Recent changes from 0.9.6-stable.

CHANGES

@@ -4,6 +4,21 @@
 
  Changes between 0.9.6g and 0.9.6h  [xx XXX xxxx]
 
+  *) New function OPENSSL_cleanse(), which is used to cleanse a section of
+     memory from it's contents.  This is done with a counter that will
+     place alternating values in each byte.  This can be used to solve
+     two issues: 1) the removal of calls to memset() by highly optimizing
+     compilers, and 2) cleansing with other values than 0, since those can
+     be read through on certain media, for example a swap space on disk.
+     [Geoff Thorpe]
+
+  *) Bugfix: client side session caching did not work with external caching,
+     because the session->cipher setting was not restored when reloading
+     from the external cache. This problem was masked, when
+     SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set.
+     (Found by Steve Haslam <steve@araqnid.ddts.net>.)
+     [Lutz Jaenicke]
+
   *) Fix client_certificate (ssl/s2_clnt.c): The permissible total
      length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
      [Zeev Lieber <zeev-l@yahoo.com>]

STATUS

@@ -1,6 +1,6 @@
 
   OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2002/08/09 11:49:13 $
+  ______________                           $Date: 2002/11/28 12:26:04 $
 
   DEVELOPMENT STATE
 
@@ -23,6 +23,18 @@
 
   RELEASE SHOWSTOPPERS
 
+    o [2002-11-21]
+      PR 343 mentions that scrubbing memory with 'memset(ptr, 0, n)' may
+      be optimized away in modern compilers.  This is definitely not good
+      and needs to be fixed immediately.  The formula to use is presented
+      in:
+
+      http://online.securityfocus.com/archive/82/297918/2002-10-27/2002-11-02/0
+
+      The problem report that mentions this is:
+
+      https://www.aet.TU-Cottbus.DE/rt2/Ticket/Display.html?id=343
+
   AVAILABLE PATCHES
 
     o 

TABLE

@@ -71,7 +71,7 @@ $ranlib       =
 
 *** Cygwin
 $cc           = gcc
-$cflags       = -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -march=486 -Wall
+$cflags       = -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -march=i486 -Wall
 $unistd       = 
 $thread_cflag = 
 $lflags       = 

apps/ca.c

@@ -570,7 +570,7 @@ bad:
 		goto err;
 		}
 		pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,key);
-		if(key) memset(key,0,strlen(key));
+		if(key) OPENSSL_cleanse(key,strlen(key));
 	if (pkey == NULL)
 		{
 		BIO_printf(bio_err,"unable to load CA private key\n");

apps/dgst.c

@@ -354,7 +354,7 @@ int MAIN(int argc, char **argv)
 end:
 	if (buf != NULL)
 		{
-		memset(buf,0,BUFSIZE);
+		OPENSSL_cleanse(buf,BUFSIZE);
 		OPENSSL_free(buf);
 		}
 	if (in != NULL) BIO_free(in);

apps/enc.c

@@ -533,9 +533,9 @@ bad:
 			 * bug picked up by
 			 * Larry J. Hughes Jr. <hughes@indiana.edu> */
 			if (str == strbuf)
-				memset(str,0,SIZE);
+				OPENSSL_cleanse(str,SIZE);
 			else
-				memset(str,0,strlen(str));
+				OPENSSL_cleanse(str,strlen(str));
 			}
 		if ((hiv != NULL) && !set_hex(hiv,iv,8))
 			{

apps/s_client.c

@@ -800,8 +800,8 @@ end:
 	if (con != NULL) SSL_free(con);
 	if (con2 != NULL) SSL_free(con2);
 	if (ctx != NULL) SSL_CTX_free(ctx);
-	if (cbuf != NULL) { memset(cbuf,0,BUFSIZZ); OPENSSL_free(cbuf); }
-	if (sbuf != NULL) { memset(sbuf,0,BUFSIZZ); OPENSSL_free(sbuf); }
+	if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
+	if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
 	if (bio_c_out != NULL)
 		{
 		BIO_free(bio_c_out);

apps/s_server.c

@@ -1077,7 +1077,7 @@ err:
 	BIO_printf(bio_s_out,"CONNECTION CLOSED\n");
 	if (buf != NULL)
 		{
-		memset(buf,0,bufsize);
+		OPENSSL_cleanse(buf,bufsize);
 		OPENSSL_free(buf);
 		}
 	if (ret >= 0)

crypto/Makefile.ssl

@@ -34,8 +34,8 @@ SDIRS=	md2 md5 sha mdc2 hmac ripemd \
 GENERAL=Makefile README crypto-lib.com install.com
 
 LIB= $(TOP)/libcrypto.a
-LIBSRC=	cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c
-LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o
+LIBSRC=	cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c
+LIBOBJ= cryptlib.o mem.o mem_clr.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o
 
 SRC= $(LIBSRC)
 
