Correct spelling of OPENSSL_cleanse.

ok miod@
author: jsing <> 2015-09-10 15:56:26 +0000
committer: jsing <> 2015-09-10 15:56:26 +0000
commit: 1b9402de2dd1b97eca2be1996ed51c82f0663c92 (patch)
tree: 27c1922db8e3f519794fe6a13a1dfba3d4759090
parent: e1b77a3f14ebb06ead650e78b43ddd6546237b0a (diff)
download: openbsd-1b9402de2dd1b97eca2be1996ed51c82f0663c92.tar.gz
openbsd-1b9402de2dd1b97eca2be1996ed51c82f0663c92.tar.bz2
openbsd-1b9402de2dd1b97eca2be1996ed51c82f0663c92.zip
139 files changed, 423 insertions, 399 deletions
diff --git a/src/lib/libcrypto/aes/aes_wrap.c b/src/lib/libcrypto/aes/aes_wrap.c
index 4479473e6b..ac2f83a993 100644
--- a/src/lib/libcrypto/aes/aes_wrap.c
+++ b/src/lib/libcrypto/aes/aes_wrap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: aes_wrap.c,v 1.9 2014/07/11 08:44:47 jsing Exp $ */
+/* $OpenBSD: aes_wrap.c,v 1.10 2015/09/10 15:56:24 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -126,7 +126,7 @@ AES_unwrap_key(AES_KEY *key, const unsigned char *iv, unsigned char *out,
        if (!iv)
                iv = default_iv;
        if (memcmp(A, iv, 8)) {
-                OPENSSL_cleanse(out, inlen);
+                explicit_bzero(out, inlen);
                return 0;
        }
        return inlen;
diff --git a/src/lib/libcrypto/asn1/a_sign.c b/src/lib/libcrypto/asn1/a_sign.c
index d9385312a7..195daa3b9f 100644
--- a/src/lib/libcrypto/asn1/a_sign.c
+++ b/src/lib/libcrypto/asn1/a_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_sign.c,v 1.20 2015/07/19 18:29:31 miod Exp $ */
+/* $OpenBSD: a_sign.c,v 1.21 2015/09/10 15:56:24 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -112,6 +112,7 @@
 #include <sys/types.h>
 #include <stdio.h>
+#include <string.h>
 #include <time.h>
 #include <openssl/bn.h>
@@ -229,11 +230,11 @@ ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
 err:
        EVP_MD_CTX_cleanup(ctx);
        if (buf_in != NULL) {
-                OPENSSL_cleanse((char *)buf_in, inl);
+                explicit_bzero((char *)buf_in, inl);
                free(buf_in);
        }
        if (buf_out != NULL) {
-                OPENSSL_cleanse((char *)buf_out, outll);
+                explicit_bzero((char *)buf_out, outll);
                free(buf_out);
        }
        return (outl);
diff --git a/src/lib/libcrypto/asn1/a_verify.c b/src/lib/libcrypto/asn1/a_verify.c
index 3fc79b78f6..12b76501e0 100644
--- a/src/lib/libcrypto/asn1/a_verify.c
+++ b/src/lib/libcrypto/asn1/a_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_verify.c,v 1.21 2015/01/28 04:14:31 beck Exp $ */
+/* $OpenBSD: a_verify.c,v 1.22 2015/09/10 15:56:24 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -59,6 +59,7 @@
 #include <sys/types.h>
 #include <stdio.h>
+#include <string.h>
 #include <time.h>
 #include <openssl/bn.h>
@@ -152,7 +153,7 @@ ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
                goto err;
        }
-        OPENSSL_cleanse(buf_in, (unsigned int)inl);
+        explicit_bzero(buf_in, (unsigned int)inl);
        free(buf_in);
        if (EVP_DigestVerifyFinal(&ctx, signature->data,
diff --git a/src/lib/libcrypto/asn1/n_pkey.c b/src/lib/libcrypto/asn1/n_pkey.c
index d3a7431356..491f988e92 100644
--- a/src/lib/libcrypto/asn1/n_pkey.c
+++ b/src/lib/libcrypto/asn1/n_pkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: n_pkey.c,v 1.26 2015/03/19 14:00:22 tedu Exp $ */
+/* $OpenBSD: n_pkey.c,v 1.27 2015/09/10 15:56:24 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -277,7 +277,7 @@ i2d_RSA_NET(const RSA *a, unsigned char **pp,
        i2d_NETSCAPE_PKEY(pkey, &zz);
        /* Wipe the private key encoding */
-        OPENSSL_cleanse(pkey->private_key->data, rsalen);
+        explicit_bzero(pkey->private_key->data, rsalen);
        if (cb == NULL)
                cb = EVP_read_pw_string;
@@ -297,7 +297,7 @@ i2d_RSA_NET(const RSA *a, unsigned char **pp,
        if (!EVP_BytesToKey(EVP_rc4(), EVP_md5(), NULL, buf, i,1, key, NULL))
                goto err;
-        OPENSSL_cleanse(buf, sizeof(buf));
+        explicit_bzero(buf, sizeof(buf));
        /* Encrypt private key in place */
        zz = enckey->enckey->digest->data;
@@ -394,7 +394,7 @@ d2i_RSA_NET_2(RSA **a, ASN1_OCTET_STRING *os,
        if (!EVP_BytesToKey(EVP_rc4(), EVP_md5(), NULL, buf, i,1, key, NULL))
                goto err;
-        OPENSSL_cleanse(buf, sizeof(buf));
+        explicit_bzero(buf, sizeof(buf));
        if (!EVP_DecryptInit_ex(&ctx, EVP_rc4(), NULL, key, NULL))
                goto err;
diff --git a/src/lib/libcrypto/asn1/p8_pkey.c b/src/lib/libcrypto/asn1/p8_pkey.c
index 2f7a469673..71d579456a 100644
--- a/src/lib/libcrypto/asn1/p8_pkey.c
+++ b/src/lib/libcrypto/asn1/p8_pkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p8_pkey.c,v 1.16 2015/07/16 18:21:57 miod Exp $ */
+/* $OpenBSD: p8_pkey.c,v 1.17 2015/09/10 15:56:25 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -57,6 +57,7 @@
 */
 #include <stdio.h>
+#include <string.h>
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
@@ -71,7 +72,7 @@ pkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
                if (key->pkey != NULL &&
                    key->pkey->type == V_ASN1_OCTET_STRING &&
                    key->pkey->value.octet_string != NULL)
-                        OPENSSL_cleanse(key->pkey->value.octet_string->data,
+                        explicit_bzero(key->pkey->value.octet_string->data,
                            key->pkey->value.octet_string->length);
        }
        return 1;
diff --git a/src/lib/libcrypto/bn/bn_exp.c b/src/lib/libcrypto/bn/bn_exp.c
index 4a28c2c605..c4ca36d136 100644
--- a/src/lib/libcrypto/bn/bn_exp.c
+++ b/src/lib/libcrypto/bn/bn_exp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_exp.c,v 1.22 2015/03/21 08:05:20 doug Exp $ */
+/* $OpenBSD: bn_exp.c,v 1.23 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -825,7 +825,7 @@ err:
        if ((in_mont == NULL) && (mont != NULL))
                BN_MONT_CTX_free(mont);
        if (powerbuf != NULL) {
-                OPENSSL_cleanse(powerbuf, powerbufLen);
+                explicit_bzero(powerbuf, powerbufLen);
                free(powerbufFree);
        }
        BN_CTX_end(ctx);
diff --git a/src/lib/libcrypto/bn/bn_lib.c b/src/lib/libcrypto/bn/bn_lib.c
index d0cb49cd1e..7cc76c1e85 100644
--- a/src/lib/libcrypto/bn/bn_lib.c
+++ b/src/lib/libcrypto/bn/bn_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_lib.c,v 1.33 2014/07/12 16:03:36 miod Exp $ */
+/* $OpenBSD: bn_lib.c,v 1.34 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -221,11 +221,11 @@ BN_clear_free(BIGNUM *a)
                return;
        bn_check_top(a);
        if (a->d != NULL && !(BN_get_flags(a, BN_FLG_STATIC_DATA))) {
-                OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0]));
+                explicit_bzero(a->d, a->dmax * sizeof(a->d[0]));
                free(a->d);
        }
        i = BN_get_flags(a, BN_FLG_MALLOCED);
-        OPENSSL_cleanse(a, sizeof(BIGNUM));
+        explicit_bzero(a, sizeof(BIGNUM));
        if (i)
                free(a);
 }
@@ -395,7 +395,7 @@ bn_expand2(BIGNUM *b, int words)
                if (!a)
                        return NULL;
                if (b->d) {
-                        OPENSSL_cleanse(b->d, b->dmax * sizeof(b->d[0]));
+                        explicit_bzero(b->d, b->dmax * sizeof(b->d[0]));
                        free(b->d);
                }
                b->d = a;
diff --git a/src/lib/libcrypto/bn/bn_rand.c b/src/lib/libcrypto/bn/bn_rand.c
index ac5c5eb308..783f6c22f8 100644
--- a/src/lib/libcrypto/bn/bn_rand.c
+++ b/src/lib/libcrypto/bn/bn_rand.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_rand.c,v 1.17 2015/02/19 06:10:29 jsing Exp $ */
+/* $OpenBSD: bn_rand.c,v 1.18 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -111,6 +111,7 @@
 #include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
 #include <time.h>
 #include <openssl/err.h>
@@ -186,7 +187,7 @@ bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
 err:
        if (buf != NULL) {
-                OPENSSL_cleanse(buf, bytes);
+                explicit_bzero(buf, bytes);
                free(buf);
        }
        bn_check_top(rnd);
diff --git a/src/lib/libcrypto/cmac/cmac.c b/src/lib/libcrypto/cmac/cmac.c
index 18635b942a..d01ae0f3ae 100644
--- a/src/lib/libcrypto/cmac/cmac.c
+++ b/src/lib/libcrypto/cmac/cmac.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cmac.c,v 1.9 2014/07/12 14:58:32 miod Exp $ */
+/* $OpenBSD: cmac.c,v 1.10 2015/09/10 15:56:25 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -107,10 +107,10 @@ void
 CMAC_CTX_cleanup(CMAC_CTX *ctx)
 {
        EVP_CIPHER_CTX_cleanup(&ctx->cctx);
-        OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH);
+        explicit_bzero(ctx->tbl, EVP_MAX_BLOCK_LENGTH);
-        OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH);
+        explicit_bzero(ctx->k1, EVP_MAX_BLOCK_LENGTH);
-        OPENSSL_cleanse(ctx->k2, EVP_MAX_BLOCK_LENGTH);
+        explicit_bzero(ctx->k2, EVP_MAX_BLOCK_LENGTH);
-        OPENSSL_cleanse(ctx->last_block, EVP_MAX_BLOCK_LENGTH);
+        explicit_bzero(ctx->last_block, EVP_MAX_BLOCK_LENGTH);
        ctx->nlast_block = -1;
 }
@@ -183,7 +183,7 @@ CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen,
                        return 0;
                make_kn(ctx->k1, ctx->tbl, bl);
                make_kn(ctx->k2, ctx->k1, bl);
-                OPENSSL_cleanse(ctx->tbl, bl);
+                explicit_bzero(ctx->tbl, bl);
