[ruby/openssl] kdf: fix wrong OPENSSL_cleanse() calls

rhenium · matzbot · commit 7209523ffd90 · 2026-04-08T13:00:08.000Z
Embarrassingly, the previous commits introduced OPENSSL_cleanse() calls against the temporary struct instead of the buffer content. Thanks to nagachika for noticing. ruby/openssl@8eca3efad4
diff --git a/ext/openssl/ossl_kdf.c b/ext/openssl/ossl_kdf.c
@@ -92,7 +92,7 @@ kdf_pbkdf2_hmac(int argc, VALUE *argv, VALUE self)
     memcpy(args.salt, RSTRING_PTR(salt), saltlen);
     if (!rb_thread_call_without_gvl(pbkdf2_hmac_nogvl, &args, NULL, NULL))
         ossl_raise(eKDF, "PKCS5_PBKDF2_HMAC");
-    OPENSSL_cleanse(&args.pass, passlen);
+    OPENSSL_cleanse(args.pass, passlen);
     ALLOCV_END(pass_tmp);
     ALLOCV_END(salt_tmp);
     return str;
@@ -200,7 +200,7 @@ kdf_scrypt(int argc, VALUE *argv, VALUE self)
     memcpy(args.salt, RSTRING_PTR(salt), saltlen);
     if (!rb_thread_call_without_gvl(scrypt_nogvl, &args, NULL, NULL))
         ossl_raise(eKDF, "EVP_PBE_scrypt");
-    OPENSSL_cleanse(&args.pass, passlen);
+    OPENSSL_cleanse(args.pass, passlen);
     ALLOCV_END(pass_tmp);
     ALLOCV_END(salt_tmp);
     return str;