@@ -185,6 +185,9 @@ mem.o: ../include/openssl/e_os2.h ../include/openssl/err.h
 mem.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
 mem.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
 mem.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
+mem_clr.o: ../include/openssl/crypto.h ../include/openssl/opensslv.h
+mem_clr.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+mem_clr.o: ../include/openssl/symhacks.h
 mem_dbg.o: ../include/openssl/bio.h ../include/openssl/buffer.h
 mem_dbg.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
 mem_dbg.o: ../include/openssl/e_os2.h ../include/openssl/err.h

crypto/asn1/a_sign.c

@@ -199,10 +199,10 @@ int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
 	signature->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
 	signature->flags|=ASN1_STRING_FLAG_BITS_LEFT;
 err:
-	memset(&ctx,0,sizeof(ctx));
+	OPENSSL_cleanse(&ctx,sizeof(ctx));
 	if (buf_in != NULL)
-		{ memset((char *)buf_in,0,(unsigned int)inl); OPENSSL_free(buf_in); }
+		{ OPENSSL_cleanse((char *)buf_in,(unsigned int)inl); OPENSSL_free(buf_in); }
 	if (buf_out != NULL)
-		{ memset((char *)buf_out,0,outll); OPENSSL_free(buf_out); }
+		{ OPENSSL_cleanse((char *)buf_out,outll); OPENSSL_free(buf_out); }
 	return(outl);
 	}

crypto/asn1/a_verify.c

@@ -100,7 +100,7 @@ int ASN1_verify(int (*i2d)(), X509_ALGOR *a, ASN1_BIT_STRING *signature,
 	EVP_VerifyInit(&ctx,type);
 	EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
 
-	memset(buf_in,0,(unsigned int)inl);
+	OPENSSL_cleanse(buf_in,(unsigned int)inl);
 	OPENSSL_free(buf_in);
 
 	if (EVP_VerifyFinal(&ctx,(unsigned char *)signature->data,

crypto/asn1/n_pkey.c

@@ -181,7 +181,7 @@ int i2d_RSA_NET(RSA *a, unsigned char **pp, int (*cb)(), int sgckey)
 	}
 		
 	EVP_BytesToKey(EVP_rc4(),EVP_md5(),NULL,buf,i,1,key,NULL);
-	memset(buf,0,256);
+	OPENSSL_cleanse(buf,256);
 
 	EVP_CIPHER_CTX_init(&ctx);
 	EVP_EncryptInit(&ctx,EVP_rc4(),key,NULL);
@@ -292,7 +292,7 @@ RSA *d2i_RSA_NET_2(RSA **a, unsigned char **pp, long length,
 	}
 		
 	EVP_BytesToKey(EVP_rc4(),EVP_md5(),NULL,buf,i,1,key,NULL);
-	memset(buf,0,256);
+	OPENSSL_cleanse(buf,256);
 
 	EVP_CIPHER_CTX_init(&ctx);
 	EVP_DecryptInit(&ctx,EVP_rc4(),key,NULL);

crypto/asn1/p8_pkey.c

@@ -119,8 +119,8 @@ void PKCS8_PRIV_KEY_INFO_free (PKCS8_PRIV_KEY_INFO *a)
 	X509_ALGOR_free(a->pkeyalg);
 	/* Clear sensitive data */
 	if (a->pkey->value.octet_string)
-		memset (a->pkey->value.octet_string->data,
-				 0, a->pkey->value.octet_string->length);
+		OPENSSL_cleanse(a->pkey->value.octet_string->data,
+				a->pkey->value.octet_string->length);
 	ASN1_TYPE_free (a->pkey);
 	sk_X509_ATTRIBUTE_pop_free (a->attributes, X509_ATTRIBUTE_free);
 	OPENSSL_free (a);

crypto/crypto-lib.com

@@ -174,7 +174,7 @@ $!
 $ APPS_DES = "DES/DES,CBC3_ENC"
 $ APPS_PKCS7 = "ENC/ENC;DEC/DEC;SIGN/SIGN;VERIFY/VERIFY,EXAMPLE"
 $
-$ LIB_ = "cryptlib,mem,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid"
+$ LIB_ = "cryptlib,mem,mem_clr,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid"
 $ LIB_MD2 = "md2_dgst,md2_one"
 $ LIB_MD4 = "md4_dgst,md4_one"
 $ LIB_MD5 = "md5_dgst,md5_one"

crypto/crypto.h

@@ -346,6 +346,8 @@ void CRYPTO_free(void *);
 void *CRYPTO_realloc(void *addr,int num, const char *file, int line);
 void *CRYPTO_remalloc(void *addr,int num, const char *file, int line);
 
+void OPENSSL_cleanse(void *ptr, size_t len);
+
 void CRYPTO_set_mem_debug_options(long bits);
 long CRYPTO_get_mem_debug_options(void);
 

crypto/des/des.c

@@ -423,7 +423,7 @@ void doencryption(void)
 				k2[i-8]=k;
 			}
 		des_set_key_unchecked(&k2,ks2);
-		memset(k2,0,sizeof(k2));
+		OPENSSL_cleanse(k2,sizeof(k2));
 		}
 	else if (longk || flag3)
 		{
@@ -431,7 +431,7 @@ void doencryption(void)
 			{
 			des_string_to_2keys(key,&kk,&k2);
 			des_set_key_unchecked(&k2,ks2);
-			memset(k2,0,sizeof(k2));
+			OPENSSL_cleanse(k2,sizeof(k2));
 			}
 		else
 			des_string_to_key(key,&kk);
@@ -453,8 +453,8 @@ void doencryption(void)
 			}
 
