From: Neil Horman <nhorman@openssl.org>
Date: Tue, 17 Jun 2025 17:32:44 +0000 (-0400)
Subject: Fix fips cleanup of master key
X-Git-Tag: openssl-3.6.0-alpha1~549
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=32559a6035b7ec2155c0fe4e2199834c639a981b;p=thirdparty%2Fopenssl.git

Fix fips cleanup of master key

With the conversion to a fixed array, we can no longer just clean the
top level sparse array, as we don't enjoy the NULL check within the
sa_doall loop.

Add a NULL check in the fips cleanup routine to make up for this

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27794)
---

diff --git a/crypto/threads_common.c b/crypto/threads_common.c
index fdd19418a82..c255c87df91 100644
--- a/crypto/threads_common.c
+++ b/crypto/threads_common.c
@@ -403,7 +403,8 @@ void CRYPTO_THREAD_clean_local_for_fips(void)
         return;
 
     mkey = CRYPTO_THREAD_get_local(&master_key);
-    clean_master_key(mkey);
+    if (mkey != NULL)
+        clean_master_key(mkey);
     CRYPTO_THREAD_cleanup_local(&master_key);
 }
 #endif