try_pkcs12(): cleanse passphrase so it is not left on the stack

Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/17320)
2025-01-18 13:44:20 +08:00 · 2021-12-29 09:26:58 +01:00 · 2021-12-29 09:26:58 +01:00 · da7db7ae6d
commit da7db7ae6d
parent 1dfef929e4
1 changed files with 3 additions and 2 deletions
--- a/crypto/store/store_result.c
+++ b/crypto/store/store_result.c
@ -619,9 +619,10 @@ static int try_pkcs12(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
                }
                ctx->cached_info = infos;
            }
+         p12_end:
+            OPENSSL_cleanse(tpass, sizeof(tpass));
+            PKCS12_free(p12);
        }
-     p12_end:
-        PKCS12_free(p12);
        *v = sk_OSSL_STORE_INFO_shift(ctx->cached_info);
    }