 	des_set_key_unchecked(&kk,ks);
-	memset(key,0,sizeof(key));
-	memset(kk,0,sizeof(kk));
+	OPENSSL_cleanse(key,sizeof(key));
+	OPENSSL_cleanse(kk,sizeof(kk));
 	/* woops - A bug that does not showup under unix :-( */
 	memset(iv,0,sizeof(iv));
 	memset(iv2,0,sizeof(iv2));
@@ -662,18 +662,18 @@ void doencryption(void)
 		if (l) fclose(CKSUM_OUT);
 		}
 problems:
-	memset(buf,0,sizeof(buf));
-	memset(obuf,0,sizeof(obuf));
-	memset(ks,0,sizeof(ks));
-	memset(ks2,0,sizeof(ks2));
-	memset(iv,0,sizeof(iv));
-	memset(iv2,0,sizeof(iv2));
-	memset(kk,0,sizeof(kk));
-	memset(k2,0,sizeof(k2));
-	memset(uubuf,0,sizeof(uubuf));
-	memset(b,0,sizeof(b));
-	memset(bb,0,sizeof(bb));
-	memset(cksum,0,sizeof(cksum));
+	OPENSSL_cleanse(buf,sizeof(buf));
+	OPENSSL_cleanse(obuf,sizeof(obuf));
+	OPENSSL_cleanse(ks,sizeof(ks));
+	OPENSSL_cleanse(ks2,sizeof(ks2));
+	OPENSSL_cleanse(iv,sizeof(iv));
+	OPENSSL_cleanse(iv2,sizeof(iv2));
+	OPENSSL_cleanse(kk,sizeof(kk));
+	OPENSSL_cleanse(k2,sizeof(k2));
+	OPENSSL_cleanse(uubuf,sizeof(uubuf));
+	OPENSSL_cleanse(b,sizeof(b));
+	OPENSSL_cleanse(bb,sizeof(bb));
+	OPENSSL_cleanse(cksum,sizeof(cksum));
 	if (Exit) EXIT(Exit);
 	}
 

crypto/des/read2pwd.c

@@ -65,8 +65,8 @@ int des_read_password(des_cblock *key, const char *prompt, int verify)
 
 	if ((ok=des_read_pw(buf,buff,BUFSIZ,prompt,verify)) == 0)
 		des_string_to_key(buf,key);
-	memset(buf,0,BUFSIZ);
-	memset(buff,0,BUFSIZ);
+	OPENSSL_cleanse(buf,BUFSIZ);
+	OPENSSL_cleanse(buff,BUFSIZ);
 	return(ok);
 	}
 
@@ -78,7 +78,7 @@ int des_read_2passwords(des_cblock *key1, des_cblock *key2, const char *prompt,
 
 	if ((ok=des_read_pw(buf,buff,BUFSIZ,prompt,verify)) == 0)
 		des_string_to_2keys(buf,key1,key2);
-	memset(buf,0,BUFSIZ);
-	memset(buff,0,BUFSIZ);
+	OPENSSL_cleanse(buf,BUFSIZ);
+	OPENSSL_cleanse(buff,BUFSIZ);
 	return(ok);
 	}

crypto/des/read_pwd.c

@@ -218,7 +218,7 @@ int des_read_pw_string(char *buf, int length, const char *prompt,
 	int ret;
 
 	ret=des_read_pw(buf,buff,(length>BUFSIZ)?BUFSIZ:length,prompt,verify);
-	memset(buff,0,BUFSIZ);
+	OPENSSL_cleanse(buff,BUFSIZ);
 	return(ret);
 	}
 

crypto/des/str2key.c

@@ -88,7 +88,7 @@ void des_string_to_key(const char *str, des_cblock *key)
 	des_set_odd_parity(key);
 	des_set_key_unchecked(key,ks);
 	des_cbc_cksum((const unsigned char*)str,key,length,ks,key);
-	memset(ks,0,sizeof(ks));
+	OPENSSL_cleanse(ks,sizeof(ks));
 	des_set_odd_parity(key);
 	}
 
@@ -149,7 +149,7 @@ void des_string_to_2keys(const char *str, des_cblock *key1, des_cblock *key2)
 	des_cbc_cksum((const unsigned char*)str,key1,length,ks,key1);
 	des_set_key_unchecked(key2,ks);
 	des_cbc_cksum((const unsigned char*)str,key2,length,ks,key2);
-	memset(ks,0,sizeof(ks));
+	OPENSSL_cleanse(ks,sizeof(ks));
 	des_set_odd_parity(key1);
 	des_set_odd_parity(key2);
 	}

crypto/engine/hw_sureware.c

@@ -800,7 +800,7 @@ static int surewarehk_rsa_priv_dec(int flen,unsigned char *from,unsigned char *t
 err:
 	if (buf)
 	{
-		memset(buf,0,tlen);
+		OPENSSL_cleanse(buf,tlen);
 		OPENSSL_free(buf);
 	}
 	return ret;

