explicit_bzero() the GOST premaster secret.

ok miod@
author: jsing <> 2015-09-12 20:23:56 +0000
committer: jsing <> 2015-09-12 20:23:56 +0000
commit: 5fe63508fd9ea429800fda9e137e5773ccfe00ee (patch)
tree: 7759079fd7dc1bdd1155353091b6df88e0108fac /src/lib
parent: b23c8f0c7e56fd5c6e99bcad0ec4f4a085be2d6a (diff)
download: openbsd-5fe63508fd9ea429800fda9e137e5773ccfe00ee.tar.gz
openbsd-5fe63508fd9ea429800fda9e137e5773ccfe00ee.tar.bz2
openbsd-5fe63508fd9ea429800fda9e137e5773ccfe00ee.zip
2 files changed, 14 insertions, 4 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 2863b7380e..343b0a8cfe 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.131 2015/09/12 16:10:07 doug Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.132 2015/09/12 20:23:56 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2159,6 +2159,8 @@ ssl3_send_client_key_exchange(SSL *s)
                        if (ukm_hash == NULL) {
                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
                                    ERR_R_MALLOC_FAILURE);
+                                explicit_bzero(premaster_secret,
+                                    sizeof(premaster_secret));
                                goto err;
                        }
@@ -2178,6 +2180,8 @@ ssl3_send_client_key_exchange(SSL *s)
                            EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) {
                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
                                    SSL_R_LIBRARY_BUG);
+                                explicit_bzero(premaster_secret,
+                                    sizeof(premaster_secret));
                                goto err;
                        }
@@ -2213,7 +2217,8 @@ ssl3_send_client_key_exchange(SSL *s)
                            s->method->ssl3_enc->generate_master_secret(s,
                            s->session->master_key, premaster_secret, 32);
                        EVP_PKEY_free(pub_key);
+                        explicit_bzero(premaster_secret,
+                            sizeof(premaster_secret));
                } else {
                        ssl3_send_alert(s, SSL3_AL_FATAL,
                            SSL_AD_HANDSHAKE_FAILURE);
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index 2863b7380e..343b0a8cfe 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.131 2015/09/12 16:10:07 doug Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.132 2015/09/12 20:23:56 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2159,6 +2159,8 @@ ssl3_send_client_key_exchange(SSL *s)
                        if (ukm_hash == NULL) {
                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
                                    ERR_R_MALLOC_FAILURE);
+                                explicit_bzero(premaster_secret,
+                                    sizeof(premaster_secret));
                                goto err;
                        }
@@ -2178,6 +2180,8 @@ ssl3_send_client_key_exchange(SSL *s)
                            EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) {
                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
                                    SSL_R_LIBRARY_BUG);
+                                explicit_bzero(premaster_secret,
+                                    sizeof(premaster_secret));
                                goto err;
                        }
@@ -2213,7 +2217,8 @@ ssl3_send_client_key_exchange(SSL *s)
                            s->method->ssl3_enc->generate_master_secret(s,
                            s->session->master_key, premaster_secret, 32);
                        EVP_PKEY_free(pub_key);
+                        explicit_bzero(premaster_secret,
+                            sizeof(premaster_secret));
                } else {
                        ssl3_send_alert(s, SSL3_AL_FATAL,
                            SSL_AD_HANDSHAKE_FAILURE);
author	jsing <>	2015-09-12 20:23:56 +0000
committer	jsing <>	2015-09-12 20:23:56 +0000
commit	5fe63508fd9ea429800fda9e137e5773ccfe00ee (patch)
tree	7759079fd7dc1bdd1155353091b6df88e0108fac /src/lib
parent	b23c8f0c7e56fd5c6e99bcad0ec4f4a085be2d6a (diff)
download	openbsd-5fe63508fd9ea429800fda9e137e5773ccfe00ee.tar.gz openbsd-5fe63508fd9ea429800fda9e137e5773ccfe00ee.tar.bz2 openbsd-5fe63508fd9ea429800fda9e137e5773ccfe00ee.zip

diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index 2863b7380e..343b0a8cfe 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_clnt.c,v 1.131 2015/09/12 16:10:07 doug Exp $ */	1	/* $OpenBSD: s3_clnt.c,v 1.132 2015/09/12 20:23:56 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -2159,6 +2159,8 @@ ssl3_send_client_key_exchange(SSL *s)
2159	if (ukm_hash == NULL) {	2159	if (ukm_hash == NULL) {
2160	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,	2160	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2161	ERR_R_MALLOC_FAILURE);	2161	ERR_R_MALLOC_FAILURE);
		2162	explicit_bzero(premaster_secret,
		2163	sizeof(premaster_secret));
2162	goto err;	2164	goto err;
2163	}	2165	}
2164		2166
@@ -2178,6 +2180,8 @@ ssl3_send_client_key_exchange(SSL *s)
2178	EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) {	2180	EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) {
2179	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,	2181	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2180	SSL_R_LIBRARY_BUG);	2182	SSL_R_LIBRARY_BUG);
		2183	explicit_bzero(premaster_secret,
		2184	sizeof(premaster_secret));
2181	goto err;	2185	goto err;
2182	}	2186	}
2183		2187
@@ -2213,7 +2217,8 @@ ssl3_send_client_key_exchange(SSL *s)
2213	s->method->ssl3_enc->generate_master_secret(s,	2217	s->method->ssl3_enc->generate_master_secret(s,
2214	s->session->master_key, premaster_secret, 32);	2218	s->session->master_key, premaster_secret, 32);
2215	EVP_PKEY_free(pub_key);	2219	EVP_PKEY_free(pub_key);
2216		2220	explicit_bzero(premaster_secret,
		2221	sizeof(premaster_secret));
2217	} else {	2222	} else {
2218	ssl3_send_alert(s, SSL3_AL_FATAL,	2223	ssl3_send_alert(s, SSL3_AL_FATAL,
2219	SSL_AD_HANDSHAKE_FAILURE);	2224	SSL_AD_HANDSHAKE_FAILURE);


diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c index 2863b7380e..343b0a8cfe 100644 --- a/src/lib/libssl/src/ssl/s3_clnt.c +++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_clnt.c,v 1.131 2015/09/12 16:10:07 doug Exp $ */	1	/* $OpenBSD: s3_clnt.c,v 1.132 2015/09/12 20:23:56 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -2159,6 +2159,8 @@ ssl3_send_client_key_exchange(SSL *s)
2159	if (ukm_hash == NULL) {	2159	if (ukm_hash == NULL) {
2160	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,	2160	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2161	ERR_R_MALLOC_FAILURE);	2161	ERR_R_MALLOC_FAILURE);
		2162	explicit_bzero(premaster_secret,
		2163	sizeof(premaster_secret));
2162	goto err;	2164	goto err;
2163	}	2165	}
2164		2166
@@ -2178,6 +2180,8 @@ ssl3_send_client_key_exchange(SSL *s)
2178	EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) {	2180	EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) {
2179	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,	2181	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2180	SSL_R_LIBRARY_BUG);	2182	SSL_R_LIBRARY_BUG);
		2183	explicit_bzero(premaster_secret,
		2184	sizeof(premaster_secret));
2181	goto err;	2185	goto err;
2182	}	2186	}
2183		2187
@@ -2213,7 +2217,8 @@ ssl3_send_client_key_exchange(SSL *s)
2213	s->method->ssl3_enc->generate_master_secret(s,	2217	s->method->ssl3_enc->generate_master_secret(s,
2214	s->session->master_key, premaster_secret, 32);	2218	s->session->master_key, premaster_secret, 32);
2215	EVP_PKEY_free(pub_key);	2219	EVP_PKEY_free(pub_key);
2216		2220	explicit_bzero(premaster_secret,
		2221	sizeof(premaster_secret));
2217	} else {	2222	} else {
2218	ssl3_send_alert(s, SSL3_AL_FATAL,	2223	ssl3_send_alert(s, SSL3_AL_FATAL,
2219	SSL_AD_HANDSHAKE_FAILURE);	2224	SSL_AD_HANDSHAKE_FAILURE);