From 7209523ffd909ed1914f4ec2544d327a950b19d2 Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi <k@rhe.jp>
Date: Wed, 8 Apr 2026 21:52:33 +0900
Subject: [ruby/openssl] kdf: fix wrong OPENSSL_cleanse() calls

Embarrassingly, the previous commits introduced OPENSSL_cleanse() calls
against the temporary struct instead of the buffer content. Thanks to
nagachika for noticing.

https://github.com/ruby/openssl/commit/8eca3efad4
---
 ext/openssl/ossl_kdf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ext/openssl/ossl_kdf.c b/ext/openssl/ossl_kdf.c
index ab2b6bba0a..f70b7f6cf9 100644
--- a/ext/openssl/ossl_kdf.c
+++ b/ext/openssl/ossl_kdf.c
@@ -92,7 +92,7 @@ kdf_pbkdf2_hmac(int argc, VALUE *argv, VALUE self)
     memcpy(args.salt, RSTRING_PTR(salt), saltlen);
     if (!rb_thread_call_without_gvl(pbkdf2_hmac_nogvl, &args, NULL, NULL))
         ossl_raise(eKDF, "PKCS5_PBKDF2_HMAC");
-    OPENSSL_cleanse(&args.pass, passlen);
+    OPENSSL_cleanse(args.pass, passlen);
     ALLOCV_END(pass_tmp);
     ALLOCV_END(salt_tmp);
     return str;
@@ -200,7 +200,7 @@ kdf_scrypt(int argc, VALUE *argv, VALUE self)
     memcpy(args.salt, RSTRING_PTR(salt), saltlen);
     if (!rb_thread_call_without_gvl(scrypt_nogvl, &args, NULL, NULL))
         ossl_raise(eKDF, "EVP_PBE_scrypt");
-    OPENSSL_cleanse(&args.pass, passlen);
+    OPENSSL_cleanse(args.pass, passlen);
     ALLOCV_END(pass_tmp);
     ALLOCV_END(salt_tmp);
     return str;
-- 
cgit v1.2.3