crypto/evp/bio_enc.c

@@ -128,7 +128,7 @@ static int enc_free(BIO *a)
 	if (a == NULL) return(0);
 	b=(BIO_ENC_CTX *)a->ptr;
 	EVP_CIPHER_CTX_cleanup(&(b->cipher));
-	memset(a->ptr,0,sizeof(BIO_ENC_CTX));
+	OPENSSL_cleanse(a->ptr,sizeof(BIO_ENC_CTX));
 	OPENSSL_free(a->ptr);
 	a->ptr=NULL;
 	a->init=0;

crypto/evp/bio_ok.c

@@ -208,7 +208,7 @@ static int ok_new(BIO *bi)
 static int ok_free(BIO *a)
 	{
 	if (a == NULL) return(0);
-	memset(a->ptr,0,sizeof(BIO_OK_CTX));
+	OPENSSL_cleanse(a->ptr,sizeof(BIO_OK_CTX));
 	OPENSSL_free(a->ptr);
 	a->ptr=NULL;
 	a->init=0;

crypto/evp/e_idea.c

@@ -103,7 +103,7 @@ static int idea_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 
 		idea_set_encrypt_key(key,&tmp);
 		idea_set_decrypt_key(&tmp,&(ctx->c.idea_ks));
-		memset((unsigned char *)&tmp,0,
+		OPENSSL_cleanse((unsigned char *)&tmp,
 				sizeof(IDEA_KEY_SCHEDULE));
 		}
 	return 1;

crypto/evp/evp_key.c

@@ -152,8 +152,8 @@ int EVP_BytesToKey(const EVP_CIPHER *type, EVP_MD *md,
 			}
 		if ((nkey == 0) && (niv == 0)) break;
 		}
-	memset(&c,0,sizeof(c));
-	memset(&(md_buf[0]),0,EVP_MAX_MD_SIZE);
+	OPENSSL_cleanse(&c,sizeof(c));
+	OPENSSL_cleanse(&(md_buf[0]),EVP_MAX_MD_SIZE);
 	return(type->key_len);
 	}
 

crypto/evp/p5_crpt.c

@@ -142,8 +142,8 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
 	memcpy (iv, md_tmp + (16 - EVP_CIPHER_iv_length(cipher)),
 						 EVP_CIPHER_iv_length(cipher));
 	EVP_CipherInit(cctx, cipher, key, iv, en_de);
-	memset(md_tmp, 0, EVP_MAX_MD_SIZE);
-	memset(key, 0, EVP_MAX_KEY_LENGTH);
-	memset(iv, 0, EVP_MAX_IV_LENGTH);
+	OPENSSL_cleanse(md_tmp, EVP_MAX_MD_SIZE);
+	OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
+	OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
 	return 1;
 }

crypto/evp/p5_crpt2.c

@@ -228,7 +228,7 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 	iter = ASN1_INTEGER_get(kdf->iter);
 	PKCS5_PBKDF2_HMAC_SHA1(pass, passlen, salt, saltlen, iter, keylen, key);
 	EVP_CipherInit(ctx, NULL, key, NULL, en_de);
-	memset(key, 0, keylen);
+	OPENSSL_cleanse(key, keylen);
 	PBKDF2PARAM_free(kdf);
 	return 1;
 

crypto/evp/p_open.c

@@ -101,7 +101,7 @@ int EVP_OpenInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char *ek,
 
 	ret=1;
 err:
-	if (key != NULL) memset(key,0,size);
+	if (key != NULL) OPENSSL_cleanse(key,size);
 	OPENSSL_free(key);
 	return(ret);
 	}

crypto/md32_common.h

@@ -602,6 +602,6 @@ void HASH_FINAL (unsigned char *md, HASH_CTX *c)
 	c->num=0;
 	/* clear stuff, HASH_BLOCK may be leaving some stuff on the stack
 	 * but I'm not worried :-)
-	memset((void *)c,0,sizeof(HASH_CTX));
+	OPENSSL_cleanse((void *)c,sizeof(HASH_CTX));
 	 */
 	}

crypto/mem.c

@@ -173,6 +173,7 @@ void CRYPTO_get_mem_debug_functions(void (**m)(void *,int,const char *,int,int),
 void *CRYPTO_malloc_locked(int num, const char *file, int line)
 	{
 	void *ret = NULL;
+	extern unsigned char cleanse_ctr;
 
 	allow_customize = 0;
 	if (malloc_debug_func != NULL)
@@ -187,6 +188,12 @@ void *CRYPTO_malloc_locked(int num, const char *file, int line)
 	if (malloc_debug_func != NULL)
 		malloc_debug_func(ret, num, file, line, 1);
 
+        /* Create a dependency on the value of 'cleanse_ctr' so our memory
+         * sanitisation function can't be optimised out. NB: We only do
+         * this for >2Kb so the overhead doesn't bother us. */
+        if(ret && (num > 2048))
+		((unsigned char *)ret)[0] = cleanse_ctr;
+
 	return ret;
 	}
 
@@ -205,6 +212,7 @@ void CRYPTO_free_locked(void *str)
 void *CRYPTO_malloc(int num, const char *file, int line)
 	{
 	void *ret = NULL;
+	extern unsigned char cleanse_ctr;
 
 	allow_customize = 0;
 	if (malloc_debug_func != NULL)
@@ -219,6 +227,12 @@ void *CRYPTO_malloc(int num, const char *file, int line)
 	if (malloc_debug_func != NULL)
 		malloc_debug_func(ret, num, file, line, 1);
 
