diff --git a/lib/internal.c b/lib/internal.c
index 20b911a..a3b66cd 100644
--- a/lib/internal.c
+++ b/lib/internal.c
@@ -241,6 +241,7 @@ des_rc des_import_key(const int type, const unsigned char* keyraw, const size_t
 EXIT:
 #ifdef _WINDOWS
 if (pbSessionBlob) {
+ yc_memzero(pbSessionBlob, cbSessionBlob);
 free(pbSessionBlob);
 pbSessionBlob = NULL;
 }
@@ -353,6 +354,7 @@ EXIT:
 bool yk_des_is_weak_key(const unsigned char *key, const size_t cb_key) {
 #ifdef _WINDOWS
+ bool rv = false;
 /* defined weak keys, borrowed from openssl to be consistent across platforms */
 static const unsigned char weak_keys[][DES_LEN_DES] = {
 /* weak keys */
@@ -400,11 +402,13 @@ bool yk_des_is_weak_key(const unsigned char *key, const size_t cb_key) {
 if ((0 == memcmp(weak_keys[i], tmp, DES_LEN_DES)) ||
 (0 == memcmp(weak_keys[i], tmp + DES_LEN_DES, DES_LEN_DES)) ||
 (0 == memcmp(weak_keys[i], tmp + 2*DES_LEN_DES, DES_LEN_DES))) {
- return true;
+ rv = true;
+ break;
 }
 }
- return false;
+ yc_memzero(tmp, DES_LEN_3DES);
+ return rv;
 #else
 (void)cb_key; /* unused */
diff --git a/lib/ykpiv.c b/lib/ykpiv.c
index 49f284f..f9ee4a1 100644
--- a/lib/ykpiv.c
+++ b/lib/ykpiv.c
@@ -838,6 +838,7 @@ ykpiv_rc ykpiv_set_mgmkey2(ykpiv_state *state, const unsigned char *new_key, con
 res = YKPIV_GENERIC_ERROR;
 Cleanup:
+ yc_memzero(&apdu, sizeof(APDU));
 _ykpiv_end_transaction(state);
 return res;
 }
@@ -1704,6 +1705,7 @@ ykpiv_rc ykpiv_import_private_key(ykpiv_state *state, const unsigned char key, u
 }
 Cleanup:
+ yc_memzero(key_data, sizeof(key_data));
 _ykpiv_end_transaction(state);
 return res;
 }
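Review bot: Every wipe added in this commit is a store into memory that is about to be freed or go out of scope, so it survives optimisation only if `yc_memzero` is built on a primitive the compiler may not elide; its definition is not part of this diff and should be confirmed (the same applies to the `tmp`, `apdu` and `key_data` hunks). In this hunk the call also trusts `cbSessionBlob` to equal the allocated length of `pbSessionBlob` on every path that reaches `EXIT:`; the allocation and the jumps are outside the hunk. A short comment such as `/* session blob holds key material: wipe before free */` would record why the order matters.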
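Review bot: `yc_memzero(tmp, DES_LEN_3DES)` repeats the buffer length as a constant; if `tmp` is a local array (its declaration is above the hunk), `yc_memzero(tmp, sizeof(tmp));` keeps the wipe tied to the buffer, as the `key_data` hunk in lib/ykpiv.c already does. The single-exit rewrite only clears the key copy if no earlier `return` sits between filling `tmp` and this loop. That part of yk_des_is_weak_key is outside the hunk and is worth checking.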
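Review bot: `sizeof(APDU)` names the type rather than the object being wiped; `yc_memzero(&apdu, sizeof(apdu));` stays correct if the declaration of `apdu` ever changes. The `sizeof(key_data)` form in the ykpiv_import_private_key hunk is the better pattern, but it covers the whole buffer only if `key_data` is an array declared in that function rather than a pointer. Neither declaration is visible here, and both functions start outside their hunks.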