From 177d433bda2ffd287d676bc53b549b6c246973e6 Mon Sep 17 00:00:00 2001
From: slontis <shane.lontis@oracle.com>
Date: Thu, 22 Dec 2022 12:01:02 +1000
Subject: Cleanse internal BN_generate_dsa_nonce() buffers used to generate k.

Fixes #9205

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19954)
---
 crypto/bn/bn_rand.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'crypto/bn')

diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c
index 46ace0744d..3b213d46c5 100644
--- a/crypto/bn/bn_rand.c
+++ b/crypto/bn/bn_rand.c
@@ -318,7 +318,9 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
  err:
     EVP_MD_CTX_free(mdctx);
     EVP_MD_free(md);
-    OPENSSL_free(k_bytes);
+    OPENSSL_clear_free(k_bytes, num_k_bytes);
+    OPENSSL_cleanse(digest, sizeof(digest));
+    OPENSSL_cleanse(random_bytes, sizeof(random_bytes));
     OPENSSL_cleanse(private_bytes, sizeof(private_bytes));
     return ret;
 }
-- 
cgit v1.2.3