Merge remote-tracking branch 'upstream-restricted/pr/402' into mbedtls-1.3-restricted

2024-11-27 04:14:23 +01:00 · 2017-11-28 14:34:24 +01:00 · 2017-11-28 14:34:24 +01:00 · 2bd6ca415b
commit 2bd6ca415b
parent d3dd8d2197 27ce0b5ff1
2 changed files with 4 additions and 0 deletions
--- a/2
+++ b/2
@ -13,6 +13,8 @@ Security
   * Tighten should-be-constant-time memcmp against compiler optimizations.
   * Ensure that buffers are cleared after use if they contain sensitive data.
     Changes were introduced in multiple places in the library.
+   * Set PEM buffer to zero before freeing it, to avoid decoded private keys
+     being leaked to memory after release.

 Bugfix
   * Fix memory leak in ssl_set_hostname() when called multiple times.
--- a/library/pem.c
+++ b/library/pem.c
@ -393,6 +393,8 @@ int pem_read_buffer( pem_context *ctx, const char *header, const char *footer,

 void pem_free( pem_context *ctx )
 {
+    if ( ctx->buf != NULL )
+        polarssl_zeroize( ctx->buf, ctx->buflen );
    polarssl_free( ctx->buf );
    polarssl_free( ctx->info );