+        /* Create a dependency on the value of 'cleanse_ctr' so our memory
+         * sanitisation function can't be optimised out. NB: We only do
+         * this for >2Kb so the overhead doesn't bother us. */
+        if(ret && (num > 2048))
+                ((unsigned char *)ret)[0] = cleanse_ctr;
+
 	return ret;
 	}
 

crypto/pem/pem_info.c

@@ -358,7 +358,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
 	ret=1;
 
 err:
-	memset((char *)&ctx,0,sizeof(ctx));
-	memset(buf,0,PEM_BUFSIZE);
+	OPENSSL_cleanse((char *)&ctx,sizeof(ctx));
+	OPENSSL_cleanse(buf,PEM_BUFSIZE);
 	return(ret);
 	}

crypto/pem/pem_lib.c

@@ -401,13 +401,13 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x,
 	i=PEM_write_bio(bp,name,buf,data,i);
 	if (i <= 0) ret=0;
 err:
-	memset(key,0,sizeof(key));
-	memset(iv,0,sizeof(iv));
-	memset((char *)&ctx,0,sizeof(ctx));
-	memset(buf,0,PEM_BUFSIZE);
+	OPENSSL_cleanse(key,sizeof(key));
+	OPENSSL_cleanse(iv,sizeof(iv));
+	OPENSSL_cleanse((char *)&ctx,sizeof(ctx));
+	OPENSSL_cleanse(buf,PEM_BUFSIZE);
 	if (data != NULL)
 		{
-		memset(data,0,(unsigned int)dsize);
+		OPENSSL_cleanse(data,(unsigned int)dsize);
 		OPENSSL_free(data);
 		}
 	return(ret);
@@ -447,8 +447,8 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen,
 	EVP_DecryptUpdate(&ctx,data,&i,data,j);
 	o=EVP_DecryptFinal(&ctx,&(data[i]),&j);
 	EVP_CIPHER_CTX_cleanup(&ctx);
-	memset((char *)buf,0,sizeof(buf));
-	memset((char *)key,0,sizeof(key));
+	OPENSSL_cleanse((char *)buf,sizeof(buf));
+	OPENSSL_cleanse((char *)key,sizeof(key));
 	j+=i;
 	if (!o)
 		{

crypto/pem/pem_seal.c

@@ -109,7 +109,7 @@ int PEM_SealInit(PEM_ENCODE_SEAL_CTX *ctx, EVP_CIPHER *type, EVP_MD *md_type,
 	ret=npubk;
 err:
 	if (s != NULL) OPENSSL_free(s);
-	memset(key,0,EVP_MAX_KEY_LENGTH);
+	OPENSSL_cleanse(key,EVP_MAX_KEY_LENGTH);
 	return(ret);
 	}
 

crypto/pkcs12/p12_crpt.c

@@ -118,7 +118,7 @@ int PKCS12_PBE_keyivgen (EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 	}
 	PBEPARAM_free(pbe);
 	EVP_CipherInit(ctx, cipher, key, iv, en_de);
-	memset(key, 0, EVP_MAX_KEY_LENGTH);
-	memset(iv, 0, EVP_MAX_IV_LENGTH);
+	OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
+	OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
 	return 1;
 }

crypto/pkcs12/p12_decr.c

@@ -137,7 +137,7 @@ char * PKCS12_decrypt_d2i (X509_ALGOR *algor, char * (*d2i)(),
 	if (seq & 1) ret = (char *) d2i_ASN1_SET(NULL, &p, outlen, d2i,
 				free_func, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
 	else ret = d2i(NULL, &p, outlen);
-	if (seq & 2) memset(out, 0, outlen);
+	if (seq & 2) OPENSSL_cleanse(out, outlen);
 	if(!ret) PKCS12err(PKCS12_F_PKCS12_DECRYPT_D2I,PKCS12_R_DECODE_ERROR);
 	OPENSSL_free (out);
 	return ret;

crypto/pkcs12/p12_key.c

@@ -91,7 +91,7 @@ int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt,
 	ret = PKCS12_key_gen_uni(unipass, uniplen, salt, saltlen,
 						 id, iter, n, out, md_type);
 	if(unipass) {
-		memset(unipass, 0, uniplen);	/* Clear password from memory */
+		OPENSSL_cleanse(unipass, uniplen);	/* Clear password from memory */
 		OPENSSL_free(unipass);
 	}
 	return ret;

crypto/pkcs7/bio_ber.c

@@ -145,7 +145,7 @@ static int ber_free(BIO *a)
 
 	if (a == NULL) return(0);
 	b=(BIO_BER_CTX *)a->ptr;
-	memset(a->ptr,0,sizeof(BIO_BER_CTX));
+	OPENSSL_cleanse(a->ptr,sizeof(BIO_BER_CTX));
 	OPENSSL_free(a->ptr);
 	a->ptr=NULL;
 	a->init=0;

crypto/pkcs7/pk7_doit.c

@@ -241,7 +241,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
 			M_ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj);
 			}
 		OPENSSL_free(tmp);
-		memset(key, 0, keylen);
+		OPENSSL_cleanse(key, keylen);
 
 		if (out == NULL)
 			out=btmp;
@@ -448,7 +448,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
 		} 
 		EVP_CipherInit(evp_ctx,NULL,tmp,NULL,0);
 
