From b23b04d1777074d340e64fb137016bf74414e168 Mon Sep 17 00:00:00 2001
From: Andrzej Kurek
Date: Tue, 20 Mar 2018 05:02:29 -0400
Subject: [PATCH] pkcs11: zeroize buffer earlier on failure

Change the buffer zeroization so that it happens earlier
---
 library/pkcs11_client.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/library/pkcs11_client.c b/library/pkcs11_client.c
index 82cc0e19a..1244f4008 100644
--- a/library/pkcs11_client.c
+++ b/library/pkcs11_client.c
@@ -157,6 +157,8 @@ static int pkcs11_sign_core( mbedtls_pk_pkcs11_context_t *ctx,
 goto exit;
 *sig_len = ck_sig_len;
 exit:
+ if( rv != CKR_OK )
+ memset( sig, 0, ck_sig_len );
 return( pkcs11_err_to_mbedtls_pk_err( rv ) );
 }
 #endif /* MBEDTLS_RSA_C */
@@ -226,8 +228,6 @@ static int pkcs11_sign( void *ctx_arg,
 return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
 }
- if( ret != 0 )
- memset( sig, 0, *sig_len );
 return( ret );
 }
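Review bot: The wipe added at `exit:` in `pkcs11_sign_core` sizes the `memset` with `ck_sig_len`, which looks like a token-reported length rather than the capacity of `sig`. The function body starts above the hunk, so this is inferred: if `ck_sig_len` is the in/out length passed to the PKCS#11 signing call, a `CKR_BUFFER_TOO_SMALL` return leaves it holding the required length, which exceeds the buffer, and the `memset` then writes past the end of `sig`; a `goto exit` taken before it is assigned would read it uninitialized. Bound the wipe by the caller's buffer capacity instead, e.g. `memset( sig, 0, <sig buffer capacity> );` using this function's size parameter, with a comment such as `/* wipe partial output; use buffer capacity, not the token-reported length */`. The wipe removed from `pkcs11_sign` also covered any failure after `pkcs11_sign_core` returns, so confirm that no later step there can fail while leaving data in `sig`.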