Cleanse PKCS#8 private key components.

New function ASN1_STRING_clear_free which cleanses an ASN1_STRING
structure before freeing it.

Call ASN1_STRING_clear_free on PKCS#8 private key components.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a8ae0891d4bfd18f224777aed1fbb172504421f1)

crypto/asn1/asn1.h

@@ -795,6 +795,7 @@ DECLARE_ASN1_SET_OF(ASN1_OBJECT)
 
 ASN1_STRING *ASN1_STRING_new(void);
 void ASN1_STRING_free(ASN1_STRING *a);
+void ASN1_STRING_clear_free(ASN1_STRING *a);
 int ASN1_STRING_copy(ASN1_STRING *dst, const ASN1_STRING *str);
 ASN1_STRING *ASN1_STRING_dup(const ASN1_STRING *a);
 ASN1_STRING *ASN1_STRING_type_new(int type);

crypto/asn1/asn1_lib.c

@@ -430,6 +430,13 @@ void ASN1_STRING_free(ASN1_STRING *a)
     OPENSSL_free(a);
 }
 
+void ASN1_STRING_clear_free(ASN1_STRING *a)
+{
+    if (a && a->data && !(a->flags & ASN1_STRING_FLAG_NDEF))
+        OPENSSL_cleanse(a->data, a->length);
+    ASN1_STRING_free(a);
+}
+
 int ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
 {
     int i;

crypto/dh/dh_ameth.c

@@ -215,7 +215,7 @@ static int dh_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
 
     EVP_PKEY_assign_DH(pkey, dh);
 
-    ASN1_INTEGER_free(privkey);
+    ASN1_STRING_clear_free(privkey);
 
     return 1;
 
@@ -223,7 +223,7 @@ static int dh_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
     DHerr(DH_F_DH_PRIV_DECODE, EVP_R_DECODE_ERROR);
  dherr:
     DH_free(dh);
-    ASN1_INTEGER_free(privkey);
+    ASN1_STRING_clear_free(privkey);
     return 0;
 }
 
@@ -258,7 +258,7 @@ static int dh_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
 
     dplen = i2d_ASN1_INTEGER(prkey, &dp);
 
-    ASN1_INTEGER_free(prkey);
+    ASN1_STRING_clear_free(prkey);
     prkey = NULL;
 
     if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_dhKeyAgreement), 0,
@@ -273,7 +273,7 @@ static int dh_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
     if (params != NULL)
         ASN1_STRING_free(params);
     if (prkey != NULL)
-        ASN1_INTEGER_free(prkey);
+        ASN1_STRING_clear_free(prkey);
     return 0;
 }
 

crypto/dsa/dsa_ameth.c

@@ -226,7 +226,7 @@ static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
             goto decerr;
         if (privkey->type == V_ASN1_NEG_INTEGER) {
             p8->broken = PKCS8_NEG_PRIVKEY;
-            ASN1_INTEGER_free(privkey);
+            ASN1_STRING_clear_free(privkey);
             if (!(privkey = d2i_ASN1_UINTEGER(NULL, &q, pklen)))
                 goto decerr;
         }
@@ -264,7 +264,7 @@ static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
     if (ndsa)
         sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
     else
-        ASN1_INTEGER_free(privkey);
+        ASN1_STRING_clear_free(privkey);
 
     return 1;
 
@@ -273,7 +273,7 @@ static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
  dsaerr:
     BN_CTX_free(ctx);
     if (privkey)
-        ASN1_INTEGER_free(privkey);
+        ASN1_STRING_clear_free(privkey);
     sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
     DSA_free(dsa);
     return 0;
@@ -315,7 +315,7 @@ static int dsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
 
     dplen = i2d_ASN1_INTEGER(prkey, &dp);
 
-    ASN1_INTEGER_free(prkey);
+    ASN1_STRING_clear_free(prkey);
 
     if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_dsa), 0,
                          V_ASN1_SEQUENCE, params, dp, dplen))
@@ -329,7 +329,7 @@ static int dsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
     if (params != NULL)
         ASN1_STRING_free(params);
     if (prkey != NULL)
-        ASN1_INTEGER_free(prkey);
+        ASN1_STRING_clear_free(prkey);
     return 0;
 }