From 2df57490845cf80b3a87e8b029cb44e54aa97ee0 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Mon, 28 Jul 2025 15:32:06 -0400
Subject: [PATCH] Clear keymgmt params containing sensitive data
Signed-off-by: Simo Sorce
Reviewed-by: Tomas Mraz
Reviewed-by: Dmitry Belyavskiy
(Merged from https://github.com/openssl/openssl/pull/28108)
---
 providers/implementations/keymgmt/dh_kmgmt.c | 2 +-
 providers/implementations/keymgmt/dsa_kmgmt.c | 2 +-
 providers/implementations/keymgmt/ec_kmgmt.c | 2 +-
 providers/implementations/keymgmt/ecx_kmgmt.c | 2 +-
 providers/implementations/keymgmt/lms_kmgmt.c | 2 +-
 providers/implementations/keymgmt/mac_legacy_kmgmt.c | 2 +-
 providers/implementations/keymgmt/ml_kem_kmgmt.c | 2 +-
 providers/implementations/keymgmt/mlx_kmgmt.c | 2 +-
 providers/implementations/keymgmt/rsa_kmgmt.c | 2 +-
 providers/implementations/keymgmt/slh_dsa_kmgmt.c | 2 +-
 10 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
index 7a95ac0d73a..e454a337266 100644
--- a/providers/implementations/keymgmt/dh_kmgmt.c
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
@@ -249,7 +249,7 @@ static int dh_export(void *keydata, int selection, OSSL_CALLBACK *param_cb,
 }
 ok = param_cb(params, cbarg);
- OSSL_PARAM_free(params);
+ OSSL_PARAM_clear_free(params);
 err:
 OSSL_PARAM_BLD_free(tmpl);
 return ok;
diff --git a/providers/implementations/keymgmt/dsa_kmgmt.c b/providers/implementations/keymgmt/dsa_kmgmt.c
index 5b3358e0dde..4e2945a231c 100644
--- a/providers/implementations/keymgmt/dsa_kmgmt.c
+++ b/providers/implementations/keymgmt/dsa_kmgmt.c
@@ -249,7 +249,7 @@ static int dsa_export(void *keydata, int selection, OSSL_CALLBACK *param_cb,
 }
 ok = param_cb(params, cbarg);
- OSSL_PARAM_free(params);
+ OSSL_PARAM_clear_free(params);
 err:
 OSSL_PARAM_BLD_free(tmpl);
 return ok;
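Review bot: In dh_export the new `OSSL_PARAM_clear_free(params);` has no comment saying why the clearing variant is required, so a later tidy-up could swap it back to `OSSL_PARAM_free` without anyone noticing; I would add `/* params may carry private key material: zeroize before release */` directly above the call. The same one-line change is repeated in dsa_export, ec_export, ecx_export, lms_export, mac_export, ml_kem_export, mlx_kem_export, rsa_export and slh_dsa_export, and the comment applies to each of them. Separately, every path that jumps to `err:` (or `end:` in ec_export) reaches only `OSSL_PARAM_BLD_free(tmpl)`; whether the builder or any temporary buffer filled earlier in these functions holds its own copy of secret values cannot be seen from the hunks, because each function body starts above them, and that is worth confirming.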
diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
index 5b7cca59c56..9e96dffd2c6 100644
--- a/providers/implementations/keymgmt/ec_kmgmt.c
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
@@ -515,7 +515,7 @@ int ec_export(void *keydata, int selection, OSSL_CALLBACK *param_cb,
 }
 ok = param_cb(params, cbarg);
- OSSL_PARAM_free(params);
+ OSSL_PARAM_clear_free(params);
 end:
 OSSL_PARAM_BLD_free(tmpl);
 OPENSSL_free(pub_key);
diff --git a/providers/implementations/keymgmt/ecx_kmgmt.c b/providers/implementations/keymgmt/ecx_kmgmt.c
index c9e4ceca509..0acb1796234 100644
--- a/providers/implementations/keymgmt/ecx_kmgmt.c
+++ b/providers/implementations/keymgmt/ecx_kmgmt.c
@@ -292,7 +292,7 @@ static int ecx_export(void *keydata, int selection, OSSL_CALLBACK *param_cb,
 goto err;
 ret = param_cb(params, cbarg);
- OSSL_PARAM_free(params);
+ OSSL_PARAM_clear_free(params);
 err:
 OSSL_PARAM_BLD_free(tmpl);
 return ret;
diff --git a/providers/implementations/keymgmt/lms_kmgmt.c b/providers/implementations/keymgmt/lms_kmgmt.c
index 867b56b5733..54f49902d7a 100644
--- a/providers/implementations/keymgmt/lms_kmgmt.c
+++ b/providers/implementations/keymgmt/lms_kmgmt.c
@@ -117,7 +117,7 @@ static int lms_export(void *keydata, int selection, OSSL_CALLBACK *param_cb,
 goto err;
 ret = param_cb(params, cbarg);
- OSSL_PARAM_free(params);
+ OSSL_PARAM_clear_free(params);
 err:
 OSSL_PARAM_BLD_free(tmpl);
 return ret;
diff --git a/providers/implementations/keymgmt/mac_legacy_kmgmt.c b/providers/implementations/keymgmt/mac_legacy_kmgmt.c
index 85da34dad6e..4b3b4e8c9c8 100644
--- a/providers/implementations/keymgmt/mac_legacy_kmgmt.c
+++ b/providers/implementations/keymgmt/mac_legacy_kmgmt.c
@@ -338,7 +338,7 @@ static int mac_export(void *keydata, int selection, OSSL_CALLBACK *param_cb,
 goto err;
 ret = param_cb(params, cbarg);
- OSSL_PARAM_free(params);
+ OSSL_PARAM_clear_free(params);
 err:
 OSSL_PARAM_BLD_free(tmpl);
 return ret;
diff --git a/providers/implementations/keymgmt/ml_kem_kmgmt.c b/providers/implementations/keymgmt/ml_kem_kmgmt.c
index c63c9d1fa75..81d51391539 100644
--- a/providers/implementations/keymgmt/ml_kem_kmgmt.c
+++ b/providers/implementations/keymgmt/ml_kem_kmgmt.c
@@ -320,7 +320,7 @@ static int ml_kem_export(void *vkey, int selection, OSSL_CALLBACK *param_cb,
 goto err;
 ret = param_cb(params, cbarg);
- OSSL_PARAM_free(params);
+ OSSL_PARAM_clear_free(params);
 err:
 OSSL_PARAM_BLD_free(tmpl);
diff --git a/providers/implementations/keymgmt/mlx_kmgmt.c b/providers/implementations/keymgmt/mlx_kmgmt.c
index 3b557d537dc..e8fd93cbf06 100644
--- a/providers/implementations/keymgmt/mlx_kmgmt.c
+++ b/providers/implementations/keymgmt/mlx_kmgmt.c
@@ -307,7 +307,7 @@ static int mlx_kem_export(void *vkey, int selection, OSSL_CALLBACK *param_cb,
 goto err;
 ret = param_cb(params, cbarg);
- OSSL_PARAM_free(params);
+ OSSL_PARAM_clear_free(params);
 err:
 OSSL_PARAM_BLD_free(tmpl);
diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c
index 68691280cdf..0fafcc7872b 100644
--- a/providers/implementations/keymgmt/rsa_kmgmt.c
+++ b/providers/implementations/keymgmt/rsa_kmgmt.c
@@ -235,7 +235,7 @@ static int rsa_export(void *keydata, int selection,
 }
 ok = param_callback(params, cbarg);
- OSSL_PARAM_free(params);
+ OSSL_PARAM_clear_free(params);
 err:
 OSSL_PARAM_BLD_free(tmpl);
 return ok;
diff --git a/providers/implementations/keymgmt/slh_dsa_kmgmt.c b/providers/implementations/keymgmt/slh_dsa_kmgmt.c
index 0bec4642b0a..df538ddd851 100644
--- a/providers/implementations/keymgmt/slh_dsa_kmgmt.c
+++ b/providers/implementations/keymgmt/slh_dsa_kmgmt.c
@@ -235,7 +235,7 @@ static int slh_dsa_export(void *keydata, int selection, OSSL_CALLBACK *param_cb,
 goto err;
 ret = param_cb(params, cbarg);
- OSSL_PARAM_free(params);
+ OSSL_PARAM_clear_free(params);
 err:
 OSSL_PARAM_BLD_free(tmpl);
 return ret;
--
2.47.3