authorDimitri Staessens <Dimitri.Staessens@Quantum.Com>2026-01-28 00:35:28 +0100
committerSander Vrijders <sander@ouroboros.rocks>2026-02-02 08:07:04 +0100
commit37e3dbdd8206e4f0f03fab13ff3f38aa932be065 (patch)
treec7508d4a50bb8a1e6025b489418a5f9aae4a308e /src/irmd/oap/cli.c
parente9fb0eb1130a8efacab3add17f524197a9044a88 (diff)
lib: Fix OpenSSL includes and explicit_bzero on OSX
The include headers and NIDs are different on macOS X. It also doesn't have explicit_bzero. The crypt.h includes are now guarded to work on OS X (trying to avoid the includes by defining the OpenSSL mac header guard led to a whole list of other issues). The explicit zeroing of buffers temporarily holding secrets has now been abstracted in a crypt_secure_clear() function defaulting to OPENSSL_cleanse, explicit_bzero (if present) or a best-effort option using a volatile pointer. Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
Diffstat (limited to 'src/irmd/oap/cli.c')
-rw-r--r--src/irmd/oap/cli.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/src/irmd/oap/cli.c b/src/irmd/oap/cli.c
index 12660d7f..ea2a25d1 100644
--- a/src/irmd/oap/cli.c
+++ b/src/irmd/oap/cli.c
@@ -191,7 +191,7 @@ static int do_client_kex_prepare_kem_encap(const char * server_name,
return -ENOMEM;
}
memcpy(s->key, key_buf, SYMMKEYSZ);
- explicit_bzero(key_buf, SYMMKEYSZ);
+ crypt_secure_clear(key_buf, SYMMKEYSZ);
return 0;
}
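Review bot: The `return -ENOMEM;` just above the `memcpy` exits without wiping `key_buf`. If the encapsulation step has already written the shared secret into it by then, the secret stays in memory on that failure path; this is inferred, because the earlier part of do_client_kex_prepare_kem_encap is outside the hunk. Adding `crypt_secure_clear(key_buf, SYMMKEYSZ);` before that return, or routing both exits through one cleanup label that does the wipe, would cover it. The hunks at -395 and -425 also clear only at the success tail, and their earlier exits are not visible here, so they deserve the same check.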
@@ -395,7 +395,7 @@ static int do_client_kex_complete_kem(struct oap_cli_ctx * s,
memcpy(sk->key, key_buf, SYMMKEYSZ);
sk->nid = kcfg->c.nid;
- explicit_bzero(key_buf, SYMMKEYSZ);
+ crypt_secure_clear(key_buf, SYMMKEYSZ);
log_info_id(id, "Negotiated %s + %s.", kcfg->x.str, kcfg->c.str);
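Review bot: The wipe length `SYMMKEYSZ` matches the `memcpy` above it but is not tied to the buffer itself. If `key_buf` is a local array, `crypt_secure_clear(key_buf, sizeof(key_buf));` keeps the wipe complete should the buffer ever be declared larger than the symmetric key. Its declaration is outside the hunk, so confirm it is an array and not a pointer before changing this. The calls in do_client_kex_complete_dhe (hunk at -425) and in the first hunk have the same shape. A short comment such as `/* sk->key now holds the key; wipe the temporary copy */` would also record why the clear sits at this point.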
@@ -425,7 +425,7 @@ static int do_client_kex_complete_dhe(struct oap_cli_ctx * s,
memcpy(sk->key, key_buf, SYMMKEYSZ);
sk->nid = kcfg->c.nid;
- explicit_bzero(key_buf, SYMMKEYSZ);
+ crypt_secure_clear(key_buf, SYMMKEYSZ);
log_info_id(id, "Negotiated %s + %s.", kcfg->x.str, kcfg->c.str);