From da7db7ae6d7d1929893a58e41335c88e472fc364 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Wed, 29 Dec 2021 09:26:58 +0100
Subject: try_pkcs12(): cleanse passphrase so it is not left on the stack
Reviewed-by: Ben Kaduk
(Merged from https://github.com/openssl/openssl/pull/17320)
---
 crypto/store/store_result.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'crypto/store')
diff --git a/crypto/store/store_result.c b/crypto/store/store_result.c
index 893828ee3e..de00f4f562 100644
--- a/crypto/store/store_result.c
+++ b/crypto/store/store_result.c
@@ -619,9 +619,10 @@ static int try_pkcs12(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
 }
 ctx->cached_info = infos;
 }
+ p12_end:
+ OPENSSL_cleanse(tpass, sizeof(tpass));
+ PKCS12_free(p12);
 }
- p12_end:
- PKCS12_free(p12);
 *v = sk_OSSL_STORE_INFO_shift(ctx->cached_info);
 }
--
cgit v1.2.1
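Review bot: The wipe added at `p12_end:` protects the passphrase only if every path out of the enclosing block reaches that label, and nothing in the new lines records that requirement. A comment directly above the label, such as `/* every exit from this block must reach p12_end: tpass may hold the passphrase */`, would stop a later early `return` or a differently placed `goto` target from silently skipping the cleanse. `OPENSSL_cleanse(tpass, sizeof(tpass))` clears the whole buffer only when `tpass` is an array and not a pointer; its declaration is outside the hunk, so that should be confirmed against the full function. The body of try_pkcs12() and the `goto p12_end` sites begin and end outside the hunk.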