Added ForceZero on the password buffer after done using it.

2025-08-03 04:34:41 +02:00 · 2018-03-30 13:33:05 -07:00
parent 3a8b08cdbf
commit 1315fad7dc
2 changed files with 28 additions and 22 deletions
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -4603,12 +4603,17 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
            ret = NO_PASSWORD;
        }
        else {
-            passwordSz = info->passwd_cb(password, passwordSz, PEM_PASS_READ,
+            ret = info->passwd_cb(password, passwordSz, PEM_PASS_READ,
                info->passwd_userdata);
+            if (ret >= 0) {
+                passwordSz = ret;

-            /* decrypt the key */
-            ret = wc_BufferKeyDecrypt(info, der->buffer, der->length,
-                (byte*)password, passwordSz, WC_MD5);
+                /* decrypt the key */
+                ret = wc_BufferKeyDecrypt(info, der->buffer, der->length,
+                    (byte*)password, passwordSz, WC_MD5);
+
+                ForceZero(password, passwordSz);
+            }
        }

    #ifdef WOLFSSL_SMALL_STACK
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -7990,30 +7990,31 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
    #endif

        /* get password */
-        passwordSz = info->passwd_cb(password, passwordSz, PEM_PASS_READ,
+        ret = info->passwd_cb(password, passwordSz, PEM_PASS_READ,
            info->passwd_userdata);
+        if (ret >= 0) {
+            passwordSz = ret;

-        /* convert and adjust length */
-        if (header == BEGIN_ENC_PRIV_KEY) {
-            ret = ToTraditionalEnc(der->buffer, der->length,
-                                   password, passwordSz);
-    #ifdef WOLFSSL_SMALL_STACK
-            XFREE(password, NULL, DYNAMIC_TYPE_STRING);
-    #endif
-            if (ret < 0) {
-                return ret;
+            /* convert and adjust length */
+            if (header == BEGIN_ENC_PRIV_KEY) {
+                ret = ToTraditionalEnc(der->buffer, der->length,
+                                       password, passwordSz);
+
+                if (ret >= 0) {
+                    der->length = ret;
+                }
            }
+            /* decrypt the key */
+            else {
+                ret = wc_BufferKeyDecrypt(info, der->buffer, der->length,
+                    (byte*)password, passwordSz, WC_MD5);
+            }
+            ForceZero(password, passwordSz);
+        }

-            der->length = ret;
-        }
-        /* decrypt the key */
-        else {
-            ret = wc_BufferKeyDecrypt(info, der->buffer, der->length,
-                (byte*)password, passwordSz, WC_MD5);
    #ifdef WOLFSSL_SMALL_STACK
-            XFREE(password, heap, DYNAMIC_TYPE_STRING);
+        XFREE(password, heap, DYNAMIC_TYPE_STRING);
    #endif
-        }
    }
 #endif /* WOLFSSL_ENCRYPTED_KEYS */