-		memset(tmp,0,jj);
+		OPENSSL_cleanse(tmp,jj);
 
 		if (out == NULL)
 			out=etmp;

crypto/rand/md_rand.c

@@ -177,10 +177,10 @@ RAND_METHOD *RAND_SSLeay(void)
 
 static void ssleay_rand_cleanup(void)
 	{
-	memset(state,0,sizeof(state));
+	OPENSSL_cleanse(state,sizeof(state));
 	state_num=0;
 	state_index=0;
-	memset(md,0,MD_DIGEST_LENGTH);
+	OPENSSL_cleanse(md,MD_DIGEST_LENGTH);
 	md_count[0]=0;
 	md_count[1]=0;
 	entropy=0;

crypto/rand/randfile.c

@@ -125,7 +125,7 @@ int RAND_load_file(const char *file, long bytes)
 			}
 		}
 	fclose(in);
-	memset(buf,0,BUFSIZE);
+	OPENSSL_cleanse(buf,BUFSIZE);
 err:
 	return(ret);
 	}
@@ -190,7 +190,7 @@ int RAND_write_file(const char *file)
 #endif /* VMS */
 
 	fclose(out);
-	memset(buf,0,BUFSIZE);
+	OPENSSL_cleanse(buf,BUFSIZE);
 err:
 	return (rand_err ? -1 : ret);
 	}

crypto/rc4/rc4.c

@@ -155,7 +155,7 @@ bad:
 		i=EVP_read_pw_string(buf,BUFSIZ,"Enter RC4 password:",0);
 		if (i != 0)
 			{
-			memset(buf,0,BUFSIZ);
+			OPENSSL_cleanse(buf,BUFSIZ);
 			fprintf(stderr,"bad password read\n");
 			exit(1);
 			}
@@ -163,7 +163,7 @@ bad:
 		}
 
 	MD5((unsigned char *)keystr,(unsigned long)strlen(keystr),md);
-	memset(keystr,0,strlen(keystr));
+	OPENSSL_cleanse(keystr,strlen(keystr));
 	RC4_set_key(&key,MD5_DIGEST_LENGTH,md);
 	
 	for(;;)

crypto/ripemd/rmd_one.c

@@ -70,7 +70,7 @@ unsigned char *RIPEMD160(const unsigned char *d, unsigned long n,
 	RIPEMD160_Init(&c);
 	RIPEMD160_Update(&c,d,n);
 	RIPEMD160_Final(md,&c);
-	memset(&c,0,sizeof(c)); /* security consideration */
+	OPENSSL_cleanse(&c,sizeof(c)); /* security consideration */
 	return(md);
 	}
 

crypto/rsa/rsa.h

@@ -173,6 +173,8 @@ struct rsa_st
 #define RSA_NO_PADDING		3
 #define RSA_PKCS1_OAEP_PADDING	4
 
+#define RSA_PKCS1_PADDING_SIZE	11
+
 #define RSA_set_app_data(s,arg)         RSA_set_ex_data(s,0,arg)
 #define RSA_get_app_data(s)             RSA_get_ex_data(s,0)
 

crypto/rsa/rsa_eay.c

@@ -187,7 +187,7 @@ err:
 	BN_clear_free(&ret);
 	if (buf != NULL) 
 		{
-		memset(buf,0,num);
+		OPENSSL_cleanse(buf,num);
 		OPENSSL_free(buf);
 		}
 	return(r);
@@ -273,7 +273,7 @@ err:
 	BN_clear_free(&f);
 	if (buf != NULL)
 		{
-		memset(buf,0,num);
+		OPENSSL_cleanse(buf,num);
 		OPENSSL_free(buf);
 		}
 	return(r);
@@ -374,7 +374,7 @@ err:
 	BN_clear_free(&ret);
 	if (buf != NULL)
 		{
-		memset(buf,0,num);
+		OPENSSL_cleanse(buf,num);
 		OPENSSL_free(buf);
 		}
 	return(r);
@@ -473,7 +473,7 @@ err:
 	BN_clear_free(&ret);
 	if (buf != NULL)
 		{
-		memset(buf,0,num);
+		OPENSSL_cleanse(buf,num);
 		OPENSSL_free(buf);
 		}
 	return(r);

crypto/rsa/rsa_pk1.c

@@ -68,7 +68,7 @@ int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
 	int j;
 	unsigned char *p;
 
-	if (flen > (tlen-11))
+	if (flen > (tlen-RSA_PKCS1_PADDING_SIZE))
 		{
 		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
 		return(0);

crypto/rsa/rsa_saos.c

@@ -76,7 +76,7 @@ int RSA_sign_ASN1_OCTET_STRING(int type, unsigned char *m, unsigned int m_len,
 
 	i=i2d_ASN1_OCTET_STRING(&sig,NULL);
 	j=RSA_size(rsa);
-	if ((i-RSA_PKCS1_PADDING) > j)
+	if (i > (j-RSA_PKCS1_PADDING_SIZE))
 		{
 		RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
 		return(0);
@@ -95,7 +95,7 @@ int RSA_sign_ASN1_OCTET_STRING(int type, unsigned char *m, unsigned int m_len,
 	else
 		*siglen=i;
 
