From 1315fad7dce15509c3ec76262758d420ada3f03e Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Fri, 30 Mar 2018 13:33:05 -0700
Subject: [PATCH] Added ForceZero on the password buffer after done using it.

---
 src/ssl.c           | 13 +++++++++----
 wolfcrypt/src/asn.c | 37 +++++++++++++++++++------------------
 2 files changed, 28 insertions(+), 22 deletions(-)

diff --git a/src/ssl.c b/src/ssl.c
index 04ffea21a..140c768b0 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -4603,12 +4603,17 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
             ret = NO_PASSWORD;
         }
         else {
-            passwordSz = info->passwd_cb(password, passwordSz, PEM_PASS_READ,
+            ret = info->passwd_cb(password, passwordSz, PEM_PASS_READ,
                 info->passwd_userdata);
+            if (ret >= 0) {
+                passwordSz = ret;
 
-            /* decrypt the key */
-            ret = wc_BufferKeyDecrypt(info, der->buffer, der->length,
-                (byte*)password, passwordSz, WC_MD5);
+                /* decrypt the key */
+                ret = wc_BufferKeyDecrypt(info, der->buffer, der->length,
+                    (byte*)password, passwordSz, WC_MD5);
+
+                ForceZero(password, passwordSz);
+            }
         }
 
     #ifdef WOLFSSL_SMALL_STACK
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index af206ff79..6977bd5a1 100755
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -7990,30 +7990,31 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
     #endif
 
         /* get password */
-        passwordSz = info->passwd_cb(password, passwordSz, PEM_PASS_READ,
+        ret = info->passwd_cb(password, passwordSz, PEM_PASS_READ,
             info->passwd_userdata);
+        if (ret >= 0) {
+            passwordSz = ret;
 
-        /* convert and adjust length */
-        if (header == BEGIN_ENC_PRIV_KEY) {
-            ret = ToTraditionalEnc(der->buffer, der->length,
-                                   password, passwordSz);
-    #ifdef WOLFSSL_SMALL_STACK
-            XFREE(password, NULL, DYNAMIC_TYPE_STRING);
-    #endif
-            if (ret < 0) {
-                return ret;
+            /* convert and adjust length */
+            if (header == BEGIN_ENC_PRIV_KEY) {
+                ret = ToTraditionalEnc(der->buffer, der->length,
+                                       password, passwordSz);
+
+                if (ret >= 0) {
+                    der->length = ret;
+                }
             }
+            /* decrypt the key */
+            else {
+                ret = wc_BufferKeyDecrypt(info, der->buffer, der->length,
+                    (byte*)password, passwordSz, WC_MD5);
+            }
+            ForceZero(password, passwordSz);
+        }
 
-            der->length = ret;
-        }
-        /* decrypt the key */
-        else {
-            ret = wc_BufferKeyDecrypt(info, der->buffer, der->length,
-                (byte*)password, passwordSz, WC_MD5);
     #ifdef WOLFSSL_SMALL_STACK
-            XFREE(password, heap, DYNAMIC_TYPE_STRING);
+        XFREE(password, heap, DYNAMIC_TYPE_STRING);
     #endif
-        }
     }
 #endif /* WOLFSSL_ENCRYPTED_KEYS */