                /* Reset context again ready for first data block */
                if (!EVP_EncryptInit_ex(&ctx->cctx, NULL, NULL, NULL, zero_iv))
                        return 0;
@@ -260,7 +260,7 @@ CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen)
                        out[i] = ctx->last_block[i] ^ ctx->k2[i];
        }
        if (!EVP_Cipher(&ctx->cctx, out, out, bl)) {
-                OPENSSL_cleanse(out, bl);
+                explicit_bzero(out, bl);
                return 0;
        }
        return 1;
diff --git a/src/lib/libcrypto/cms/cms_asn1.c b/src/lib/libcrypto/cms/cms_asn1.c
index 02a594575d..e450259832 100644
--- a/src/lib/libcrypto/cms/cms_asn1.c
+++ b/src/lib/libcrypto/cms/cms_asn1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_asn1.c,v 1.6 2015/07/25 15:22:10 jsing Exp $ */
+/* $OpenBSD: cms_asn1.c,v 1.7 2015/09/10 15:56:25 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -888,13 +888,13 @@ cms_ri_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
                } else if (ri->type == CMS_RECIPINFO_KEK) {
                        CMS_KEKRecipientInfo *kekri = ri->d.kekri;
                        if (kekri->key) {
-                                OPENSSL_cleanse(kekri->key, kekri->keylen);
+                                explicit_bzero(kekri->key, kekri->keylen);
                                free(kekri->key);
                        }
                } else if (ri->type == CMS_RECIPINFO_PASS) {
                        CMS_PasswordRecipientInfo *pwri = ri->d.pwri;
                        if (pwri->pass) {
-                                OPENSSL_cleanse(pwri->pass, pwri->passlen);
+                                explicit_bzero(pwri->pass, pwri->passlen);
                                free(pwri->pass);
                        }
                }
diff --git a/src/lib/libcrypto/cms/cms_enc.c b/src/lib/libcrypto/cms/cms_enc.c
index f97e4d5f34..c967a18a3c 100644
--- a/src/lib/libcrypto/cms/cms_enc.c
+++ b/src/lib/libcrypto/cms/cms_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_enc.c,v 1.6 2014/10/22 13:02:04 jsing Exp $ */
+/* $OpenBSD: cms_enc.c,v 1.7 2015/09/10 15:56:25 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -164,7 +164,7 @@ cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
                                goto err;
                        } else {
                                /* Use random key */
-                                OPENSSL_cleanse(ec->key, ec->keylen);
+                                explicit_bzero(ec->key, ec->keylen);
                                free(ec->key);
                                ec->key = tkey;
                                ec->keylen = tkeylen;
@@ -197,12 +197,12 @@ cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
 err:
        if (ec->key && !keep_key) {
-                OPENSSL_cleanse(ec->key, ec->keylen);
+                explicit_bzero(ec->key, ec->keylen);
                free(ec->key);
                ec->key = NULL;
        }
        if (tkey) {
-                OPENSSL_cleanse(tkey, tkeylen);
+                explicit_bzero(tkey, tkeylen);
                free(tkey);
        }
        if (ok)
diff --git a/src/lib/libcrypto/cms/cms_env.c b/src/lib/libcrypto/cms/cms_env.c
index 63b24b6374..e483c4539f 100644
--- a/src/lib/libcrypto/cms/cms_env.c
+++ b/src/lib/libcrypto/cms/cms_env.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_env.c,v 1.8 2014/10/18 17:20:40 jsing Exp $ */
+/* $OpenBSD: cms_env.c,v 1.9 2015/09/10 15:56:25 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -406,7 +406,7 @@ cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri)
        ret = 1;
        if (ec->key) {
-                OPENSSL_cleanse(ec->key, ec->keylen);
+                explicit_bzero(ec->key, ec->keylen);
                free(ec->key);
        }
@@ -654,7 +654,7 @@ cms_RecipientInfo_kekri_encrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri)
 err:
        if (!r && wkey)
                free(wkey);
-        OPENSSL_cleanse(&actx, sizeof(actx));
+        explicit_bzero(&actx, sizeof(actx));
        return r;
 }
@@ -727,7 +727,7 @@ cms_RecipientInfo_kekri_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri)
 err:
        if (!r && ukey)
                free(ukey);
-        OPENSSL_cleanse(&actx, sizeof(actx));
+        explicit_bzero(&actx, sizeof(actx));
        return r;
 }
@@ -806,7 +806,7 @@ cms_EnvelopedData_init_bio(CMS_ContentInfo *cms)
 err:
        ec->cipher = NULL;
        if (ec->key) {
-                OPENSSL_cleanse(ec->key, ec->keylen);
+                explicit_bzero(ec->key, ec->keylen);
                free(ec->key);
                ec->key = NULL;
                ec->keylen = 0;
diff --git a/src/lib/libcrypto/cms/cms_pwri.c b/src/lib/libcrypto/cms/cms_pwri.c
index 11509e3c11..7055ba5d3b 100644
--- a/src/lib/libcrypto/cms/cms_pwri.c
+++ b/src/lib/libcrypto/cms/cms_pwri.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_pwri.c,v 1.9 2015/05/15 11:00:14 jsg Exp $ */
+/* $OpenBSD: cms_pwri.c,v 1.10 2015/09/10 15:56:25 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -262,7 +262,7 @@ kek_unwrap_key(unsigned char *out, size_t *outlen, const unsigned char *in,
        rv = 1;
 err:
-        OPENSSL_cleanse(tmp, inlen);
+        explicit_bzero(tmp, inlen);
        free(tmp);
        return rv;
 }
diff --git a/src/lib/libcrypto/des/str2key.c b/src/lib/libcrypto/des/str2key.c
index 8999eb292a..ce17e2659b 100644
--- a/src/lib/libcrypto/des/str2key.c
+++ b/src/lib/libcrypto/des/str2key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: str2key.c,v 1.9 2014/10/28 07:35:58 jsg Exp $ */
+/* $OpenBSD: str2key.c,v 1.10 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -95,7 +95,7 @@ void DES_string_to_key(const char *str, DES_cblock *key)
        DES_set_key_unchecked(key,&ks);
 #endif
        DES_cbc_cksum((const unsigned char*)str,key,length,&ks,key);
-        OPENSSL_cleanse(&ks,sizeof(ks));
+        explicit_bzero(&ks,sizeof(ks));
        DES_set_odd_parity(key);
        }
@@ -168,7 +168,7 @@ void DES_string_to_2keys(const char *str, DES_cblock *key1, DES_cblock *key2)
        DES_set_key_unchecked(key2,&ks);
 #endif
        DES_cbc_cksum((const unsigned char*)str,key2,length,&ks,key2);
-        OPENSSL_cleanse(&ks,sizeof(ks));
+        explicit_bzero(&ks,sizeof(ks));
        DES_set_odd_parity(key1);
        DES_set_odd_parity(key2);
        }
diff --git a/src/lib/libcrypto/ec/ec_key.c b/src/lib/libcrypto/ec/ec_key.c
index 45192c3231..fa962e4d0f 100644
--- a/src/lib/libcrypto/ec/ec_key.c
+++ b/src/lib/libcrypto/ec/ec_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_key.c,v 1.11 2015/02/09 15:49:22 jsing Exp $ */
+/* $OpenBSD: ec_key.c,v 1.12 2015/09/10 15:56:25 jsing Exp $ */
 /*
 * Written by Nils Larsch for the OpenSSL project.
 */
@@ -122,7 +122,7 @@ EC_KEY_free(EC_KEY * r)
        EC_EX_DATA_free_all_data(&r->method_data);
-        OPENSSL_cleanse((void *) r, sizeof(EC_KEY));
+        explicit_bzero((void *) r, sizeof(EC_KEY));
        free(r);
 }
diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c
index a12a2ffbb6..c28ab18fc0 100644
--- a/src/lib/libcrypto/ec/ec_lib.c
+++ b/src/lib/libcrypto/ec/ec_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_lib.c,v 1.18 2015/05/20 04:33:35 miod Exp $ */
+/* $OpenBSD: ec_lib.c,v 1.19 2015/09/10 15:56:25 jsing Exp $ */
 /*
 * Originally written by Bodo Moeller for the OpenSSL project.
 */
@@ -152,10 +152,10 @@ EC_GROUP_clear_free(EC_GROUP * group)
        BN_clear_free(&group->cofactor);
        if (group->seed) {
-                OPENSSL_cleanse(group->seed, group->seed_len);
+                explicit_bzero(group->seed, group->seed_len);
                free(group->seed);
        }
-        OPENSSL_cleanse(group, sizeof *group);
+        explicit_bzero(group, sizeof *group);
        free(group);
 }
@@ -754,7 +754,7 @@ EC_POINT_clear_free(EC_POINT * point)
                point->meth->point_clear_finish(point);
        else if (point->meth->point_finish != 0)
                point->meth->point_finish(point);
-        OPENSSL_cleanse(point, sizeof *point);
+        explicit_bzero(point, sizeof *point);
        free(point);
 }
diff --git a/src/lib/libcrypto/ec/ec_mult.c b/src/lib/libcrypto/ec/ec_mult.c
index 68f55cfcb3..e428ac586b 100644
--- a/src/lib/libcrypto/ec/ec_mult.c
+++ b/src/lib/libcrypto/ec/ec_mult.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_mult.c,v 1.18 2015/02/15 08:44:35 miod Exp $ */
+/* $OpenBSD: ec_mult.c,v 1.19 2015/09/10 15:56:25 jsing Exp $ */
 /*
 * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project.
 */
@@ -173,11 +173,11 @@ ec_pre_comp_clear_free(void *pre_)
                for (p = pre->points; *p != NULL; p++) {
                        EC_POINT_clear_free(*p);
-                        OPENSSL_cleanse(p, sizeof *p);
+                        explicit_bzero(p, sizeof *p);
                }
                free(pre->points);
        }
-        OPENSSL_cleanse(pre, sizeof *pre);
+        explicit_bzero(pre, sizeof *pre);
        free(pre);
 }
diff --git a/src/lib/libcrypto/ec/ecp_nistp224.c b/src/lib/libcrypto/ec/ecp_nistp224.c
index d29113045a..0976f24a9f 100644
--- a/src/lib/libcrypto/ec/ecp_nistp224.c
+++ b/src/lib/libcrypto/ec/ecp_nistp224.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_nistp224.c,v 1.16 2015/02/08 22:25:03 miod Exp $ */
+/* $OpenBSD: ecp_nistp224.c,v 1.17 2015/09/10 15:56:25 jsing Exp $ */
 /*
 * Written by Emilia Kasper (Google) for the OpenSSL project.