-	memset(s,0,(unsigned int)j+1);
+	OPENSSL_cleanse(s,(unsigned int)j+1);
 	OPENSSL_free(s);
 	return(ret);
 	}
@@ -137,7 +137,7 @@ int RSA_verify_ASN1_OCTET_STRING(int dtype, unsigned char *m,
 		ret=1;
 err:
 	if (sig != NULL) M_ASN1_OCTET_STRING_free(sig);
-	memset(s,0,(unsigned int)siglen);
+	OPENSSL_cleanse(s,(unsigned int)siglen);
 	OPENSSL_free(s);
 	return(ret);
 	}

crypto/rsa/rsa_sign.c

@@ -111,7 +111,7 @@ int RSA_sign(int type, unsigned char *m, unsigned int m_len,
 		i=i2d_X509_SIG(&sig,NULL);
 	}
 	j=RSA_size(rsa);
-	if ((i-RSA_PKCS1_PADDING) > j)
+	if (i > (j-RSA_PKCS1_PADDING_SIZE))
 		{
 		RSAerr(RSA_F_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
 		return(0);
@@ -133,7 +133,7 @@ int RSA_sign(int type, unsigned char *m, unsigned int m_len,
 		*siglen=i;
 
 	if(type != NID_md5_sha1) {
-		memset(s,0,(unsigned int)j+1);
+		OPENSSL_cleanse(s,(unsigned int)j+1);
 		OPENSSL_free(s);
 	}
 	return(ret);
@@ -217,7 +217,7 @@ int RSA_verify(int dtype, unsigned char *m, unsigned int m_len,
 	}
 err:
 	if (sig != NULL) X509_SIG_free(sig);
-	memset(s,0,(unsigned int)siglen);
+	OPENSSL_cleanse(s,(unsigned int)siglen);
 	OPENSSL_free(s);
 	return(ret);
 	}

crypto/sha/sha1_one.c

@@ -70,7 +70,7 @@ unsigned char *SHA1(const unsigned char *d, unsigned long n, unsigned char *md)
 	SHA1_Init(&c);
 	SHA1_Update(&c,d,n);
 	SHA1_Final(md,&c);
-	memset(&c,0,sizeof(c));
+	OPENSSL_cleanse(&c,sizeof(c));
 	return(md);
 	}
 #endif

crypto/sha/sha_one.c

@@ -70,7 +70,7 @@ unsigned char *SHA(const unsigned char *d, unsigned long n, unsigned char *md)
 	SHA_Init(&c);
 	SHA_Update(&c,d,n);
 	SHA_Final(md,&c);
-	memset(&c,0,sizeof(c));
+	OPENSSL_cleanse(&c,sizeof(c));
 	return(md);
 	}
 #endif

crypto/x509/x509_vfy.c

@@ -897,7 +897,7 @@ void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
 		ctx->chain=NULL;
 		}
 	CRYPTO_free_ex_data(x509_store_ctx_method,ctx,&(ctx->ex_data));
-	memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
+	OPENSSL_cleanse(&ctx->ex_data,sizeof(CRYPTO_EX_DATA));
 	}
 
 void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, long flags)

ssl/s2_lib.c

@@ -307,7 +307,7 @@ void ssl2_free(SSL *s)
 	s2=s->s2;
 	if (s2->rbuf != NULL) OPENSSL_free(s2->rbuf);
 	if (s2->wbuf != NULL) OPENSSL_free(s2->wbuf);
-	memset(s2,0,sizeof *s2);
+	OPENSSL_cleanse(s2,sizeof *s2);
 	OPENSSL_free(s2);
 	s->s2=NULL;
 	}

ssl/s3_clnt.c

@@ -695,6 +695,11 @@ static int ssl3_get_server_hello(SSL *s)
 		goto f_err;
 		}
 
+	/* Depending on the session caching (internal/external), the cipher
+	   and/or cipher_id values may not be set. Make sure that
+	   cipher_id is set and use it for comparison. */
+	if (s->session->cipher)
+		s->session->cipher_id = s->session->cipher->id;
 	if (s->hit && (s->session->cipher_id != c->id))
 		{
 		if (!(s->options &
@@ -1456,7 +1461,7 @@ static int ssl3_send_client_key_exchange(SSL *s)
 				s->method->ssl3_enc->generate_master_secret(s,
 					s->session->master_key,
 					tmp_buf,SSL_MAX_MASTER_KEY_LENGTH);
-			memset(tmp_buf,0,SSL_MAX_MASTER_KEY_LENGTH);
+			OPENSSL_cleanse(tmp_buf,SSL_MAX_MASTER_KEY_LENGTH);
 			}
 		else
 #endif

ssl/s3_enc.c

@@ -174,7 +174,7 @@ static void ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
 
 		km+=MD5_DIGEST_LENGTH;
 		}
-	memset(smd,0,SHA_DIGEST_LENGTH);
+	OPENSSL_cleanse(smd,SHA_DIGEST_LENGTH);
 	}
 
 int ssl3_change_cipher_state(SSL *s, int which)
@@ -318,8 +318,8 @@ int ssl3_change_cipher_state(SSL *s, int which)
 
