From 37e3dbdd8206e4f0f03fab13ff3f38aa932be065 Mon Sep 17 00:00:00 2001
From: Dimitri Staessens <Dimitri.Staessens@Quantum.Com>
Date: Wed, 28 Jan 2026 00:35:28 +0100
Subject: lib: Fix OpenSSL includes and explicit_bzero on OSX

The include headers and NIDs are different on macOS X. It also doesn't
have explicit_bzero.

The crypt.h includes are now guarded to work on OS X (trying to avoid
the includes by defining the OpenSSL mac header guard led to a whole
list of other issues).

The explicit zero'ing of buffers temporarily holding secrets has now
been abstracted in a crypt_secure_clear() function defaulting to
OpenSSL_cleanse, explicit_bzero (if present) or a best-effort option
using a volatile pointer.

Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
---
 src/irmd/main.c    | 2 +-
 src/irmd/oap/cli.c | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

(limited to 'src/irmd')

diff --git a/src/irmd/main.c b/src/irmd/main.c
index e67fdd23..5b787a24 100644
--- a/src/irmd/main.c
+++ b/src/irmd/main.c
@@ -1553,7 +1553,7 @@ static irm_msg_t * do_command_msg(irm_msg_t * msg)
         else
                 ret_msg->result = res;
 
-        explicit_bzero(kbuf, SYMMKEYSZ);
+        crypt_secure_clear(kbuf, SYMMKEYSZ);
 
         return ret_msg;
 }
diff --git a/src/irmd/oap/cli.c b/src/irmd/oap/cli.c
index 12660d7f..ea2a25d1 100644
--- a/src/irmd/oap/cli.c
+++ b/src/irmd/oap/cli.c
@@ -191,7 +191,7 @@ static int do_client_kex_prepare_kem_encap(const char *         server_name,
                 return -ENOMEM;
         }
         memcpy(s->key, key_buf, SYMMKEYSZ);
-        explicit_bzero(key_buf, SYMMKEYSZ);
+        crypt_secure_clear(key_buf, SYMMKEYSZ);
 
         return 0;
 }
@@ -395,7 +395,7 @@ static int do_client_kex_complete_kem(struct oap_cli_ctx *   s,
 
         memcpy(sk->key, key_buf, SYMMKEYSZ);
         sk->nid = kcfg->c.nid;
-        explicit_bzero(key_buf, SYMMKEYSZ);
+        crypt_secure_clear(key_buf, SYMMKEYSZ);
 
         log_info_id(id, "Negotiated %s + %s.", kcfg->x.str, kcfg->c.str);
 
@@ -425,7 +425,7 @@ static int do_client_kex_complete_dhe(struct oap_cli_ctx *   s,
 
         memcpy(sk->key, key_buf, SYMMKEYSZ);
         sk->nid = kcfg->c.nid;
-        explicit_bzero(key_buf, SYMMKEYSZ);
+        crypt_secure_clear(key_buf, SYMMKEYSZ);
 
         log_info_id(id, "Negotiated %s + %s.", kcfg->x.str, kcfg->c.str);
 
-- 
cgit v1.2.3