As far as I can tell, all of the calls to memset(3) in
lib/libc/crypt/arc4random.c are intended to wipe memory to avoid having
the randomly generated data in memory twice, so it would seem good
practice to use explicit_bzero(3) to prevent the wipe from being optimized out.
Index: lib/libc/crypt/arc4random.c
===================================================================
RCS file: /cvs/src/lib/libc/crypt/arc4random.c,v
retrieving revision 1.55
diff -u -p -r1.55 arc4random.c
--- lib/libc/crypt/arc4random.c 24 Mar 2019 17:56:54 -0000 1.55
+++ lib/libc/crypt/arc4random.c 19 Dec 2019 12:51:23 -0000
@@ -98,7 +98,7 @@ _rs_stir(void)
/* invalidate rs_buf */
rs->rs_have = 0;
- memset(rsx->rs_buf, 0, sizeof(rsx->rs_buf));
+ explicit_bzero(rsx->rs_buf, sizeof(rsx->rs_buf));
rs->rs_count = 1600000;
}
@@ -119,7 +119,7 @@ static inline void
_rs_rekey(u_char *dat, size_t datlen)
{
#ifndef KEYSTREAM_ONLY
- memset(rsx->rs_buf, 0, sizeof(rsx->rs_buf));
+ explicit_bzero(rsx->rs_buf, sizeof(rsx->rs_buf));
#endif
/* fill rs_buf with the keystream */
chacha_encrypt_bytes(&rsx->rs_chacha, rsx->rs_buf,
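Review bot: The zeroing replaced by `explicit_bzero(rsx->rs_buf, sizeof(rsx->rs_buf));` under `#ifndef KEYSTREAM_ONLY` does not look like a wipe, which is the rationale the patch gives: rs_buf is handed to chacha_encrypt_bytes on the very next line, and the KEYSTREAM_ONLY guard suggests that in this configuration the zeros are the plaintext the cipher XORs in place to yield raw keystream (the call's remaining arguments are outside the hunk, so this is inferred). A store that is read by the following call is not dead, so a compiler could not have dropped the memset here and the substitution changes nothing; it is harmless, but it blurs the distinction between "scrub" and "initialize input" that the rest of the series relies on. Either keep memset on this line or add a comment naming the purpose, e.g. `/* zero the input so the in-place encrypt below yields raw keystream */`, so a later reader does not take it for a scrub and "optimize" the clearing away when KEYSTREAM_ONLY is defined. The other hunks (_rs_stir, the post-_rs_init clear, and the two post-memcpy clears) are genuine wipes and the change fits them. _rs_rekey's body continues outside the hunk.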
@@ -134,7 +134,7 @@ _rs_rekey(u_char *dat, size_t datlen)
}
/* immediately reinit for backtracking resistance */
_rs_init(rsx->rs_buf, KEYSZ + IVSZ);
- memset(rsx->rs_buf, 0, KEYSZ + IVSZ);
+ explicit_bzero(rsx->rs_buf, KEYSZ + IVSZ);
rs->rs_have = sizeof(rsx->rs_buf) - KEYSZ - IVSZ;
}
@@ -152,7 +152,7 @@ _rs_random_buf(void *_buf, size_t n)
keystream = rsx->rs_buf + sizeof(rsx->rs_buf)
- rs->rs_have;
memcpy(buf, keystream, m);
- memset(keystream, 0, m);
+ explicit_bzero(keystream, m);
buf += m;
n -= m;
rs->rs_have -= m;
@@ -172,7 +172,7 @@ _rs_random_u32(uint32_t *val)
_rs_rekey(NULL, 0);
keystream = rsx->rs_buf + sizeof(rsx->rs_buf) - rs->rs_have;
memcpy(val, keystream, sizeof(*val));
- memset(keystream, 0, sizeof(*val));
+ explicit_bzero(keystream, sizeof(*val));
rs->rs_have -= sizeof(*val);
}