Add some missing smemclrs and sfrees.

The absence of these could have prevented sensitive private key
information from being properly cleared out of memory that PuTTY tools
had finished with.

Thanks to Patrick Coleman for spotting this and sending a patch.

diff --git a/sshpubk.c b/sshpubk.c
index 74cf1080373ae02d8277602f18ca79ecbdbc7f91..63b54b12e3ccec9bb103dd076ba8b6c0930a43cd 100644 (file)
--- a/sshpubk.c
+++ b/sshpubk.c
@@ -796,6 +796,7 @@ struct ssh2_userkey *ssh2_load_userkey(const Filename *filename,
        goto error;
     }
     sfree(public_blob);
+    smemclr(private_blob, private_blob_len);
     sfree(private_blob);
     sfree(encryption);
     if (errorstr)
@@ -816,8 +817,10 @@ struct ssh2_userkey *ssh2_load_userkey(const Filename *filename,
        sfree(mac);
     if (public_blob)
        sfree(public_blob);
-    if (private_blob)
-       sfree(private_blob);
+    if (private_blob) {
+        smemclr(private_blob, private_blob_len);
+        sfree(private_blob);
+    }
     if (errorstr)
        *errorstr = error;
     return ret;
@@ -1106,8 +1109,14 @@ int ssh2_save_userkey(const Filename *filename, struct ssh2_userkey *key,
     }
 
     fp = f_open(filename, "w", TRUE);
-    if (!fp)
-       return 0;
+    if (!fp) {
+        sfree(pub_blob);
+        smemclr(priv_blob, priv_blob_len);
+        sfree(priv_blob);
+        smemclr(priv_blob_encrypted, priv_blob_len);
+        sfree(priv_blob_encrypted);
+        return 0;
+    }
     fprintf(fp, "PuTTY-User-Key-File-2: %s\n", key->alg->name);
     fprintf(fp, "Encryption: %s\n", cipherstr);
     fprintf(fp, "Comment: %s\n", key->comment);
@@ -1124,6 +1133,7 @@ int ssh2_save_userkey(const Filename *filename, struct ssh2_userkey *key,
     sfree(pub_blob);
     smemclr(priv_blob, priv_blob_len);
     sfree(priv_blob);
+    smemclr(priv_blob_encrypted, priv_blob_len);
     sfree(priv_blob_encrypted);
     return 1;
 }