 	EVP_CipherInit(dd,c,key,iv,(which & SSL3_CC_WRITE));
 
-	memset(&(exp_key[0]),0,sizeof(exp_key));
-	memset(&(exp_iv[0]),0,sizeof(exp_iv));
+	OPENSSL_cleanse(&(exp_key[0]),sizeof(exp_key));
+	OPENSSL_cleanse(&(exp_iv[0]),sizeof(exp_iv));
 	return(1);
 err:
 	SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE);
@@ -390,7 +390,7 @@ void ssl3_cleanup_key_block(SSL *s)
 	{
 	if (s->s3->tmp.key_block != NULL)
 		{
-		memset(s->s3->tmp.key_block,0,
+		OPENSSL_cleanse(s->s3->tmp.key_block,
 			s->s3->tmp.key_block_length);
 		OPENSSL_free(s->s3->tmp.key_block);
 		s->s3->tmp.key_block=NULL;

ssl/s3_lib.c

@@ -732,7 +732,7 @@ void ssl3_free(SSL *s)
 #endif
 	if (s->s3->tmp.ca_names != NULL)
 		sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
-	memset(s->s3,0,sizeof *s->s3);
+	OPENSSL_cleanse(s->s3,sizeof *s->s3);
 	OPENSSL_free(s->s3);
 	s->s3=NULL;
 	}

ssl/s3_srvr.c

@@ -1534,7 +1534,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
 		s->session->master_key_length=
 			s->method->ssl3_enc->generate_master_secret(s,
 				s->session->master_key,p,i);
-		memset(p,0,i);
+		OPENSSL_cleanse(p,i);
 		}
 	else
 #endif

ssl/ssl_sess.c

@@ -477,13 +477,13 @@ void SSL_SESSION_free(SSL_SESSION *ss)
 
 	CRYPTO_free_ex_data(ssl_session_meth,ss,&ss->ex_data);
 
-	memset(ss->key_arg,0,SSL_MAX_KEY_ARG_LENGTH);
-	memset(ss->master_key,0,SSL_MAX_MASTER_KEY_LENGTH);
-	memset(ss->session_id,0,SSL_MAX_SSL_SESSION_ID_LENGTH);
+	OPENSSL_cleanse(ss->key_arg,SSL_MAX_KEY_ARG_LENGTH);
+	OPENSSL_cleanse(ss->master_key,SSL_MAX_MASTER_KEY_LENGTH);
+	OPENSSL_cleanse(ss->session_id,SSL_MAX_SSL_SESSION_ID_LENGTH);
 	if (ss->sess_cert != NULL) ssl_sess_cert_free(ss->sess_cert);
 	if (ss->peer != NULL) X509_free(ss->peer);
 	if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers);
-	memset(ss,0,sizeof(*ss));
+	OPENSSL_cleanse(ss,sizeof(*ss));
 	OPENSSL_free(ss);
 	}
 

ssl/ssltest.c

@@ -224,12 +224,13 @@ int main(int argc, char *argv[])
 	verbose = 0;
 	debug = 0;
 	cipher = 0;
-	
+
+	bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);	
+
 	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
 
 	RAND_seed(rnd_seed, sizeof rnd_seed);
 
-	bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
 	bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE);
 
 	argc--;

ssl/t1_enc.c

@@ -158,7 +158,7 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
 		}
 	HMAC_cleanup(&ctx);
 	HMAC_cleanup(&ctx_tmp);
-	memset(A1,0,sizeof(A1));
+	OPENSSL_cleanse(A1,sizeof(A1));
 	}
 
 static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1,
@@ -372,10 +372,10 @@ printf("\niv=");
 printf("\n");
 #endif
 
-	memset(tmp1,0,sizeof(tmp1));
-	memset(tmp2,0,sizeof(tmp1));
-	memset(iv1,0,sizeof(iv1));
-	memset(iv2,0,sizeof(iv2));
+	OPENSSL_cleanse(tmp1,sizeof(tmp1));
+	OPENSSL_cleanse(tmp2,sizeof(tmp1));
+	OPENSSL_cleanse(iv1,sizeof(iv1));
+	OPENSSL_cleanse(iv2,sizeof(iv2));
 	return(1);
 err:
 	SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE);
@@ -426,7 +426,7 @@ printf("pre-master\n");
 { int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->session->master_key[z],((z+1)%16)?' ':'\n'); }
 #endif
 	tls1_generate_key_block(s,p1,p2,num);
-	memset(p2,0,num);
+	OPENSSL_cleanse(p2,num);
 	OPENSSL_free(p2);
 #ifdef TLS_DEBUG
 printf("\nkey block\n");

util/libeay.num

@@ -1934,3 +1934,4 @@ ENGINE_set_ctrl_function                2522	EXIST::FUNCTION:
 BN_pseudo_rand_range                    2523	EXIST::FUNCTION:
 X509_STORE_CTX_set_verify_cb            2524	EXIST::FUNCTION:
 ERR_load_COMP_strings                   2525	EXIST::FUNCTION:
+OPENSSL_cleanse                         3245	EXIST::FUNCTION: