From 0f8a6477825fbaad0d37233bdd3011d748f607ab Mon Sep 17 00:00:00 2001
From: Philip Kaufmann <phil.kaufmann@t-online.de>
Date: Thu, 8 Nov 2012 19:38:49 +0100
Subject: don't use memset() in privacy/security relevant code parts

As memset() can be optimized out by a compiler it should not be used in
privacy/security relevant code parts. OpenSSL provides the safe
OPENSSL_cleanse() function in crypto.h, which perfectly does the job of
clean and overwrite data.

For details see: http://www.viva64.com/en/b/0178/

- change memset() to OPENSSL_cleanse() where appropriate
- change a hard-coded number from netbase.cpp into a sizeof()
---
 src/crypter.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/crypter.cpp')

diff --git a/src/crypter.cpp b/src/crypter.cpp
index 181b8fa00a..a2b62a87c8 100644
--- a/src/crypter.cpp
+++ b/src/crypter.cpp
@@ -24,8 +24,8 @@ bool CCrypter::SetKeyFromPassphrase(const SecureString& strKeyData, const std::v
 
     if (i != (int)WALLET_CRYPTO_KEY_SIZE)
     {
-        memset(&chKey, 0, sizeof chKey);
-        memset(&chIV, 0, sizeof chIV);
+        OPENSSL_cleanse(chKey, sizeof(chKey));
+        OPENSSL_cleanse(chIV, sizeof(chIV));
         return false;
     }
 
-- 
cgit v1.2.3