Use explicit_bzero() instead of memset() on buffers going out of scope.

Also, zero the SHA256 context.

suggested by "eric" in a comment on an opensslrampage.org post
ok miod@ deraadt@

diff --git a/lib/libcrypto/arc4random/getentropy_linux.c b/lib/libcrypto/arc4random/getentropy_linux.c
index 6947102..eeaf9a4 100644 (file)
--- a/lib/libcrypto/arc4random/getentropy_linux.c
+++ b/lib/libcrypto/arc4random/getentropy_linux.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: getentropy_linux.c,v 1.29 2014/07/21 19:15:56 deraadt Exp $   */
+/*     $OpenBSD: getentropy_linux.c,v 1.30 2014/07/21 20:19:47 guenther Exp $  */
 
 /*
  * Copyright (c) 2014 Theo de Raadt <deraadt@openbsd.org>
@@ -539,7 +539,8 @@ getentropy_fallback(void *buf, size_t len)
                memcpy((char *)buf + i, results, min(sizeof(results), len - i));
                i += min(sizeof(results), len - i);
        }
-       memset(results, 0, sizeof results);
+       explicit_bzero(&ctx, sizeof ctx);
+       explicit_bzero(results, sizeof results);
        if (gotdata(buf, len) == 0) {
                errno = save_errno;
                return 0;               /* satisfied */

diff --git a/lib/libcrypto/arc4random/getentropy_osx.c b/lib/libcrypto/arc4random/getentropy_osx.c
index b0ffda8..ac5c748 100644 (file)
--- a/lib/libcrypto/arc4random/getentropy_osx.c
+++ b/lib/libcrypto/arc4random/getentropy_osx.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: getentropy_osx.c,v 1.7 2014/07/19 16:12:00 deraadt Exp $      */
+/*     $OpenBSD: getentropy_osx.c,v 1.8 2014/07/21 20:19:47 guenther Exp $     */
 
 /*
  * Copyright (c) 2014 Theo de Raadt <deraadt@openbsd.org>
@@ -418,7 +418,8 @@ getentropy_fallback(void *buf, size_t len)
                memcpy((char *)buf + i, results, min(sizeof(results), len - i));
                i += min(sizeof(results), len - i);
        }
-       memset(results, 0, sizeof results);
+       explicit_bzero(&ctx, sizeof ctx);
+       explicit_bzero(results, sizeof results);
        if (gotdata(buf, len) == 0) {
                errno = save_errno;
                return 0;               /* satisfied */

diff --git a/lib/libcrypto/arc4random/getentropy_solaris.c b/lib/libcrypto/arc4random/getentropy_solaris.c
index fed0eeb..6ec2fe5 100644 (file)
--- a/lib/libcrypto/arc4random/getentropy_solaris.c
+++ b/lib/libcrypto/arc4random/getentropy_solaris.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: getentropy_solaris.c,v 1.8 2014/07/19 16:12:00 deraadt Exp $  */
+/*     $OpenBSD: getentropy_solaris.c,v 1.9 2014/07/21 20:19:47 guenther Exp $ */
 
 /*
  * Copyright (c) 2014 Theo de Raadt <deraadt@openbsd.org>
@@ -434,7 +434,8 @@ getentropy_fallback(void *buf, size_t len)
                memcpy((char *)buf + i, results, min(sizeof(results), len - i));
                i += min(sizeof(results), len - i);
        }
-       memset(results, 0, sizeof results);
+       explicit_bzero(&ctx, sizeof ctx);
+       explicit_bzero(results, sizeof results);
        if (gotdata(buf, len) == 0) {
                errno = save_errno;
                return 0;               /* satisfied */

diff --git a/lib/libcrypto/crypto/getentropy_linux.c b/lib/libcrypto/crypto/getentropy_linux.c
index 6947102..eeaf9a4 100644 (file)
--- a/lib/libcrypto/crypto/getentropy_linux.c
+++ b/lib/libcrypto/crypto/getentropy_linux.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: getentropy_linux.c,v 1.29 2014/07/21 19:15:56 deraadt Exp $   */
+/*     $OpenBSD: getentropy_linux.c,v 1.30 2014/07/21 20:19:47 guenther Exp $  */
 
 /*
  * Copyright (c) 2014 Theo de Raadt <deraadt@openbsd.org>
@@ -539,7 +539,8 @@ getentropy_fallback(void *buf, size_t len)
                memcpy((char *)buf + i, results, min(sizeof(results), len - i));
                i += min(sizeof(results), len - i);
        }
-       memset(results, 0, sizeof results);
+       explicit_bzero(&ctx, sizeof ctx);
+       explicit_bzero(results, sizeof results);
        if (gotdata(buf, len) == 0) {
                errno = save_errno;
                return 0;               /* satisfied */

diff --git a/lib/libcrypto/crypto/getentropy_osx.c b/lib/libcrypto/crypto/getentropy_osx.c
index b0ffda8..ac5c748 100644 (file)
--- a/lib/libcrypto/crypto/getentropy_osx.c
+++ b/lib/libcrypto/crypto/getentropy_osx.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: getentropy_osx.c,v 1.7 2014/07/19 16:12:00 deraadt Exp $      */
+/*     $OpenBSD: getentropy_osx.c,v 1.8 2014/07/21 20:19:47 guenther Exp $     */
 
 /*
  * Copyright (c) 2014 Theo de Raadt <deraadt@openbsd.org>
@@ -418,7 +418,8 @@ getentropy_fallback(void *buf, size_t len)
                memcpy((char *)buf + i, results, min(sizeof(results), len - i));
                i += min(sizeof(results), len - i);
        }
-       memset(results, 0, sizeof results);
+       explicit_bzero(&ctx, sizeof ctx);
+       explicit_bzero(results, sizeof results);
        if (gotdata(buf, len) == 0) {
                errno = save_errno;
                return 0;               /* satisfied */

diff --git a/lib/libcrypto/crypto/getentropy_solaris.c b/lib/libcrypto/crypto/getentropy_solaris.c
index fed0eeb..6ec2fe5 100644 (file)
--- a/lib/libcrypto/crypto/getentropy_solaris.c
+++ b/lib/libcrypto/crypto/getentropy_solaris.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: getentropy_solaris.c,v 1.8 2014/07/19 16:12:00 deraadt Exp $  */
+/*     $OpenBSD: getentropy_solaris.c,v 1.9 2014/07/21 20:19:47 guenther Exp $ */
 
 /*
  * Copyright (c) 2014 Theo de Raadt <deraadt@openbsd.org>
@@ -434,7 +434,8 @@ getentropy_fallback(void *buf, size_t len)
                memcpy((char *)buf + i, results, min(sizeof(results), len - i));
                i += min(sizeof(results), len - i);
        }
-       memset(results, 0, sizeof results);
+       explicit_bzero(&ctx, sizeof ctx);
+       explicit_bzero(results, sizeof results);
        if (gotdata(buf, len) == 0) {
                errno = save_errno;
                return 0;               /* satisfied */