From 6fd1ff93b61aebeb899a0df564198b065ae90d26 Mon Sep 17 00:00:00 2001
From: guenther <>
Date: Mon, 21 Jul 2014 20:19:47 +0000
Subject: [PATCH] Use explicit_bzero() instead of memset() on buffers going out of scope.

Also, zero the SHA256 context.

suggested by "eric" in a comment on an opensslrampage.org post
ok miod@ deraadt@
---
 src/lib/libcrypto/arc4random/getentropy_linux.c | 5 +++--
 src/lib/libcrypto/arc4random/getentropy_osx.c | 5 +++--
 src/lib/libcrypto/arc4random/getentropy_solaris.c | 5 +++--
 src/lib/libcrypto/crypto/getentropy_linux.c | 5 +++--
 src/lib/libcrypto/crypto/getentropy_osx.c | 5 +++--
 src/lib/libcrypto/crypto/getentropy_solaris.c | 5 +++--
 6 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/src/lib/libcrypto/arc4random/getentropy_linux.c b/src/lib/libcrypto/arc4random/getentropy_linux.c
index 69471021..eeaf9a4e 100644
--- a/src/lib/libcrypto/arc4random/getentropy_linux.c
+++ b/src/lib/libcrypto/arc4random/getentropy_linux.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: getentropy_linux.c,v 1.29 2014/07/21 19:15:56 deraadt Exp $ */
+/* $OpenBSD: getentropy_linux.c,v 1.30 2014/07/21 20:19:47 guenther Exp $ */
 /*
 * Copyright (c) 2014 Theo de Raadt
@@ -539,7 +539,8 @@ getentropy_fallback(void *buf, size_t len)
 memcpy((char *)buf + i, results, min(sizeof(results), len - i));
 i += min(sizeof(results), len - i);
 }
- memset(results, 0, sizeof results);
+ explicit_bzero(&ctx, sizeof ctx);
+ explicit_bzero(results, sizeof results);
 if (gotdata(buf, len) == 0) {
 errno = save_errno;
 return 0; /* satisfied */
diff --git a/src/lib/libcrypto/arc4random/getentropy_osx.c b/src/lib/libcrypto/arc4random/getentropy_osx.c
index b0ffda8c..ac5c748f 100644
--- a/src/lib/libcrypto/arc4random/getentropy_osx.c
+++ b/src/lib/libcrypto/arc4random/getentropy_osx.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: getentropy_osx.c,v 1.7 2014/07/19 16:12:00 deraadt Exp $ */
+/* $OpenBSD: getentropy_osx.c,v 1.8 2014/07/21 20:19:47 guenther Exp $ */
 /*
 * Copyright (c) 2014 Theo de Raadt
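Review bot: explicit_bzero() is an OpenBSD libc extension, and the platforms these files target (Linux, OS X, Solaris) did not provide it at the time of this commit (glibc only added it in 2.25), so the two added calls in getentropy_fallback compile only if the portable build's compat layer supplies both a declaration and an implementation; the hunk adds no include, and the declarations of `ctx` and `results` sit outside it, so this cannot be confirmed from the diff. The compat implementation should also be checked to ensure it is defined in a way the optimizer cannot elide (an inline wrapper around a plain memset would reintroduce the dead-store problem this commit is fixing); a short comment such as `/* explicit_bzero() comes from the compat layer on non-BSD targets */` above the calls would make the dependency visible to the next reader. The same change appears in the five other hunks (arc4random/getentropy_osx.c, arc4random/getentropy_solaris.c, crypto/getentropy_linux.c, crypto/getentropy_osx.c, crypto/getentropy_solaris.c) and the same check applies there. The body of getentropy_fallback begins before this hunk.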
@@ -418,7 +418,8 @@ getentropy_fallback(void *buf, size_t len)
 memcpy((char *)buf + i, results, min(sizeof(results), len - i));
 i += min(sizeof(results), len - i);
 }
- memset(results, 0, sizeof results);
+ explicit_bzero(&ctx, sizeof ctx);
+ explicit_bzero(results, sizeof results);
 if (gotdata(buf, len) == 0) {
 errno = save_errno;
 return 0; /* satisfied */
diff --git a/src/lib/libcrypto/arc4random/getentropy_solaris.c b/src/lib/libcrypto/arc4random/getentropy_solaris.c
index fed0eeb5..6ec2fe58 100644
--- a/src/lib/libcrypto/arc4random/getentropy_solaris.c
+++ b/src/lib/libcrypto/arc4random/getentropy_solaris.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: getentropy_solaris.c,v 1.8 2014/07/19 16:12:00 deraadt Exp $ */
+/* $OpenBSD: getentropy_solaris.c,v 1.9 2014/07/21 20:19:47 guenther Exp $ */
 /*
 * Copyright (c) 2014 Theo de Raadt
@@ -434,7 +434,8 @@ getentropy_fallback(void *buf, size_t len)
 memcpy((char *)buf + i, results, min(sizeof(results), len - i));
 i += min(sizeof(results), len - i);
 }
- memset(results, 0, sizeof results);
+ explicit_bzero(&ctx, sizeof ctx);
+ explicit_bzero(results, sizeof results);
 if (gotdata(buf, len) == 0) {
 errno = save_errno;
 return 0; /* satisfied */
diff --git a/src/lib/libcrypto/crypto/getentropy_linux.c b/src/lib/libcrypto/crypto/getentropy_linux.c
index 69471021..eeaf9a4e 100644
--- a/src/lib/libcrypto/crypto/getentropy_linux.c
+++ b/src/lib/libcrypto/crypto/getentropy_linux.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: getentropy_linux.c,v 1.29 2014/07/21 19:15:56 deraadt Exp $ */
+/* $OpenBSD: getentropy_linux.c,v 1.30 2014/07/21 20:19:47 guenther Exp $ */
 /*
 * Copyright (c) 2014 Theo de Raadt
@@ -539,7 +539,8 @@ getentropy_fallback(void *buf, size_t len)
 memcpy((char *)buf + i, results, min(sizeof(results), len - i));
 i += min(sizeof(results), len - i);
 }
- memset(results, 0, sizeof results);
+ explicit_bzero(&ctx, sizeof ctx);
+ explicit_bzero(results, sizeof results);
 if (gotdata(buf, len) == 0) {
 errno = save_errno;
 return 0; /* satisfied */
diff --git a/src/lib/libcrypto/crypto/getentropy_osx.c b/src/lib/libcrypto/crypto/getentropy_osx.c
index b0ffda8c..ac5c748f 100644
--- a/src/lib/libcrypto/crypto/getentropy_osx.c
+++ b/src/lib/libcrypto/crypto/getentropy_osx.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: getentropy_osx.c,v 1.7 2014/07/19 16:12:00 deraadt Exp $ */
+/* $OpenBSD: getentropy_osx.c,v 1.8 2014/07/21 20:19:47 guenther Exp $ */
 /*
 * Copyright (c) 2014 Theo de Raadt
@@ -418,7 +418,8 @@ getentropy_fallback(void *buf, size_t len)
 memcpy((char *)buf + i, results, min(sizeof(results), len - i));
 i += min(sizeof(results), len - i);
 }
- memset(results, 0, sizeof results);
+ explicit_bzero(&ctx, sizeof ctx);
+ explicit_bzero(results, sizeof results);
 if (gotdata(buf, len) == 0) {
 errno = save_errno;
 return 0; /* satisfied */
diff --git a/src/lib/libcrypto/crypto/getentropy_solaris.c b/src/lib/libcrypto/crypto/getentropy_solaris.c
index fed0eeb5..6ec2fe58 100644
--- a/src/lib/libcrypto/crypto/getentropy_solaris.c
+++ b/src/lib/libcrypto/crypto/getentropy_solaris.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: getentropy_solaris.c,v 1.8 2014/07/19 16:12:00 deraadt Exp $ */
+/* $OpenBSD: getentropy_solaris.c,v 1.9 2014/07/21 20:19:47 guenther Exp $ */
 /*
 * Copyright (c) 2014 Theo de Raadt
@@ -434,7 +434,8 @@ getentropy_fallback(void *buf, size_t len)
 memcpy((char *)buf + i, results, min(sizeof(results), len - i));
 i += min(sizeof(results), len - i);
 }
- memset(results, 0, sizeof results);
+ explicit_bzero(&ctx, sizeof ctx);
+ explicit_bzero(results, sizeof results);
 if (gotdata(buf, len) == 0) {
 errno = save_errno;
 return 0; /* satisfied */