 */
@@ -1239,7 +1239,7 @@ nistp224_pre_comp_clear_free(void *pre_)
        if (i > 0)
                return;
-        OPENSSL_cleanse(pre, sizeof *pre);
+        explicit_bzero(pre, sizeof *pre);
        free(pre);
 }
diff --git a/src/lib/libcrypto/ec/ecp_nistp256.c b/src/lib/libcrypto/ec/ecp_nistp256.c
index 23a2131980..be1d2a5402 100644
--- a/src/lib/libcrypto/ec/ecp_nistp256.c
+++ b/src/lib/libcrypto/ec/ecp_nistp256.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_nistp256.c,v 1.15 2015/02/08 22:25:03 miod Exp $ */
+/* $OpenBSD: ecp_nistp256.c,v 1.16 2015/09/10 15:56:25 jsing Exp $ */
 /*
 * Written by Adam Langley (Google) for the OpenSSL project
 */
@@ -1788,7 +1788,7 @@ nistp256_pre_comp_clear_free(void *pre_)
        if (i > 0)
                return;
-        OPENSSL_cleanse(pre, sizeof *pre);
+        explicit_bzero(pre, sizeof *pre);
        free(pre);
 }
diff --git a/src/lib/libcrypto/ec/ecp_nistp521.c b/src/lib/libcrypto/ec/ecp_nistp521.c
index 6382091cf9..cfa13b41f8 100644
--- a/src/lib/libcrypto/ec/ecp_nistp521.c
+++ b/src/lib/libcrypto/ec/ecp_nistp521.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_nistp521.c,v 1.16 2015/02/08 22:25:03 miod Exp $ */
+/* $OpenBSD: ecp_nistp521.c,v 1.17 2015/09/10 15:56:25 jsing Exp $ */
 /*
 * Written by Adam Langley (Google) for the OpenSSL project
 */
@@ -1679,7 +1679,7 @@ nistp521_pre_comp_clear_free(void *pre_)
        if (i > 0)
                return;
-        OPENSSL_cleanse(pre, sizeof(*pre));
+        explicit_bzero(pre, sizeof(*pre));
        free(pre);
 }
diff --git a/src/lib/libcrypto/ecdh/ech_lib.c b/src/lib/libcrypto/ecdh/ech_lib.c
index 43c4f8ce31..58dddf638f 100644
--- a/src/lib/libcrypto/ecdh/ech_lib.c
+++ b/src/lib/libcrypto/ecdh/ech_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ech_lib.c,v 1.8 2015/02/07 13:19:15 doug Exp $ */
+/* $OpenBSD: ech_lib.c,v 1.9 2015/09/10 15:56:25 jsing Exp $ */
 /* ====================================================================
 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
 *
@@ -180,7 +180,7 @@ void ecdh_data_free(void *data)
        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_ECDH, r, &r->ex_data);
-        OPENSSL_cleanse((void *)r, sizeof(ECDH_DATA));
+        explicit_bzero((void *)r, sizeof(ECDH_DATA));
        free(r);
        }
diff --git a/src/lib/libcrypto/ecdsa/ecs_lib.c b/src/lib/libcrypto/ecdsa/ecs_lib.c
index dba888cb48..1ba788b4f0 100644
--- a/src/lib/libcrypto/ecdsa/ecs_lib.c
+++ b/src/lib/libcrypto/ecdsa/ecs_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecs_lib.c,v 1.9 2015/02/08 13:35:07 jsing Exp $ */
+/* $OpenBSD: ecs_lib.c,v 1.10 2015/09/10 15:56:25 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
 *
@@ -170,7 +170,7 @@ ecdsa_data_free(void *data)
 #endif
        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_ECDSA, r, &r->ex_data);
-        OPENSSL_cleanse((void *)r, sizeof(ECDSA_DATA));
+        explicit_bzero((void *)r, sizeof(ECDSA_DATA));
        free(r);
 }
diff --git a/src/lib/libcrypto/evp/bio_enc.c b/src/lib/libcrypto/evp/bio_enc.c
index e367faa967..1920c6d180 100644
--- a/src/lib/libcrypto/evp/bio_enc.c
+++ b/src/lib/libcrypto/evp/bio_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bio_enc.c,v 1.18 2014/07/11 08:44:48 jsing Exp $ */
+/* $OpenBSD: bio_enc.c,v 1.19 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -135,7 +135,7 @@ enc_free(BIO *a)
                return (0);
        b = (BIO_ENC_CTX *)a->ptr;
        EVP_CIPHER_CTX_cleanup(&(b->cipher));
-        OPENSSL_cleanse(a->ptr, sizeof(BIO_ENC_CTX));
+        explicit_bzero(a->ptr, sizeof(BIO_ENC_CTX));
        free(a->ptr);
        a->ptr = NULL;
        a->init = 0;
diff --git a/src/lib/libcrypto/evp/e_aes.c b/src/lib/libcrypto/evp/e_aes.c
index 0a9455a5d2..a6d48085c3 100644
--- a/src/lib/libcrypto/evp/e_aes.c
+++ b/src/lib/libcrypto/evp/e_aes.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_aes.c,v 1.28 2015/06/20 12:01:14 jsing Exp $ */
+/* $OpenBSD: e_aes.c,v 1.29 2015/09/10 15:56:25 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
 *
@@ -690,7 +690,7 @@ aes_gcm_cleanup(EVP_CIPHER_CTX *c)
        if (gctx->iv != c->iv)
                free(gctx->iv);
-        OPENSSL_cleanse(gctx, sizeof(*gctx));
+        explicit_bzero(gctx, sizeof(*gctx));
        return 1;
 }
@@ -972,7 +972,7 @@ aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                /* If tag mismatch wipe buffer */
                if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) {
-                        OPENSSL_cleanse(out, len);
+                        explicit_bzero(out, len);
                        goto err;
                }
                rv = len;
@@ -1339,7 +1339,7 @@ aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                        }
                }
                if (rv == -1)
-                        OPENSSL_cleanse(out, len);
+                        explicit_bzero(out, len);
                cctx->iv_set = 0;
                cctx->tag_set = 0;
                cctx->len_set = 0;
@@ -1417,7 +1417,7 @@ aead_aes_gcm_cleanup(EVP_AEAD_CTX *ctx)
 {
        struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state;
-        OPENSSL_cleanse(gcm_ctx, sizeof(*gcm_ctx));
+        explicit_bzero(gcm_ctx, sizeof(*gcm_ctx));
        free(gcm_ctx);
 }
diff --git a/src/lib/libcrypto/evp/e_aes_cbc_hmac_sha1.c b/src/lib/libcrypto/evp/e_aes_cbc_hmac_sha1.c
index 7c23face34..c76c2b1c52 100644
--- a/src/lib/libcrypto/evp/e_aes_cbc_hmac_sha1.c
+++ b/src/lib/libcrypto/evp/e_aes_cbc_hmac_sha1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_aes_cbc_hmac_sha1.c,v 1.8 2014/07/12 20:37:07 miod Exp $ */
+/* $OpenBSD: e_aes_cbc_hmac_sha1.c,v 1.9 2015/09/10 15:56:25 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 2011-2013 The OpenSSL Project.  All rights reserved.
 *
@@ -502,7 +502,7 @@ aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
                        SHA1_Init(&key->tail);
                        SHA1_Update(&key->tail, hmac_key, sizeof(hmac_key));
-                        OPENSSL_cleanse(hmac_key, sizeof(hmac_key));
+                        explicit_bzero(hmac_key, sizeof(hmac_key));
                        return 1;
                }
diff --git a/src/lib/libcrypto/evp/e_chacha20poly1305.c b/src/lib/libcrypto/evp/e_chacha20poly1305.c
index c003b0ba7f..9deb40b72a 100644
--- a/src/lib/libcrypto/evp/e_chacha20poly1305.c
+++ b/src/lib/libcrypto/evp/e_chacha20poly1305.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_chacha20poly1305.c,v 1.9 2015/06/20 12:01:14 jsing Exp $ */
+/* $OpenBSD: e_chacha20poly1305.c,v 1.10 2015/09/10 15:56:25 jsing Exp $ */
 /*
 * Copyright (c) 2014, Google Inc.
 *
@@ -71,7 +71,7 @@ aead_chacha20_poly1305_cleanup(EVP_AEAD_CTX *ctx)
 {
        struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
-        OPENSSL_cleanse(c20_ctx->key, sizeof(c20_ctx->key));
+        explicit_bzero(c20_ctx->key, sizeof(c20_ctx->key));
        free(c20_ctx);
 }
diff --git a/src/lib/libcrypto/evp/e_idea.c b/src/lib/libcrypto/evp/e_idea.c
index 3ba4dbcdb9..454ad4e672 100644
--- a/src/lib/libcrypto/evp/e_idea.c
+++ b/src/lib/libcrypto/evp/e_idea.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_idea.c,v 1.9 2014/07/11 08:44:48 jsing Exp $ */
+/* $OpenBSD: e_idea.c,v 1.10 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -57,6 +57,7 @@
 */
 #include <stdio.h>
+#include <string.h>
 #include <openssl/opensslconf.h>
@@ -115,7 +116,7 @@ idea_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                idea_set_encrypt_key(key, &tmp);
                idea_set_decrypt_key(&tmp, ctx->cipher_data);
-                OPENSSL_cleanse((unsigned char *)&tmp,
+                explicit_bzero((unsigned char *)&tmp,
                    sizeof(IDEA_KEY_SCHEDULE));
        }
        return 1;
diff --git a/src/lib/libcrypto/evp/evp_enc.c b/src/lib/libcrypto/evp/evp_enc.c
index 42ccfceec9..99bf59e05f 100644
--- a/src/lib/libcrypto/evp/evp_enc.c
+++ b/src/lib/libcrypto/evp/evp_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_enc.c,v 1.26 2015/02/10 09:52:35 miod Exp $ */
+/* $OpenBSD: evp_enc.c,v 1.27 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -562,7 +562,7 @@ EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
                        return 0;
                /* Cleanse cipher context data */
                if (c->cipher_data)
-                        OPENSSL_cleanse(c->cipher_data, c->cipher->ctx_size);
+                        explicit_bzero(c->cipher_data, c->cipher->ctx_size);
        }
        free(c->cipher_data);
 #ifndef OPENSSL_NO_ENGINE
diff --git a/src/lib/libcrypto/evp/evp_key.c b/src/lib/libcrypto/evp/evp_key.c
index 0678536ccb..2c76743e42 100644
--- a/src/lib/libcrypto/evp/evp_key.c
+++ b/src/lib/libcrypto/evp/evp_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_key.c,v 1.22 2015/02/10 09:55:39 miod Exp $ */
+/* $OpenBSD: evp_key.c,v 1.23 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -116,7 +116,7 @@ EVP_read_pw_string_min(char *buf, int min, int len, const char *prompt,
        }
        ret = UI_process(ui);
        UI_free(ui);
-        OPENSSL_cleanse(buff, BUFSIZ);
+        explicit_bzero(buff, BUFSIZ);
        return ret;
 }
@@ -201,6 +201,6 @@ EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
 err:
        EVP_MD_CTX_cleanup(&c);
-        OPENSSL_cleanse(md_buf, sizeof md_buf);
+        explicit_bzero(md_buf, sizeof md_buf);
        return rv;
 }
diff --git a/src/lib/libcrypto/evp/p5_crpt.c b/src/lib/libcrypto/evp/p5_crpt.c
index 112a69114c..626910fd7a 100644
--- a/src/lib/libcrypto/evp/p5_crpt.c
+++ b/src/lib/libcrypto/evp/p5_crpt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p5_crpt.c,v 1.15 2015/02/10 09:52:35 miod Exp $ */
+/* $OpenBSD: p5_crpt.c,v 1.16 2015/09/10 15:56:25 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -147,9 +147,9 @@ PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
            EVP_CIPHER_iv_length(cipher));
        if (!EVP_CipherInit_ex(cctx, cipher, NULL, key, iv, en_de))
                goto err;
-        OPENSSL_cleanse(md_tmp, EVP_MAX_MD_SIZE);
+        explicit_bzero(md_tmp, EVP_MAX_MD_SIZE);
-        OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
+        explicit_bzero(key, EVP_MAX_KEY_LENGTH);
-        OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
+        explicit_bzero(iv, EVP_MAX_IV_LENGTH);
        rv = 1;
 err:
        EVP_MD_CTX_cleanup(&ctx);
diff --git a/src/lib/libcrypto/evp/p5_crpt2.c b/src/lib/libcrypto/evp/p5_crpt2.c
index afafb9551f..632c2c76ce 100644
--- a/src/lib/libcrypto/evp/p5_crpt2.c
+++ b/src/lib/libcrypto/evp/p5_crpt2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p5_crpt2.c,v 1.20 2015/02/14 15:49:51 miod Exp $ */
+/* $OpenBSD: p5_crpt2.c,v 1.21 2015/09/10 15:56:25 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -300,7 +300,7 @@ PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
        rv = EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de);
 err:
-        OPENSSL_cleanse(key, keylen);
+        explicit_bzero(key, keylen);
        PBKDF2PARAM_free(kdf);
        return rv;
 }
diff --git a/src/lib/libcrypto/evp/p_open.c b/src/lib/libcrypto/evp/p_open.c
index aca83e74f6..002a6dea70 100644
--- a/src/lib/libcrypto/evp/p_open.c
+++ b/src/lib/libcrypto/evp/p_open.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p_open.c,v 1.16 2014/07/11 08:44:48 jsing Exp $ */
+/* $OpenBSD: p_open.c,v 1.17 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -57,6 +57,7 @@
 */
 #include <stdio.h>
+#include <string.h>
 #include <openssl/opensslconf.h>
@@ -109,7 +110,7 @@ EVP_OpenInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
 err:
        if (key != NULL)
-                OPENSSL_cleanse(key, size);
+                explicit_bzero(key, size);
        free(key);
        return (ret);
 }
diff --git a/src/lib/libcrypto/gost/gost2814789.c b/src/lib/libcrypto/gost/gost2814789.c
index b1bef9eae3..e285413ed4 100644
--- a/src/lib/libcrypto/gost/gost2814789.c
+++ b/src/lib/libcrypto/gost/gost2814789.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gost2814789.c,v 1.4 2015/02/10 09:46:30 miod Exp $ */
+/* $OpenBSD: gost2814789.c,v 1.5 2015/09/10 15:56:25 jsing Exp $ */
 /*
 * Copyright (c) 2014 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
 * Copyright (c) 2005-2006 Cryptocom LTD
@@ -464,7 +464,7 @@ GOST2814789IMIT(const unsigned char *d, size_t n, unsigned char *md, int nid,
        Gost2814789_set_key(&c.cipher, key, 256);
        GOST2814789IMIT_Update(&c, d, n);
        GOST2814789IMIT_Final(md, &c);
-        OPENSSL_cleanse(&c, sizeof(c));
+        explicit_bzero(&c, sizeof(c));
        return (md);
 }
diff --git a/src/lib/libcrypto/gost/gostr341001_key.c b/src/lib/libcrypto/gost/gostr341001_key.c
index dbe360620a..894a189e3b 100644
--- a/src/lib/libcrypto/gost/gostr341001_key.c
+++ b/src/lib/libcrypto/gost/gostr341001_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gostr341001_key.c,v 1.5 2015/02/14 06:40:04 jsing Exp $ */
+/* $OpenBSD: gostr341001_key.c,v 1.6 2015/09/10 15:56:25 jsing Exp $ */
 /*
 * Copyright (c) 2014 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
 * Copyright (c) 2005-2006 Cryptocom LTD
@@ -49,6 +49,8 @@
 * ====================================================================
 */
+#include <string.h>
 #include <openssl/opensslconf.h>
 #ifndef OPENSSL_NO_GOST
@@ -103,7 +105,7 @@ GOST_KEY_free(GOST_KEY *r)
        EC_POINT_free(r->pub_key);
        BN_clear_free(r->priv_key);
-        OPENSSL_cleanse((void *)r, sizeof(GOST_KEY));
+        explicit_bzero((void *)r, sizeof(GOST_KEY));
        free(r);
 }
diff --git a/src/lib/libcrypto/gost/gostr341194.c b/src/lib/libcrypto/gost/gostr341194.c
index 32c166aefa..2a462185aa 100644
--- a/src/lib/libcrypto/gost/gostr341194.c
+++ b/src/lib/libcrypto/gost/gostr341194.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gostr341194.c,v 1.4 2015/07/15 17:13:17 beck Exp $ */
+/* $OpenBSD: gostr341194.c,v 1.5 2015/09/10 15:56:25 jsing Exp $ */
 /*
 * Copyright (c) 2014 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
 * Copyright (c) 2005-2006 Cryptocom LTD
@@ -267,7 +267,7 @@ GOSTR341194(const unsigned char *d, size_t n, unsigned char *md, int nid)
                return 0;
        GOSTR341194_Update(&c, d, n);
        GOSTR341194_Final(md, &c);
-        OPENSSL_cleanse(&c, sizeof(c));
+        explicit_bzero(&c, sizeof(c));
        return (md);
 }
 #endif
diff --git a/src/lib/libcrypto/gost/streebog.c b/src/lib/libcrypto/gost/streebog.c
index 8060161d11..902472bd9e 100644
--- a/src/lib/libcrypto/gost/streebog.c
+++ b/src/lib/libcrypto/gost/streebog.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: streebog.c,v 1.4 2014/12/07 16:33:51 jsing Exp $ */
+/* $OpenBSD: streebog.c,v 1.5 2015/09/10 15:56:25 jsing Exp $ */
 /*
 * Copyright (c) 2014 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
 * Copyright (c) 2005-2006 Cryptocom LTD
@@ -1455,7 +1455,7 @@ STREEBOG256(const unsigned char *d, size_t n, unsigned char *md)
        STREEBOG256_Init(&c);
        STREEBOG256_Update(&c, d, n);
        STREEBOG256_Final(md, &c);
-        OPENSSL_cleanse(&c, sizeof(c));
+        explicit_bzero(&c, sizeof(c));
        return (md);
 }
@@ -1470,7 +1470,7 @@ STREEBOG512(const unsigned char *d, size_t n, unsigned char *md)
        STREEBOG512_Init(&c);
        STREEBOG512_Update(&c, d, n);
        STREEBOG512_Final(md, &c);
-        OPENSSL_cleanse(&c, sizeof(c));
+        explicit_bzero(&c, sizeof(c));
        return (md);
 }
diff --git a/src/lib/libcrypto/hmac/hm_ameth.c b/src/lib/libcrypto/hmac/hm_ameth.c
index da3471c4fd..cfa0239705 100644
--- a/src/lib/libcrypto/hmac/hm_ameth.c
+++ b/src/lib/libcrypto/hmac/hm_ameth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hm_ameth.c,v 1.9 2015/07/20 15:45:29 miod Exp $ */
+/* $OpenBSD: hm_ameth.c,v 1.10 2015/09/10 15:56:25 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2007.
 */
@@ -83,7 +83,7 @@ hmac_key_free(EVP_PKEY *pkey)
        if (os) {
                if (os->data)
-                        OPENSSL_cleanse(os->data, os->length);
+                        explicit_bzero(os->data, os->length);
                ASN1_OCTET_STRING_free(os);
        }
 }
diff --git a/src/lib/libcrypto/hmac/hm_pmeth.c b/src/lib/libcrypto/hmac/hm_pmeth.c
index 255f4ece8b..c5ac6c00c0 100644
--- a/src/lib/libcrypto/hmac/hm_pmeth.c
+++ b/src/lib/libcrypto/hmac/hm_pmeth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hm_pmeth.c,v 1.8 2014/07/11 08:44:48 jsing Exp $ */
+/* $OpenBSD: hm_pmeth.c,v 1.9 2015/09/10 15:56:25 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2007.
 */
@@ -124,7 +124,7 @@ pkey_hmac_cleanup(EVP_PKEY_CTX *ctx)
        HMAC_CTX_cleanup(&hctx->ctx);
        if (hctx->ktmp.data) {
                if (hctx->ktmp.length)
-                        OPENSSL_cleanse(hctx->ktmp.data, hctx->ktmp.length);
+                        explicit_bzero(hctx->ktmp.data, hctx->ktmp.length);
                free(hctx->ktmp.data);
                hctx->ktmp.data = NULL;
        }
diff --git a/src/lib/libcrypto/md4/md4_one.c b/src/lib/libcrypto/md4/md4_one.c
index 144f131914..9577d6577b 100644
--- a/src/lib/libcrypto/md4/md4_one.c
+++ b/src/lib/libcrypto/md4/md4_one.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: md4_one.c,v 1.7 2015/09/10 15:03:58 jsing Exp $ */
+/* $OpenBSD: md4_one.c,v 1.8 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -71,7 +71,7 @@ unsigned char *MD4(const unsigned char *d, size_t n, unsigned char *md)
                return NULL;
        MD4_Update(&c,d,n);
        MD4_Final(md,&c);
-        OPENSSL_cleanse(&c,sizeof(c));
+        explicit_bzero(&c,sizeof(c));
        return(md);
        }
diff --git a/src/lib/libcrypto/md5/md5_one.c b/src/lib/libcrypto/md5/md5_one.c
index f4cc56adb2..3fb05de30c 100644
--- a/src/lib/libcrypto/md5/md5_one.c
+++ b/src/lib/libcrypto/md5/md5_one.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: md5_one.c,v 1.9 2015/09/10 15:03:59 jsing Exp $ */
+/* $OpenBSD: md5_one.c,v 1.10 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -71,7 +71,7 @@ unsigned char *MD5(const unsigned char *d, size_t n, unsigned char *md)
                return NULL;
        MD5_Update(&c,d,n);
        MD5_Final(md,&c);
-        OPENSSL_cleanse(&c,sizeof(c));
+        explicit_bzero(&c,sizeof(c));
        return(md);
        }
diff --git a/src/lib/libcrypto/modes/gcm128.c b/src/lib/libcrypto/modes/gcm128.c
index 4a72901a33..dd6d91e880 100644
--- a/src/lib/libcrypto/modes/gcm128.c
+++ b/src/lib/libcrypto/modes/gcm128.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gcm128.c,v 1.12 2015/02/10 09:46:30 miod Exp $ */
+/* $OpenBSD: gcm128.c,v 1.13 2015/09/10 15:56:25 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 2010 The OpenSSL Project.  All rights reserved.
 *
@@ -1533,7 +1533,7 @@ GCM128_CONTEXT *CRYPTO_gcm128_new(void *key, block128_f block)
 void CRYPTO_gcm128_release(GCM128_CONTEXT *ctx)
 {
        if (ctx) {
-                OPENSSL_cleanse(ctx,sizeof(*ctx));
+                explicit_bzero(ctx,sizeof(*ctx));
                free(ctx);
        }
 }
diff --git a/src/lib/libcrypto/pem/pem_info.c b/src/lib/libcrypto/pem/pem_info.c
index 6fe72ce742..191e3b5b10 100644
--- a/src/lib/libcrypto/pem/pem_info.c
+++ b/src/lib/libcrypto/pem/pem_info.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_info.c,v 1.20 2015/02/10 09:52:35 miod Exp $ */
+/* $OpenBSD: pem_info.c,v 1.21 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -400,7 +400,7 @@ PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
        ret = 1;
 err:
-        OPENSSL_cleanse((char *)&ctx, sizeof(ctx));
+        explicit_bzero((char *)&ctx, sizeof(ctx));
-        OPENSSL_cleanse(buf, PEM_BUFSIZE);
+        explicit_bzero(buf, PEM_BUFSIZE);
        return (ret);
 }
diff --git a/src/lib/libcrypto/pem/pem_lib.c b/src/lib/libcrypto/pem/pem_lib.c
index 6f8759a9ee..852b0eaf86 100644
--- a/src/lib/libcrypto/pem/pem_lib.c
+++ b/src/lib/libcrypto/pem/pem_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_lib.c,v 1.41 2015/07/19 18:29:31 miod Exp $ */
+/* $OpenBSD: pem_lib.c,v 1.42 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -403,7 +403,7 @@ PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, void *x,
                        goto err;
                if (kstr == (unsigned char *)buf)
-                        OPENSSL_cleanse(buf, PEM_BUFSIZE);
+                        explicit_bzero(buf, PEM_BUFSIZE);
                if (strlen(objstr) + 23 + 2 * enc->iv_len + 13 > sizeof buf) {
                        PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,
@@ -434,12 +434,12 @@ PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, void *x,
        if (i <= 0)
                ret = 0;
 err:
-        OPENSSL_cleanse(key, sizeof(key));
+        explicit_bzero(key, sizeof(key));
-        OPENSSL_cleanse(iv, sizeof(iv));
+        explicit_bzero(iv, sizeof(iv));
-        OPENSSL_cleanse((char *)&ctx, sizeof(ctx));
+        explicit_bzero((char *)&ctx, sizeof(ctx));
-        OPENSSL_cleanse(buf, PEM_BUFSIZE);
+        explicit_bzero(buf, PEM_BUFSIZE);
        if (data != NULL) {
-                OPENSSL_cleanse(data, (unsigned int)dsize);
+                explicit_bzero(data, (unsigned int)dsize);
                free(data);
        }
        return (ret);
@@ -480,8 +480,8 @@ PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen,
        if (o)
                o = EVP_DecryptFinal_ex(&ctx, &(data[i]), &j);
        EVP_CIPHER_CTX_cleanup(&ctx);
-        OPENSSL_cleanse((char *)buf, sizeof(buf));
+        explicit_bzero((char *)buf, sizeof(buf));
-        OPENSSL_cleanse((char *)key, sizeof(key));
+        explicit_bzero((char *)key, sizeof(key));
        if (!o) {
                PEMerr(PEM_F_PEM_DO_HEADER, PEM_R_BAD_DECRYPT);
                return (0);
@@ -640,7 +640,7 @@ PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data,
        EVP_EncodeFinal(&ctx, buf, &outl);
        if ((outl > 0) && (BIO_write(bp, (char *)buf, outl) != outl))
                goto err;
-        OPENSSL_cleanse(buf, PEM_BUFSIZE * 8);
+        explicit_bzero(buf, PEM_BUFSIZE * 8);
        free(buf);
        buf = NULL;
        if ((BIO_write(bp, "-----END ", 9) != 9) ||
@@ -651,7 +651,7 @@ PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data,
 err:
        if (buf) {
-                OPENSSL_cleanse(buf, PEM_BUFSIZE * 8);
+                explicit_bzero(buf, PEM_BUFSIZE * 8);
                free(buf);
        }
        PEMerr(PEM_F_PEM_WRITE_BIO, reason);
diff --git a/src/lib/libcrypto/pem/pem_pk8.c b/src/lib/libcrypto/pem/pem_pk8.c
index 5b0fcc236b..d02dec1546 100644
--- a/src/lib/libcrypto/pem/pem_pk8.c
+++ b/src/lib/libcrypto/pem/pem_pk8.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_pk8.c,v 1.9 2014/10/18 17:20:40 jsing Exp $ */
+/* $OpenBSD: pem_pk8.c,v 1.10 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -57,6 +57,7 @@
 */
 #include <stdio.h>
+#include <string.h>
 #include <openssl/buffer.h>
 #include <openssl/err.h>
@@ -135,7 +136,7 @@ do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder, int nid, const EVP_CIPHER *enc,
                }
                p8 = PKCS8_encrypt(nid, enc, kstr, klen, NULL, 0, 0, p8inf);
                if (kstr == buf)
-                        OPENSSL_cleanse(buf, klen);
+                        explicit_bzero(buf, klen);
                PKCS8_PRIV_KEY_INFO_free(p8inf);
                if (isder)
                        ret = i2d_PKCS8_bio(bp, p8);
diff --git a/src/lib/libcrypto/pem/pem_pkey.c b/src/lib/libcrypto/pem/pem_pkey.c
index e9c0a8b1c9..afb476f818 100644
--- a/src/lib/libcrypto/pem/pem_pkey.c
+++ b/src/lib/libcrypto/pem/pem_pkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_pkey.c,v 1.20 2015/02/11 03:19:37 doug Exp $ */
+/* $OpenBSD: pem_pkey.c,v 1.21 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -144,7 +144,7 @@ p8err:
                PEMerr(PEM_F_PEM_READ_BIO_PRIVATEKEY, ERR_R_ASN1_LIB);
 err:
        free(nm);
-        OPENSSL_cleanse(data, len);
+        explicit_bzero(data, len);
        free(data);
        return (ret);
 }
diff --git a/src/lib/libcrypto/pem/pem_seal.c b/src/lib/libcrypto/pem/pem_seal.c
index 08837bd7f7..96687eb77f 100644
--- a/src/lib/libcrypto/pem/pem_seal.c
+++ b/src/lib/libcrypto/pem/pem_seal.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_seal.c,v 1.21 2014/10/18 17:20:40 jsing Exp $ */
+/* $OpenBSD: pem_seal.c,v 1.22 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -117,7 +117,7 @@ PEM_SealInit(PEM_ENCODE_SEAL_CTX *ctx, EVP_CIPHER *type, EVP_MD *md_type,
 err:
        free(s);
-        OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
+        explicit_bzero(key, EVP_MAX_KEY_LENGTH);
        return (ret);
 }
diff --git a/src/lib/libcrypto/pem/pvkfmt.c b/src/lib/libcrypto/pem/pvkfmt.c
index 025381bcc0..f5a9de39fc 100644
--- a/src/lib/libcrypto/pem/pvkfmt.c
+++ b/src/lib/libcrypto/pem/pvkfmt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pvkfmt.c,v 1.13 2015/05/15 11:00:14 jsg Exp $ */
+/* $OpenBSD: pvkfmt.c,v 1.14 2015/09/10 15:56:25 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2005.
 */
@@ -765,7 +765,7 @@ do_PVK_body(const unsigned char **in, unsigned int saltlen,
                        if (!EVP_DecryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf,
                            NULL))
                                goto err;
-                        OPENSSL_cleanse(keybuf, 20);
+                        explicit_bzero(keybuf, 20);
                        if (!EVP_DecryptUpdate(&cctx, q, &enctmplen, p, inlen))
                                goto err;
                        if (!EVP_DecryptFinal_ex(&cctx, q + enctmplen,
@@ -777,7 +777,7 @@ do_PVK_body(const unsigned char **in, unsigned int saltlen,
                                goto err;
                        }
                } else
-                        OPENSSL_cleanse(keybuf, 20);
+                        explicit_bzero(keybuf, 20);
                p = enctmp;
        }
@@ -823,7 +823,7 @@ b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u)
 err:
        if (buf) {
-                OPENSSL_cleanse(buf, buflen);
+                explicit_bzero(buf, buflen);
                free(buf);
        }
        return ret;
@@ -894,7 +894,7 @@ i2b_PVK(unsigned char **out, EVP_PKEY*pk, int enclevel, pem_password_cb *cb,
                p = salt + PVK_SALTLEN + 8;
                if (!EVP_EncryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL))
                        goto error;
-                OPENSSL_cleanse(keybuf, 20);
+                explicit_bzero(keybuf, 20);
                if (!EVP_DecryptUpdate(&cctx, p, &enctmplen, p, pklen - 8))
                        goto error;
                if (!EVP_DecryptFinal_ex(&cctx, p + enctmplen, &enctmplen))
diff --git a/src/lib/libcrypto/pkcs12/p12_crpt.c b/src/lib/libcrypto/pkcs12/p12_crpt.c
index 288c93c49f..0f215d2fe2 100644
--- a/src/lib/libcrypto/pkcs12/p12_crpt.c
+++ b/src/lib/libcrypto/pkcs12/p12_crpt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_crpt.c,v 1.11 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: p12_crpt.c,v 1.12 2015/09/10 15:56:25 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -57,6 +57,7 @@
 */
 #include <stdio.h>
+#include <string.h>
 #include <openssl/err.h>
 #include <openssl/pkcs12.h>
@@ -111,7 +112,7 @@ PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
        }
        PBEPARAM_free(pbe);
        ret = EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, en_de);
-        OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
+        explicit_bzero(key, EVP_MAX_KEY_LENGTH);
-        OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
+        explicit_bzero(iv, EVP_MAX_IV_LENGTH);
        return ret;
 }
diff --git a/src/lib/libcrypto/pkcs12/p12_decr.c b/src/lib/libcrypto/pkcs12/p12_decr.c
index 4cccf43d3f..00195f0a98 100644
--- a/src/lib/libcrypto/pkcs12/p12_decr.c
+++ b/src/lib/libcrypto/pkcs12/p12_decr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_decr.c,v 1.15 2015/05/15 11:00:14 jsg Exp $ */
+/* $OpenBSD: p12_decr.c,v 1.16 2015/09/10 15:56:25 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -57,6 +57,7 @@
 */
 #include <stdio.h>
+#include <string.h>
 #include <openssl/err.h>
 #include <openssl/pkcs12.h>
@@ -137,7 +138,7 @@ PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it,
        p = out;
        ret = ASN1_item_d2i(NULL, &p, outlen, it);
        if (zbuf)
-                OPENSSL_cleanse(out, outlen);
+                explicit_bzero(out, outlen);
        if (!ret)
                PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I,
                    PKCS12_R_DECODE_ERROR);
@@ -176,7 +177,7 @@ PKCS12_item_i2d_encrypt(X509_ALGOR *algor, const ASN1_ITEM *it,
                goto err;
        }
        if (zbuf)
-                OPENSSL_cleanse(in, inlen);
+                explicit_bzero(in, inlen);
        free(in);
        return oct;
diff --git a/src/lib/libcrypto/pkcs12/p12_key.c b/src/lib/libcrypto/pkcs12/p12_key.c
index 0b3547a6fb..38f8a8194c 100644
--- a/src/lib/libcrypto/pkcs12/p12_key.c
+++ b/src/lib/libcrypto/pkcs12/p12_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_key.c,v 1.22 2015/02/07 13:19:15 doug Exp $ */
+/* $OpenBSD: p12_key.c,v 1.23 2015/09/10 15:56:25 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -89,7 +89,7 @@ PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt,
        if (ret <= 0)
                return 0;
        if (unipass) {
-                OPENSSL_cleanse(unipass, uniplen);
+                explicit_bzero(unipass, uniplen);
                free(unipass);
        }
        return ret;
diff --git a/src/lib/libcrypto/pkcs7/pk7_doit.c b/src/lib/libcrypto/pkcs7/pk7_doit.c
index 24bcebef61..7755c3c30e 100644
--- a/src/lib/libcrypto/pkcs7/pk7_doit.c
+++ b/src/lib/libcrypto/pkcs7/pk7_doit.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_doit.c,v 1.36 2015/07/29 14:58:34 jsing Exp $ */
+/* $OpenBSD: pk7_doit.c,v 1.37 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -233,7 +233,7 @@ pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, PKCS7_RECIP_INFO *ri,
