) {
+            if (!set_hex(hkey, key, EVP_CIPHER_key_length(cipher))) {
+                BIO_printf(bio_err, "invalid hex key value\n");
+                goto end;
+            }
+            /* wiping secret data as we no longer need it */
+            OPENSSL_cleanse(hkey, strlen(hkey));
         }
 
         if ((benc = BIO_new(BIO_f_cipher())) == NULL)
author	EasySec <easy.sec@free.fr>	2017-10-16 21:05:10 +0200
committer	Rich Salz <rsalz@openssl.org>	2017-10-16 21:06:29 +0200
commit	1f83edda7b13b371b16de2ebff6455c8bc6dbbcd (patch)
tree	bc8ecc660e139ca304b8268eb0cad06385db2adf /apps/enc.c
parent	added cmcCA and cmcRA as per rfc6402, capitalized per RFC7030 author (diff)
download	openssl-1f83edda7b13b371b16de2ebff6455c8bc6dbbcd.tar.xz openssl-1f83edda7b13b371b16de2ebff6455c8bc6dbbcd.zip