fix: use BN_clear_free() for private key BIGNUMs in _get_key_parameters() #137
Merged
timlegge merged 1 commit into cpan-authors:main from Mar 22, 2026
…rs()
On OpenSSL 3.x, EVP_PKEY_get_bn_param() allocates new BIGNUMs. After cor_bn2sv() duplicates them, the originals containing private key material (d, p, q, dmp1, dmq1, iqmp) were freed with BN_free() which does not wipe the memory. Use BN_clear_free() to securely zero sensitive data before freeing, consistent with _is_private() and _new_key_from_parameters().
Public components (n, e) remain with BN_free() — no sensitive data.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
What
Securely wipe private key BIGNUMs before freeing in _get_key_parameters() on OpenSSL 3.x.
Why
On 3.x, EVP_PKEY_get_bn_param() allocates new BIGNUMs containing private key material. After cor_bn2sv() duplicates them, the originals (d, p, q, dmp1, dmq1, iqmp) were freed with BN_free() — which deallocates without zeroing. This leaves private key data in freed heap memory, recoverable by heap-scanning attacks.
The rest of the codebase already uses BN_clear_free() for these same parameters: _is_private() (line 113) and _new_key_from_parameters() (lines 726-733, 790-794).
How
Changed 6 BN_free() calls to BN_clear_free() for sensitive components. Public components (n, e) stay with BN_free() — not sensitive.
Testing
Full test suite passes (499 tests, 16 files).
🤖 Generated with Claude Code
Quality Report
Changes: 1 file changed, 6 insertions(+), 6 deletions(-)
Code scan: clean
Tests: passed (OK)
Branch hygiene: clean
Generated by Kōan post-mission quality pipeline
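The difference the PR description relies on, modelled as an added example (not code from this PR or the project): a temporary copy of a key component that is released without wiping stays in the released buffer, while a wiped one does not. It does not call OpenSSL; the fixed arena and the names `slot_alloc`, `slot_release`, `residue_count` and `export_component` are hypothetical stand-ins, used so that released memory can be inspected without undefined behaviour.

```c
#include <string.h>

/* Constructed stand-in for the heap: released slots stay readable, so the
   residue can be inspected without undefined behaviour. */
#define SLOT_SIZE 32
#define SLOT_COUNT 8
static unsigned char arena[SLOT_COUNT * SLOT_SIZE];
static int in_use[SLOT_COUNT];

static unsigned char *slot_alloc(void) {
    for (int i = 0; i < SLOT_COUNT; i++)
        if (!in_use[i]) { in_use[i] = 1; return arena + i * SLOT_SIZE; }
    return NULL;
}

/* wipe=0 models BN_free(): release only. wipe=1 models BN_clear_free():
   zero through a volatile pointer so the stores are kept, then release. */
static void slot_release(unsigned char *p, int wipe) {
    volatile unsigned char *v = p;
    for (size_t i = 0; wipe && i < SLOT_SIZE; i++) v[i] = 0;
    in_use[(p - arena) / SLOT_SIZE] = 0;
}

/* Number of released slots that still start with the given bytes. */
static int residue_count(const unsigned char *val, size_t len) {
    int hits = 0;
    for (int i = 0; i < SLOT_COUNT; i++)
        if (!in_use[i] && memcmp(arena + i * SLOT_SIZE, val, len) == 0) hits++;
    return hits;
}

/* Flow from the PR description: fetch into a fresh buffer, duplicate for the
   caller, release the original. Returns the residue count, or -1 on error. */
int export_component(const unsigned char *val, size_t len, unsigned char *out,
                     int is_private, int wipe_private) {
    unsigned char *tmp = (len <= SLOT_SIZE) ? slot_alloc() : NULL;
    if (!tmp) return -1;
    memcpy(tmp, val, len);   /* stands in for EVP_PKEY_get_bn_param() */
    memcpy(out, tmp, len);   /* stands in for cor_bn2sv() */
    slot_release(tmp, is_private && wipe_private);
    return residue_count(val, len);
}

int main(void) {   /* exit 0 when only the unwiped path leaves residue */
    unsigned char d[16], out[16];
    memset(d, 0xD1, sizeof d);   /* constructed "private" value */
    return !(export_component(d, sizeof d, out, 1, 0) == 1 &&
             export_component(d, sizeof d, out, 1, 1) == 0);
}
```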