From 52ee969e2991d8e8c90c4835dc4bb047912ea291 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 21 Feb 2007 13:48:49 +0000 Subject: [PATCH] Update from 0.9.7-stable. --- CHANGES | 4 ++++ crypto/pem/pem_lib.c | 5 ++++- crypto/pem/pem_pkey.c | 1 + 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index cadf0d57a4..806049fdc9 100644 --- a/CHANGES +++ b/CHANGES @@ -1045,6 +1045,10 @@ Changes between 0.9.7l and 0.9.7m [xx XXX xxxx] + *) Cleanse PEM buffers before freeing them since they may contain + sensitive data. + [Benjamin Bennett ] + *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that a ciphersuite string such as "DEFAULT:RSA" cannot enable authentication-only ciphersuites. diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c index ffb29ce3d7..9bae4c8850 100644 --- a/crypto/pem/pem_lib.c +++ b/crypto/pem/pem_lib.c @@ -579,6 +579,7 @@ int PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data, } EVP_EncodeFinal(&ctx,buf,&outl); if ((outl > 0) && (BIO_write(bp,(char *)buf,outl) != outl)) goto err; + OPENSSL_cleanse(buf, PEM_BUFSIZE*8); OPENSSL_free(buf); buf = NULL; if ( (BIO_write(bp,"-----END ",9) != 9) || @@ -587,8 +588,10 @@ int PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data, goto err; return(i+outl); err: - if (buf) + if (buf) { + OPENSSL_cleanse(buf, PEM_BUFSIZE*8); OPENSSL_free(buf); + } PEMerr(PEM_F_PEM_WRITE_BIO,reason); return(0); } diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c index 2162a45323..4da4c31ce5 100644 --- a/crypto/pem/pem_pkey.c +++ b/crypto/pem/pem_pkey.c @@ -125,6 +125,7 @@ p8err: PEMerr(PEM_F_PEM_READ_BIO_PRIVATEKEY,ERR_R_ASN1_LIB); err: OPENSSL_free(nm); + OPENSSL_cleanse(data, len); OPENSSL_free(data); return(ret); } -- 2.40.0