Commit b4b651b0 authored by Shane Lontis's avatar Shane Lontis Committed by Pauli
Browse files

key zeroisation for pvkfmt now done on all branch paths 



Reviewed-by: default avatarPaul Yang <yang.yang@baishancloud.com>
Reviewed-by: default avatarPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7107)

(cherry picked from commit 0239283d)
parent 1018ba70

crypto/pem/pvkfmt.c

+6 −5
Original line number Diff line number Diff line
@@ -675,11 +675,11 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in, 
    const unsigned char *p = *in;

    unsigned int magic;

    unsigned char *enctmp = NULL, *q;

    unsigned char keybuf[20];



    EVP_CIPHER_CTX *cctx = EVP_CIPHER_CTX_new();

    if (saltlen) {

        char psbuf[PEM_BUFSIZE];

        unsigned char keybuf[20];

        int enctmplen, inlen;

        if (cb)

            inlen = cb(psbuf, PEM_BUFSIZE, 0, u);
@@ -719,7 +719,6 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in, 
            memset(keybuf + 5, 0, 11);

            if (!EVP_DecryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, NULL))

                goto err;

            OPENSSL_cleanse(keybuf, 20);

            if (!EVP_DecryptUpdate(cctx, q, &enctmplen, p, inlen))

                goto err;

            if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, &enctmplen))
@@ -729,15 +728,17 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in, 
                PEMerr(PEM_F_DO_PVK_BODY, PEM_R_BAD_DECRYPT);

                goto err;

            }

        } else

            OPENSSL_cleanse(keybuf, 20);

        }

        p = enctmp;

    }



    ret = b2i_PrivateKey(&p, keylen);

 err:

    EVP_CIPHER_CTX_free(cctx);

    if (enctmp != NULL) {

        OPENSSL_cleanse(keybuf, sizeof(keybuf));

        OPENSSL_free(enctmp);

    }

    return ret;

}