Clean password buffer on stack for PEM_read_bio_PrivateKey

and d2i_PKCS8PrivateKey_bio before it goes out of scope. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4047)
author: Bernd Edlinger <bernd.edlinger@hotmail.de> 2017-07-29 12:19:29 +0200
committer: Bernd Edlinger <bernd.edlinger@hotmail.de> 2017-07-29 14:55:30 +0200
commit: 02fd47c8b0930dff9b188fd13bfb9da5e59444a8 (patch)
tree: 589942a5f110ec6c756d894836f0543107eb54ee /crypto/pem
parent: Fix rsa -check option (diff)
download: openssl-02fd47c8b0930dff9b188fd13bfb9da5e59444a8.tar.xz
openssl-02fd47c8b0930dff9b188fd13bfb9da5e59444a8.zip
2 files changed, 2 insertions, 0 deletions
diff --git a/crypto/pem/pem_pk8.c b/crypto/pem/pem_pk8.c
index 993c595a7b..5caad9faab 100644
--- a/crypto/pem/pem_pk8.c
+++ b/crypto/pem/pem_pk8.c
@@ -131,6 +131,7 @@ EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
     }
     p8inf = PKCS8_decrypt(p8, psbuf, klen);
     X509_SIG_free(p8);
+    OPENSSL_cleanse(psbuf, klen);
     if (!p8inf)
         return NULL;
     ret = EVP_PKCS82PKEY(p8inf);
diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c
index 93565011c0..42ec933efd 100644
--- a/crypto/pem/pem_pkey.c
+++ b/crypto/pem/pem_pkey.c
@@ -67,6 +67,7 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
         }
         p8inf = PKCS8_decrypt(p8, psbuf, klen);
         X509_SIG_free(p8);
+        OPENSSL_cleanse(psbuf, klen);
         if (!p8inf)
             goto p8err;
         ret = EVP_PKCS82PKEY(p8inf);
author	Bernd Edlinger <bernd.edlinger@hotmail.de>	2017-07-29 12:19:29 +0200
committer	Bernd Edlinger <bernd.edlinger@hotmail.de>	2017-07-29 14:55:30 +0200
commit	02fd47c8b0930dff9b188fd13bfb9da5e59444a8 (patch)
tree	589942a5f110ec6c756d894836f0543107eb54ee /crypto/pem
parent	Fix rsa -check option (diff)
download	openssl-02fd47c8b0930dff9b188fd13bfb9da5e59444a8.tar.xz openssl-02fd47c8b0930dff9b188fd13bfb9da5e59444a8.zip