        ret = 1;
        if (*pek) {
-                OPENSSL_cleanse(*pek, *peklen);
+                explicit_bzero(*pek, *peklen);
                free(*pek);
        }
@@ -371,7 +371,7 @@ PKCS7_dataInit(PKCS7 *p7, BIO *bio)
                        if (pkcs7_encode_rinfo(ri, key, keylen) <= 0)
                                goto err;
                }
-                OPENSSL_cleanse(key, keylen);
+                explicit_bzero(key, keylen);
                if (out == NULL)
                        out = btmp;
@@ -588,7 +588,7 @@ PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
                         */
                        if (!EVP_CIPHER_CTX_set_key_length(evp_ctx, eklen)) {
                                /* Use random key as MMA defence */
-                                OPENSSL_cleanse(ek, eklen);
+                                explicit_bzero(ek, eklen);
                                free(ek);
                                ek = tkey;
                                eklen = tkeylen;
@@ -601,12 +601,12 @@ PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
                        goto err;
                if (ek) {
-                        OPENSSL_cleanse(ek, eklen);
+                        explicit_bzero(ek, eklen);
                        free(ek);
                        ek = NULL;
                }
                if (tkey) {
-                        OPENSSL_cleanse(tkey, tkeylen);
+                        explicit_bzero(tkey, tkeylen);
                        free(tkey);
                        tkey = NULL;
                }
@@ -635,11 +635,11 @@ PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
        if (0) {
 err:
                if (ek) {
-                        OPENSSL_cleanse(ek, eklen);
+                        explicit_bzero(ek, eklen);
                        free(ek);
                }
                if (tkey) {
-                        OPENSSL_cleanse(tkey, tkeylen);
+                        explicit_bzero(tkey, tkeylen);
                        free(tkey);
                }
                if (out != NULL)
diff --git a/src/lib/libcrypto/rand/randfile.c b/src/lib/libcrypto/rand/randfile.c
index 6948a83634..72c065c48d 100644
--- a/src/lib/libcrypto/rand/randfile.c
+++ b/src/lib/libcrypto/rand/randfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: randfile.c,v 1.41 2015/07/18 22:46:42 beck Exp $ */
+/* $OpenBSD: randfile.c,v 1.42 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -130,7 +130,7 @@ RAND_write_file(const char *file)
        }
        fclose(out);
-        OPENSSL_cleanse(buf, BUFSIZE);
+        explicit_bzero(buf, BUFSIZE);
        return ret;
 }
diff --git a/src/lib/libcrypto/ripemd/rmd_one.c b/src/lib/libcrypto/ripemd/rmd_one.c
index 84b13d5312..0d372f32f7 100644
--- a/src/lib/libcrypto/ripemd/rmd_one.c
+++ b/src/lib/libcrypto/ripemd/rmd_one.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rmd_one.c,v 1.8 2015/09/10 15:03:59 jsing Exp $ */
+/* $OpenBSD: rmd_one.c,v 1.9 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -72,7 +72,7 @@ unsigned char *RIPEMD160(const unsigned char *d, size_t n,
                return NULL;
        RIPEMD160_Update(&c,d,n);
        RIPEMD160_Final(md,&c);
-        OPENSSL_cleanse(&c,sizeof(c));
+        explicit_bzero(&c,sizeof(c));
        return(md);
        }
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index 940964cac3..76863e7220 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_eay.c,v 1.39 2015/06/13 08:38:10 doug Exp $ */
+/* $OpenBSD: rsa_eay.c,v 1.40 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -110,6 +110,7 @@
 */
 #include <stdio.h>
+#include <string.h>
 #include <openssl/opensslconf.h>
@@ -242,7 +243,7 @@ err:
                BN_CTX_free(ctx);
        }
        if (buf != NULL) {
-                OPENSSL_cleanse(buf, num);
+                explicit_bzero(buf, num);
                free(buf);
        }
        return r;
@@ -472,7 +473,7 @@ err:
                BN_CTX_free(ctx);
        }
        if (buf != NULL) {
-                OPENSSL_cleanse(buf, num);
+                explicit_bzero(buf, num);
                free(buf);
        }
        return r;
@@ -607,7 +608,7 @@ err:
                BN_CTX_free(ctx);
        }
        if (buf != NULL) {
-                OPENSSL_cleanse(buf, num);
+                explicit_bzero(buf, num);
                free(buf);
        }
        return r;
@@ -712,7 +713,7 @@ err:
                BN_CTX_free(ctx);
        }
        if (buf != NULL) {
-                OPENSSL_cleanse(buf, num);
+                explicit_bzero(buf, num);
                free(buf);
        }
        return r;
diff --git a/src/lib/libcrypto/rsa/rsa_saos.c b/src/lib/libcrypto/rsa/rsa_saos.c
index 3a07a7af4a..0a4f37a3da 100644
--- a/src/lib/libcrypto/rsa/rsa_saos.c
+++ b/src/lib/libcrypto/rsa/rsa_saos.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_saos.c,v 1.17 2015/07/19 18:29:31 miod Exp $ */
+/* $OpenBSD: rsa_saos.c,v 1.18 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -97,7 +97,7 @@ RSA_sign_ASN1_OCTET_STRING(int type, const unsigned char *m, unsigned int m_len,
        else
                *siglen = i;
-        OPENSSL_cleanse(s, (unsigned int)j + 1);
+        explicit_bzero(s, (unsigned int)j + 1);
        free(s);
        return ret;
 }
@@ -142,7 +142,7 @@ RSA_verify_ASN1_OCTET_STRING(int dtype, const unsigned char *m,
 err:
        M_ASN1_OCTET_STRING_free(sig);
        if (s != NULL) {
-                OPENSSL_cleanse(s, (unsigned int)siglen);
+                explicit_bzero(s, (unsigned int)siglen);
                free(s);
        }
        return ret;
diff --git a/src/lib/libcrypto/rsa/rsa_sign.c b/src/lib/libcrypto/rsa/rsa_sign.c
index db63c5f038..7be08f544b 100644
--- a/src/lib/libcrypto/rsa/rsa_sign.c
+++ b/src/lib/libcrypto/rsa/rsa_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_sign.c,v 1.24 2015/07/19 18:29:31 miod Exp $ */
+/* $OpenBSD: rsa_sign.c,v 1.25 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -137,7 +137,7 @@ RSA_sign(int type, const unsigned char *m, unsigned int m_len,
                *siglen = i;
        if (type != NID_md5_sha1) {
-                OPENSSL_cleanse(tmps, (unsigned int)j + 1);
+                explicit_bzero(tmps, (unsigned int)j + 1);
                free(tmps);
        }
        return (ret);
@@ -237,7 +237,7 @@ err:
        if (sig != NULL)
                X509_SIG_free(sig);
        if (s != NULL) {
-                OPENSSL_cleanse(s, (unsigned int)siglen);
+                explicit_bzero(s, (unsigned int)siglen);
                free(s);
        }
        return ret;
diff --git a/src/lib/libcrypto/sha/sha1_one.c b/src/lib/libcrypto/sha/sha1_one.c
index f6b5e4bacf..91602ee503 100644
--- a/src/lib/libcrypto/sha/sha1_one.c
+++ b/src/lib/libcrypto/sha/sha1_one.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sha1_one.c,v 1.11 2014/07/10 22:45:58 jsing Exp $ */
+/* $OpenBSD: sha1_one.c,v 1.12 2015/09/10 15:56:26 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -75,7 +75,7 @@ unsigned char *SHA1(const unsigned char *d, size_t n, unsigned char *md)
                return NULL;
        SHA1_Update(&c,d,n);
        SHA1_Final(md,&c);
-        OPENSSL_cleanse(&c,sizeof(c));
+        explicit_bzero(&c,sizeof(c));
        return(md);
        }
 #endif
diff --git a/src/lib/libcrypto/sha/sha256.c b/src/lib/libcrypto/sha/sha256.c
index c5ab56852f..d584660369 100644
--- a/src/lib/libcrypto/sha/sha256.c
+++ b/src/lib/libcrypto/sha/sha256.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sha256.c,v 1.8 2014/08/18 19:11:48 bcook Exp $ */
+/* $OpenBSD: sha256.c,v 1.9 2015/09/10 15:56:26 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 2004 The OpenSSL Project.  All rights reserved
 * according to the OpenSSL license [found in ../../LICENSE].
@@ -49,7 +49,7 @@ unsigned char *SHA224(const unsigned char *d, size_t n, unsigned char *md)
        SHA224_Init(&c);
        SHA256_Update(&c,d,n);
        SHA256_Final(md,&c);
-        OPENSSL_cleanse(&c,sizeof(c));
+        explicit_bzero(&c,sizeof(c));
        return(md);
        }
@@ -62,7 +62,7 @@ unsigned char *SHA256(const unsigned char *d, size_t n, unsigned char *md)
        SHA256_Init(&c);
        SHA256_Update(&c,d,n);
        SHA256_Final(md,&c);
-        OPENSSL_cleanse(&c,sizeof(c));
+        explicit_bzero(&c,sizeof(c));
        return(md);
        }
diff --git a/src/lib/libcrypto/sha/sha512.c b/src/lib/libcrypto/sha/sha512.c
index ad72b7e6f1..7a55c0acc9 100644
--- a/src/lib/libcrypto/sha/sha512.c
+++ b/src/lib/libcrypto/sha/sha512.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sha512.c,v 1.13 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: sha512.c,v 1.14 2015/09/10 15:56:26 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 2004 The OpenSSL Project.  All rights reserved
 * according to the OpenSSL license [found in ../../LICENSE].
@@ -248,7 +248,7 @@ unsigned char *SHA384(const unsigned char *d, size_t n, unsigned char *md)
        SHA384_Init(&c);
        SHA512_Update(&c,d,n);
        SHA512_Final(md,&c);
-        OPENSSL_cleanse(&c,sizeof(c));
+        explicit_bzero(&c,sizeof(c));
        return(md);
        }
@@ -261,7 +261,7 @@ unsigned char *SHA512(const unsigned char *d, size_t n, unsigned char *md)
        SHA512_Init(&c);
        SHA512_Update(&c,d,n);
        SHA512_Final(md,&c);
-        OPENSSL_cleanse(&c,sizeof(c));
+        explicit_bzero(&c,sizeof(c));
        return(md);
        }
diff --git a/src/lib/libcrypto/sha/sha_one.c b/src/lib/libcrypto/sha/sha_one.c
index 1d3fc35f05..ad04021eb1 100644
--- a/src/lib/libcrypto/sha/sha_one.c
+++ b/src/lib/libcrypto/sha/sha_one.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sha_one.c,v 1.8 2014/07/10 22:45:58 jsing Exp $ */
+/* $OpenBSD: sha_one.c,v 1.9 2015/09/10 15:56:26 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -75,7 +75,7 @@ unsigned char *SHA(const unsigned char *d, size_t n, unsigned char *md)
                return NULL;
        SHA_Update(&c,d,n);
        SHA_Final(md,&c);
-        OPENSSL_cleanse(&c,sizeof(c));
+        explicit_bzero(&c,sizeof(c));
        return(md);
        }
 #endif
diff --git a/src/lib/libcrypto/ui/ui_openssl.c b/src/lib/libcrypto/ui/ui_openssl.c
index b3d2971a02..9562c2c937 100644
--- a/src/lib/libcrypto/ui/ui_openssl.c
+++ b/src/lib/libcrypto/ui/ui_openssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ui_openssl.c,v 1.24 2015/07/16 02:46:49 guenther Exp $ */
+/* $OpenBSD: ui_openssl.c,v 1.25 2015/09/10 15:56:26 jsing Exp $ */
 /* Written by Richard Levitte (richard@levitte.org) and others
 * for the OpenSSL project 2001.
 */
@@ -286,7 +286,7 @@ error:
        if (ps >= 1)
                popsig();
-        OPENSSL_cleanse(result, BUFSIZ);
+        explicit_bzero(result, BUFSIZ);
        return ok;
 }
diff --git a/src/lib/libcrypto/ui/ui_util.c b/src/lib/libcrypto/ui/ui_util.c
index e5cee913b2..d1040c9826 100644
--- a/src/lib/libcrypto/ui/ui_util.c
+++ b/src/lib/libcrypto/ui/ui_util.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ui_util.c,v 1.9 2014/06/12 15:49:31 deraadt Exp $ */
+/* $OpenBSD: ui_util.c,v 1.10 2015/09/10 15:56:26 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 2001-2002 The OpenSSL Project.  All rights reserved.
