overwrite the key in failure modes in case the caller doesn't check.

ok deraadt

src/lib/libutil/bcrypt_pbkdf.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: bcrypt_pbkdf.c,v 1.13 2015/01/12 03:20:04 tedu Exp $ */
+/* $OpenBSD: bcrypt_pbkdf.c,v 1.14 2019/11/21 16:07:24 tedu Exp $ */
 /*
  * Copyright (c) 2013 Ted Unangst <tedu@openbsd.org>
  *
@@ -110,10 +110,10 @@ bcrypt_pbkdf(const char *pass, size_t passlen, const uint8_t *salt, size_t saltl
 
 	/* nothing crazy */
 	if (rounds < 1)
-		return -1;
+		goto bad;
 	if (passlen == 0 || saltlen == 0 || keylen == 0 ||
 	    keylen > sizeof(out) * sizeof(out))
-		return -1;
+		goto bad;
 	stride = (keylen + sizeof(out) - 1) / sizeof(out);
 	amt = (keylen + stride - 1) / stride;
 
@@ -166,4 +166,9 @@ bcrypt_pbkdf(const char *pass, size_t passlen, const uint8_t *salt, size_t saltl
 	explicit_bzero(out, sizeof(out));
 
 	return 0;
+
+bad:
+	/* overwrite with random in case caller doesn't check return code */
+	arc4random_buf(key, keylen);
+	return -1;
 }

src/lib/libutil/pkcs5_pbkdf2.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: pkcs5_pbkdf2.c,v 1.10 2017/04/18 04:06:21 deraadt Exp $	*/
+/*	$OpenBSD: pkcs5_pbkdf2.c,v 1.11 2019/11/21 16:07:24 tedu Exp $	*/
 
 /*-
  * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
@@ -84,11 +84,11 @@ pkcs5_pbkdf2(const char *pass, size_t pass_len, const uint8_t *salt,
 	size_t r;
 
 	if (rounds < 1 || key_len == 0)
-		return -1;
+		goto bad;
 	if (salt_len == 0 || salt_len > SIZE_MAX - 4)
-		return -1;
+		goto bad;
 	if ((asalt = malloc(salt_len + 4)) == NULL)
-		return -1;
+		goto bad;
 
 	memcpy(asalt, salt, salt_len);
 
@@ -118,4 +118,9 @@ pkcs5_pbkdf2(const char *pass, size_t pass_len, const uint8_t *salt,
 	explicit_bzero(obuf, sizeof(obuf));
 
 	return 0;
+
+bad:
+	/* overwrite with random in case caller doesn't check return code */
+	arc4random_buf(key, key_len);
+	return -1;
 }