libmd: Always erase context in _Final method, and when doing

it, consistently use explicit_bzero().

Update manual pages to match the behavior.

Reviewed by:	pfg, allanjude, jmg
MFC after:	1 month
Differential Revision:	https://reviews.freebsd.org/D16316

3 files changed, 8 insertions, 5 deletions

diff --git a/sys/crypto/sha2/sha256c.c b/sys/crypto/sha2/sha256c.c
index 70980ac5fb7a..135fb68ccc65 100644
--- a/sys/crypto/sha2/sha256c.c
+++ b/sys/crypto/sha2/sha256c.c
@@ -298,7 +298,7 @@ SHA256_Final(unsigned char digest[static SHA256_DIGEST_LENGTH], SHA256_CTX *ctx)
 	be32enc_vect(digest, ctx->state, SHA256_DIGEST_LENGTH);
 
 	/* Clear the context state */
-	memset(ctx, 0, sizeof(*ctx));
+	explicit_bzero(ctx, sizeof(*ctx));
 }
 
 /*** SHA-224: *********************************************************/
diff --git a/sys/crypto/sha2/sha512c.c b/sys/crypto/sha2/sha512c.c
index 21c7efabe156..e0dd36120a90 100644
--- a/sys/crypto/sha2/sha512c.c
+++ b/sys/crypto/sha2/sha512c.c
@@ -331,7 +331,7 @@ SHA512_Final(unsigned char digest[static SHA512_DIGEST_LENGTH], SHA512_CTX *ctx)
 	be64enc_vect(digest, ctx->state, SHA512_DIGEST_LENGTH);
 
 	/* Clear the context state */
-	memset(ctx, 0, sizeof(*ctx));
+	explicit_bzero(ctx, sizeof(*ctx));
 }
 
 /*** SHA-512t: *********************************************************/
@@ -374,7 +374,7 @@ SHA512_224_Final(unsigned char digest[static SHA512_224_DIGEST_LENGTH], SHA512_C
 	be64enc_vect(digest, ctx->state, SHA512_224_DIGEST_LENGTH);
 
 	/* Clear the context state */
-	memset(ctx, 0, sizeof(*ctx));
+	explicit_bzero(ctx, sizeof(*ctx));
 }
 
 void
@@ -413,7 +413,7 @@ SHA512_256_Final(unsigned char digest[static SHA512_256_DIGEST_LENGTH], SHA512_C
 	be64enc_vect(digest, ctx->state, SHA512_256_DIGEST_LENGTH);
 
 	/* Clear the context state */
-	memset(ctx, 0, sizeof(*ctx));
+	explicit_bzero(ctx, sizeof(*ctx));
 }
 
 /*** SHA-384: *********************************************************/
@@ -463,7 +463,7 @@ SHA384_Final(unsigned char digest[static SHA384_DIGEST_LENGTH], SHA384_CTX *ctx)
 	be64enc_vect(digest, ctx->state, SHA384_DIGEST_LENGTH);
 
 	/* Clear the context state */
-	memset(ctx, 0, sizeof(*ctx));
+	explicit_bzero(ctx, sizeof(*ctx));
 }
 
 #ifdef WEAK_REFS
diff --git a/sys/crypto/skein/skein.c b/sys/crypto/skein/skein.c
index b8d5905078a3..fd17623db21a 100644
--- a/sys/crypto/skein/skein.c
+++ b/sys/crypto/skein/skein.c
@@ -812,6 +812,7 @@ SKEIN256_Final(unsigned char digest[static SKEIN_256_BLOCK_BYTES], SKEIN256_CTX
 {
 
 	Skein_256_Final(ctx, digest);
+	explicit_bzero(ctx, sizeof(*ctx));
 }
 
 void
@@ -819,6 +820,7 @@ SKEIN512_Final(unsigned char digest[static SKEIN_512_BLOCK_BYTES], SKEIN512_CTX
 {
 
 	Skein_512_Final(ctx, digest);
+	explicit_bzero(ctx, sizeof(*ctx));
 }
 
 void
@@ -826,6 +828,7 @@ SKEIN1024_Final(unsigned char digest[static SKEIN1024_BLOCK_BYTES], SKEIN1024_CT
 {
 
 	Skein1024_Final(ctx, digest);
+	explicit_bzero(ctx, sizeof(*ctx));
 }
 
 #ifdef WEAK_REFS