 *
@@ -67,7 +67,7 @@ UI_UTIL_read_pw_string(char *buf, int length, const char *prompt, int verify)
        ret = UI_UTIL_read_pw(buf, buff, (length > BUFSIZ) ? BUFSIZ : length,
            prompt, verify);
-        OPENSSL_cleanse(buff, BUFSIZ);
+        explicit_bzero(buff, BUFSIZ);
        return (ret);
 }
diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c
index 23d6b372c9..2b736b9243 100644
--- a/src/lib/libssl/d1_clnt.c
+++ b/src/lib/libssl/d1_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_clnt.c,v 1.48 2015/09/02 17:59:15 jsing Exp $ */
+/* $OpenBSD: d1_clnt.c,v 1.49 2015/09/10 15:56:26 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -731,7 +731,7 @@ dtls1_send_client_key_exchange(SSL *s)
                            s->method->ssl3_enc->generate_master_secret(s,
                            s->session->master_key,
                            tmp_buf, sizeof tmp_buf);
-                        OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
+                        explicit_bzero(tmp_buf, sizeof tmp_buf);
                } else if (alg_k & SSL_kDHE) {
                        DH *dh_srvr, *dh_clnt;
diff --git a/src/lib/libssl/d1_lib.c b/src/lib/libssl/d1_lib.c
index b269efe469..e7eca4a8cd 100644
--- a/src/lib/libssl/d1_lib.c
+++ b/src/lib/libssl/d1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_lib.c,v 1.29 2015/07/19 20:32:18 doug Exp $ */
+/* $OpenBSD: d1_lib.c,v 1.30 2015/09/10 15:56:26 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -203,7 +203,7 @@ dtls1_free(SSL *s)
        pqueue_free(s->d1->sent_messages);
        pqueue_free(s->d1->buffered_app_data.q);
-        OPENSSL_cleanse(s->d1, sizeof *s->d1);
+        explicit_bzero(s->d1, sizeof *s->d1);
        free(s->d1);
        s->d1 = NULL;
 }
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 1d1a0c77f0..e4ce8163ac 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.125 2015/09/02 17:59:15 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.126 2015/09/10 15:56:26 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1933,7 +1933,7 @@ ssl3_send_client_key_exchange(SSL *s)
                        s->session->master_key_length =
                            s->method->ssl3_enc->generate_master_secret(
                            s, s->session->master_key, tmp_buf, sizeof tmp_buf);
-                        OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
+                        explicit_bzero(tmp_buf, sizeof tmp_buf);
                } else if (alg_k & SSL_kDHE) {
                        DH *dh_srvr, *dh_clnt;
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 42396a21e9..4e6b123698 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.100 2015/08/27 06:21:15 doug Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.101 2015/09/10 15:56:26 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2066,7 +2066,7 @@ ssl3_free(SSL *s)
        ssl3_free_digest_list(s);
        free(s->s3->alpn_selected);
-        OPENSSL_cleanse(s->s3, sizeof *s->s3);
+        explicit_bzero(s->s3, sizeof *s->s3);
        free(s->s3);
        s->s3 = NULL;
 }
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 3f9f6720fa..b2c4f8e0d2 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.115 2015/09/01 13:38:27 jsing Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.116 2015/09/10 15:56:26 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1725,7 +1725,7 @@ ssl3_get_client_key_exchange(SSL *s)
                    s->method->ssl3_enc->generate_master_secret(s,
                    s->session->master_key,
                    p, i);
-                OPENSSL_cleanse(p, i);
+                explicit_bzero(p, i);
        } else if (alg_k & SSL_kDHE) {
                if (2 > n)
                        goto truncated;
@@ -1776,7 +1776,7 @@ ssl3_get_client_key_exchange(SSL *s)
                s->session->master_key_length =
                    s->method->ssl3_enc->generate_master_secret(
                        s, s->session->master_key, p, i);
-                OPENSSL_cleanse(p, i);
+                explicit_bzero(p, i);
        } else
        if (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) {
@@ -1920,7 +1920,7 @@ ssl3_get_client_key_exchange(SSL *s)
                s->session->master_key_length = s->method->ssl3_enc-> \
                    generate_master_secret(s, s->session->master_key, p, i);
-                OPENSSL_cleanse(p, i);
+                explicit_bzero(p, i);
                return (ret);
        } else
        if (alg_k & SSL_kGOST) {
diff --git a/src/lib/libssl/src/crypto/aes/aes_wrap.c b/src/lib/libssl/src/crypto/aes/aes_wrap.c
index 4479473e6b..ac2f83a993 100644
--- a/src/lib/libssl/src/crypto/aes/aes_wrap.c
+++ b/src/lib/libssl/src/crypto/aes/aes_wrap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: aes_wrap.c,v 1.9 2014/07/11 08:44:47 jsing Exp $ */
+/* $OpenBSD: aes_wrap.c,v 1.10 2015/09/10 15:56:24 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -126,7 +126,7 @@ AES_unwrap_key(AES_KEY *key, const unsigned char *iv, unsigned char *out,
        if (!iv)
                iv = default_iv;
        if (memcmp(A, iv, 8)) {
-                OPENSSL_cleanse(out, inlen);
+                explicit_bzero(out, inlen);
                return 0;
        }
        return inlen;
diff --git a/src/lib/libssl/src/crypto/asn1/a_sign.c b/src/lib/libssl/src/crypto/asn1/a_sign.c
index d9385312a7..195daa3b9f 100644
--- a/src/lib/libssl/src/crypto/asn1/a_sign.c
+++ b/src/lib/libssl/src/crypto/asn1/a_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_sign.c,v 1.20 2015/07/19 18:29:31 miod Exp $ */
+/* $OpenBSD: a_sign.c,v 1.21 2015/09/10 15:56:24 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -112,6 +112,7 @@
 #include <sys/types.h>
 #include <stdio.h>
+#include <string.h>
 #include <time.h>
 #include <openssl/bn.h>
@@ -229,11 +230,11 @@ ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
 err:
        EVP_MD_CTX_cleanup(ctx);
        if (buf_in != NULL) {
-                OPENSSL_cleanse((char *)buf_in, inl);
+                explicit_bzero((char *)buf_in, inl);
                free(buf_in);
        }
        if (buf_out != NULL) {
-                OPENSSL_cleanse((char *)buf_out, outll);
+                explicit_bzero((char *)buf_out, outll);
                free(buf_out);
        }
        return (outl);
diff --git a/src/lib/libssl/src/crypto/asn1/a_verify.c b/src/lib/libssl/src/crypto/asn1/a_verify.c
index 3fc79b78f6..12b76501e0 100644
--- a/src/lib/libssl/src/crypto/asn1/a_verify.c
+++ b/src/lib/libssl/src/crypto/asn1/a_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_verify.c,v 1.21 2015/01/28 04:14:31 beck Exp $ */
+/* $OpenBSD: a_verify.c,v 1.22 2015/09/10 15:56:24 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -59,6 +59,7 @@
 #include <sys/types.h>
 #include <stdio.h>
+#include <string.h>
 #include <time.h>
 #include <openssl/bn.h>
@@ -152,7 +153,7 @@ ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
                goto err;
        }
-        OPENSSL_cleanse(buf_in, (unsigned int)inl);
+        explicit_bzero(buf_in, (unsigned int)inl);
        free(buf_in);
        if (EVP_DigestVerifyFinal(&ctx, signature->data,
diff --git a/src/lib/libssl/src/crypto/asn1/n_pkey.c b/src/lib/libssl/src/crypto/asn1/n_pkey.c
index d3a7431356..491f988e92 100644
--- a/src/lib/libssl/src/crypto/asn1/n_pkey.c
+++ b/src/lib/libssl/src/crypto/asn1/n_pkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: n_pkey.c,v 1.26 2015/03/19 14:00:22 tedu Exp $ */
+/* $OpenBSD: n_pkey.c,v 1.27 2015/09/10 15:56:24 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -277,7 +277,7 @@ i2d_RSA_NET(const RSA *a, unsigned char **pp,
        i2d_NETSCAPE_PKEY(pkey, &zz);
        /* Wipe the private key encoding */
-        OPENSSL_cleanse(pkey->private_key->data, rsalen);
+        explicit_bzero(pkey->private_key->data, rsalen);
        if (cb == NULL)
                cb = EVP_read_pw_string;
@@ -297,7 +297,7 @@ i2d_RSA_NET(const RSA *a, unsigned char **pp,
        if (!EVP_BytesToKey(EVP_rc4(), EVP_md5(), NULL, buf, i,1, key, NULL))
                goto err;
-        OPENSSL_cleanse(buf, sizeof(buf));
+        explicit_bzero(buf, sizeof(buf));
        /* Encrypt private key in place */
        zz = enckey->enckey->digest->data;
@@ -394,7 +394,7 @@ d2i_RSA_NET_2(RSA **a, ASN1_OCTET_STRING *os,
        if (!EVP_BytesToKey(EVP_rc4(), EVP_md5(), NULL, buf, i,1, key, NULL))
                goto err;
-        OPENSSL_cleanse(buf, sizeof(buf));
+        explicit_bzero(buf, sizeof(buf));
        if (!EVP_DecryptInit_ex(&ctx, EVP_rc4(), NULL, key, NULL))
                goto err;
diff --git a/src/lib/libssl/src/crypto/asn1/p8_pkey.c b/src/lib/libssl/src/crypto/asn1/p8_pkey.c
index 2f7a469673..71d579456a 100644
--- a/src/lib/libssl/src/crypto/asn1/p8_pkey.c
+++ b/src/lib/libssl/src/crypto/asn1/p8_pkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p8_pkey.c,v 1.16 2015/07/16 18:21:57 miod Exp $ */
+/* $OpenBSD: p8_pkey.c,v 1.17 2015/09/10 15:56:25 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -57,6 +57,7 @@
 */
 #include <stdio.h>
+#include <string.h>
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
@@ -71,7 +72,7 @@ pkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
                if (key->pkey != NULL &&
                    key->pkey->type == V_ASN1_OCTET_STRING &&
                    key->pkey->value.octet_string != NULL)
-                        OPENSSL_cleanse(key->pkey->value.octet_string->data,
+                        explicit_bzero(key->pkey->value.octet_string->data,
                            key->pkey->value.octet_string->length);
        }
        return 1;
diff --git a/src/lib/libssl/src/crypto/bn/bn_exp.c b/src/lib/libssl/src/crypto/bn/bn_exp.c
index 4a28c2c605..c4ca36d136 100644
--- a/src/lib/libssl/src/crypto/bn/bn_exp.c
+++ b/src/lib/libssl/src/crypto/bn/bn_exp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_exp.c,v 1.22 2015/03/21 08:05:20 doug Exp $ */
+/* $OpenBSD: bn_exp.c,v 1.23 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -825,7 +825,7 @@ err:
        if ((in_mont == NULL) && (mont != NULL))
                BN_MONT_CTX_free(mont);
        if (powerbuf != NULL) {
-                OPENSSL_cleanse(powerbuf, powerbufLen);
+                explicit_bzero(powerbuf, powerbufLen);
                free(powerbufFree);
        }
        BN_CTX_end(ctx);
diff --git a/src/lib/libssl/src/crypto/bn/bn_lib.c b/src/lib/libssl/src/crypto/bn/bn_lib.c
index d0cb49cd1e..7cc76c1e85 100644
--- a/src/lib/libssl/src/crypto/bn/bn_lib.c
+++ b/src/lib/libssl/src/crypto/bn/bn_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_lib.c,v 1.33 2014/07/12 16:03:36 miod Exp $ */
+/* $OpenBSD: bn_lib.c,v 1.34 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -221,11 +221,11 @@ BN_clear_free(BIGNUM *a)
                return;
        bn_check_top(a);
        if (a->d != NULL && !(BN_get_flags(a, BN_FLG_STATIC_DATA))) {
-                OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0]));
+                explicit_bzero(a->d, a->dmax * sizeof(a->d[0]));
                free(a->d);
        }
        i = BN_get_flags(a, BN_FLG_MALLOCED);
-        OPENSSL_cleanse(a, sizeof(BIGNUM));
+        explicit_bzero(a, sizeof(BIGNUM));
        if (i)
                free(a);
 }
@@ -395,7 +395,7 @@ bn_expand2(BIGNUM *b, int words)
                if (!a)
                        return NULL;
                if (b->d) {
