From 37e3dbdd8206e4f0f03fab13ff3f38aa932be065 Mon Sep 17 00:00:00 2001 From: Dimitri Staessens Date: Wed, 28 Jan 2026 00:35:28 +0100 Subject: lib: Fix OpenSSL includes and explicit_bzero on OSX The include headers and NIDs are different on macOS X. It also doesn't have explicit_bzero. The crypt.h includes are now guarded to work on OS X (trying to avoid the includes by defining the OpenSSL mac header guard led to a whole list of other issues). The explicit zero'ing of buffers temporarily holding secrets has now been abstracted in a crypt_secure_clear() function defaulting to OpenSSL_cleanse, explicit_bzero (if present) or a best-effort option using a volatile pointer. Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders --- src/lib/dev.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'src/lib/dev.c') diff --git a/src/lib/dev.c b/src/lib/dev.c index 35ea701b..fb06c496 100644 --- a/src/lib/dev.c +++ b/src/lib/dev.c @@ -870,7 +870,7 @@ int flow_accept(qosspec_t * qs, fd = flow_init(&flow, &crypt); - explicit_bzero(key, SYMMKEYSZ); + crypt_secure_clear(key, SYMMKEYSZ); if (qs != NULL) *qs = flow.qs; @@ -917,7 +917,7 @@ int flow_alloc(const char * dst, fd = flow_init(&flow, &crypt); - explicit_bzero(key, SYMMKEYSZ); + crypt_secure_clear(key, SYMMKEYSZ); if (qs != NULL) *qs = flow.qs; @@ -956,7 +956,7 @@ int flow_join(const char * dst, fd = flow_init(&flow, &crypt); - explicit_bzero(key, SYMMKEYSZ); + crypt_secure_clear(key, SYMMKEYSZ); return fd; } -- cgit v1.2.3