-                        OPENSSL_cleanse(b->d, b->dmax * sizeof(b->d[0]));
+                        explicit_bzero(b->d, b->dmax * sizeof(b->d[0]));
                        free(b->d);
                }
                b->d = a;
diff --git a/src/lib/libssl/src/crypto/bn/bn_rand.c b/src/lib/libssl/src/crypto/bn/bn_rand.c
index ac5c5eb308..783f6c22f8 100644
--- a/src/lib/libssl/src/crypto/bn/bn_rand.c
+++ b/src/lib/libssl/src/crypto/bn/bn_rand.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_rand.c,v 1.17 2015/02/19 06:10:29 jsing Exp $ */
+/* $OpenBSD: bn_rand.c,v 1.18 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -111,6 +111,7 @@
 #include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
 #include <time.h>
 #include <openssl/err.h>
@@ -186,7 +187,7 @@ bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
 err:
        if (buf != NULL) {
-                OPENSSL_cleanse(buf, bytes);
+                explicit_bzero(buf, bytes);
                free(buf);
        }
        bn_check_top(rnd);
diff --git a/src/lib/libssl/src/crypto/cmac/cmac.c b/src/lib/libssl/src/crypto/cmac/cmac.c
index 18635b942a..d01ae0f3ae 100644
--- a/src/lib/libssl/src/crypto/cmac/cmac.c
+++ b/src/lib/libssl/src/crypto/cmac/cmac.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cmac.c,v 1.9 2014/07/12 14:58:32 miod Exp $ */
+/* $OpenBSD: cmac.c,v 1.10 2015/09/10 15:56:25 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -107,10 +107,10 @@ void
 CMAC_CTX_cleanup(CMAC_CTX *ctx)
 {
        EVP_CIPHER_CTX_cleanup(&ctx->cctx);
-        OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH);
+        explicit_bzero(ctx->tbl, EVP_MAX_BLOCK_LENGTH);
-        OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH);
+        explicit_bzero(ctx->k1, EVP_MAX_BLOCK_LENGTH);
-        OPENSSL_cleanse(ctx->k2, EVP_MAX_BLOCK_LENGTH);
+        explicit_bzero(ctx->k2, EVP_MAX_BLOCK_LENGTH);
-        OPENSSL_cleanse(ctx->last_block, EVP_MAX_BLOCK_LENGTH);
+        explicit_bzero(ctx->last_block, EVP_MAX_BLOCK_LENGTH);
        ctx->nlast_block = -1;
 }
@@ -183,7 +183,7 @@ CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen,
                        return 0;
                make_kn(ctx->k1, ctx->tbl, bl);
                make_kn(ctx->k2, ctx->k1, bl);
-                OPENSSL_cleanse(ctx->tbl, bl);
+                explicit_bzero(ctx->tbl, bl);
                /* Reset context again ready for first data block */
                if (!EVP_EncryptInit_ex(&ctx->cctx, NULL, NULL, NULL, zero_iv))
                        return 0;
@@ -260,7 +260,7 @@ CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen)
                        out[i] = ctx->last_block[i] ^ ctx->k2[i];
        }
        if (!EVP_Cipher(&ctx->cctx, out, out, bl)) {
-                OPENSSL_cleanse(out, bl);
+                explicit_bzero(out, bl);
                return 0;
        }
        return 1;
diff --git a/src/lib/libssl/src/crypto/cms/cms_asn1.c b/src/lib/libssl/src/crypto/cms/cms_asn1.c
index 02a594575d..e450259832 100644
--- a/src/lib/libssl/src/crypto/cms/cms_asn1.c
+++ b/src/lib/libssl/src/crypto/cms/cms_asn1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_asn1.c,v 1.6 2015/07/25 15:22:10 jsing Exp $ */
+/* $OpenBSD: cms_asn1.c,v 1.7 2015/09/10 15:56:25 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -888,13 +888,13 @@ cms_ri_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
                } else if (ri->type == CMS_RECIPINFO_KEK) {
                        CMS_KEKRecipientInfo *kekri = ri->d.kekri;
                        if (kekri->key) {
-                                OPENSSL_cleanse(kekri->key, kekri->keylen);
+                                explicit_bzero(kekri->key, kekri->keylen);
                                free(kekri->key);
                        }
                } else if (ri->type == CMS_RECIPINFO_PASS) {
                        CMS_PasswordRecipientInfo *pwri = ri->d.pwri;
                        if (pwri->pass) {
-                                OPENSSL_cleanse(pwri->pass, pwri->passlen);
+                                explicit_bzero(pwri->pass, pwri->passlen);
                                free(pwri->pass);
                        }
                }
diff --git a/src/lib/libssl/src/crypto/cms/cms_enc.c b/src/lib/libssl/src/crypto/cms/cms_enc.c
index f97e4d5f34..c967a18a3c 100644
--- a/src/lib/libssl/src/crypto/cms/cms_enc.c
+++ b/src/lib/libssl/src/crypto/cms/cms_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_enc.c,v 1.6 2014/10/22 13:02:04 jsing Exp $ */
+/* $OpenBSD: cms_enc.c,v 1.7 2015/09/10 15:56:25 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -164,7 +164,7 @@ cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
                                goto err;
                        } else {
                                /* Use random key */
-                                OPENSSL_cleanse(ec->key, ec->keylen);
+                                explicit_bzero(ec->key, ec->keylen);
                                free(ec->key);
                                ec->key = tkey;
                                ec->keylen = tkeylen;
@@ -197,12 +197,12 @@ cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
 err:
        if (ec->key && !keep_key) {
-                OPENSSL_cleanse(ec->key, ec->keylen);
+                explicit_bzero(ec->key, ec->keylen);
                free(ec->key);
                ec->key = NULL;
        }
        if (tkey) {
-                OPENSSL_cleanse(tkey, tkeylen);
+                explicit_bzero(tkey, tkeylen);
                free(tkey);
        }
        if (ok)
diff --git a/src/lib/libssl/src/crypto/cms/cms_env.c b/src/lib/libssl/src/crypto/cms/cms_env.c
index 63b24b6374..e483c4539f 100644
--- a/src/lib/libssl/src/crypto/cms/cms_env.c
+++ b/src/lib/libssl/src/crypto/cms/cms_env.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_env.c,v 1.8 2014/10/18 17:20:40 jsing Exp $ */
+/* $OpenBSD: cms_env.c,v 1.9 2015/09/10 15:56:25 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -406,7 +406,7 @@ cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri)
        ret = 1;
        if (ec->key) {
-                OPENSSL_cleanse(ec->key, ec->keylen);
+                explicit_bzero(ec->key, ec->keylen);
                free(ec->key);
        }
@@ -654,7 +654,7 @@ cms_RecipientInfo_kekri_encrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri)
 err:
        if (!r && wkey)
                free(wkey);
-        OPENSSL_cleanse(&actx, sizeof(actx));
+        explicit_bzero(&actx, sizeof(actx));
        return r;
 }
@@ -727,7 +727,7 @@ cms_RecipientInfo_kekri_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri)
 err:
        if (!r && ukey)
                free(ukey);
-        OPENSSL_cleanse(&actx, sizeof(actx));
+        explicit_bzero(&actx, sizeof(actx));
        return r;
 }
@@ -806,7 +806,7 @@ cms_EnvelopedData_init_bio(CMS_ContentInfo *cms)
 err:
        ec->cipher = NULL;
        if (ec->key) {
-                OPENSSL_cleanse(ec->key, ec->keylen);
+                explicit_bzero(ec->key, ec->keylen);
                free(ec->key);
                ec->key = NULL;
                ec->keylen = 0;
diff --git a/src/lib/libssl/src/crypto/cms/cms_pwri.c b/src/lib/libssl/src/crypto/cms/cms_pwri.c
index 11509e3c11..7055ba5d3b 100644
--- a/src/lib/libssl/src/crypto/cms/cms_pwri.c
+++ b/src/lib/libssl/src/crypto/cms/cms_pwri.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_pwri.c,v 1.9 2015/05/15 11:00:14 jsg Exp $ */
+/* $OpenBSD: cms_pwri.c,v 1.10 2015/09/10 15:56:25 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -262,7 +262,7 @@ kek_unwrap_key(unsigned char *out, size_t *outlen, const unsigned char *in,
        rv = 1;
 err:
-        OPENSSL_cleanse(tmp, inlen);
+        explicit_bzero(tmp, inlen);
        free(tmp);
        return rv;
 }
diff --git a/src/lib/libssl/src/crypto/des/str2key.c b/src/lib/libssl/src/crypto/des/str2key.c
index 8999eb292a..ce17e2659b 100644
--- a/src/lib/libssl/src/crypto/des/str2key.c
+++ b/src/lib/libssl/src/crypto/des/str2key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: str2key.c,v 1.9 2014/10/28 07:35:58 jsg Exp $ */
+/* $OpenBSD: str2key.c,v 1.10 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -95,7 +95,7 @@ void DES_string_to_key(const char *str, DES_cblock *key)
        DES_set_key_unchecked(key,&ks);
 #endif
        DES_cbc_cksum((const unsigned char*)str,key,length,&ks,key);
-        OPENSSL_cleanse(&ks,sizeof(ks));
+        explicit_bzero(&ks,sizeof(ks));
        DES_set_odd_parity(key);
        }
@@ -168,7 +168,7 @@ void DES_string_to_2keys(const char *str, DES_cblock *key1, DES_cblock *key2)
        DES_set_key_unchecked(key2,&ks);
 #endif
        DES_cbc_cksum((const unsigned char*)str,key2,length,&ks,key2);
-        OPENSSL_cleanse(&ks,sizeof(ks));
+        explicit_bzero(&ks,sizeof(ks));
        DES_set_odd_parity(key1);
        DES_set_odd_parity(key2);
        }
diff --git a/src/lib/libssl/src/crypto/ec/ec_key.c b/src/lib/libssl/src/crypto/ec/ec_key.c
index 45192c3231..fa962e4d0f 100644
--- a/src/lib/libssl/src/crypto/ec/ec_key.c
+++ b/src/lib/libssl/src/crypto/ec/ec_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_key.c,v 1.11 2015/02/09 15:49:22 jsing Exp $ */
+/* $OpenBSD: ec_key.c,v 1.12 2015/09/10 15:56:25 jsing Exp $ */
 /*
 * Written by Nils Larsch for the OpenSSL project.
 */
@@ -122,7 +122,7 @@ EC_KEY_free(EC_KEY * r)
        EC_EX_DATA_free_all_data(&r->method_data);
-        OPENSSL_cleanse((void *) r, sizeof(EC_KEY));
+        explicit_bzero((void *) r, sizeof(EC_KEY));
        free(r);
 }
diff --git a/src/lib/libssl/src/crypto/ec/ec_lib.c b/src/lib/libssl/src/crypto/ec/ec_lib.c
index a12a2ffbb6..c28ab18fc0 100644
--- a/src/lib/libssl/src/crypto/ec/ec_lib.c
+++ b/src/lib/libssl/src/crypto/ec/ec_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_lib.c,v 1.18 2015/05/20 04:33:35 miod Exp $ */
+/* $OpenBSD: ec_lib.c,v 1.19 2015/09/10 15:56:25 jsing Exp $ */
 /*
 * Originally written by Bodo Moeller for the OpenSSL project.
 */
@@ -152,10 +152,10 @@ EC_GROUP_clear_free(EC_GROUP * group)
        BN_clear_free(&group->cofactor);
        if (group->seed) {
-                OPENSSL_cleanse(group->seed, group->seed_len);
+                explicit_bzero(group->seed, group->seed_len);
                free(group->seed);
        }
-        OPENSSL_cleanse(group, sizeof *group);
+        explicit_bzero(group, sizeof *group);
        free(group);
 }
@@ -754,7 +754,7 @@ EC_POINT_clear_free(EC_POINT * point)
                point->meth->point_clear_finish(point);
        else if (point->meth->point_finish != 0)
                point->meth->point_finish(point);
-        OPENSSL_cleanse(point, sizeof *point);
+        explicit_bzero(point, sizeof *point);
        free(point);
 }
diff --git a/src/lib/libssl/src/crypto/ec/ec_mult.c b/src/lib/libssl/src/crypto/ec/ec_mult.c
index 68f55cfcb3..e428ac586b 100644
--- a/src/lib/libssl/src/crypto/ec/ec_mult.c
+++ b/src/lib/libssl/src/crypto/ec/ec_mult.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_mult.c,v 1.18 2015/02/15 08:44:35 miod Exp $ */
+/* $OpenBSD: ec_mult.c,v 1.19 2015/09/10 15:56:25 jsing Exp $ */
 /*
 * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project.
 */
@@ -173,11 +173,11 @@ ec_pre_comp_clear_free(void *pre_)
                for (p = pre->points; *p != NULL; p++) {
                        EC_POINT_clear_free(*p);
-                        OPENSSL_cleanse(p, sizeof *p);
+                        explicit_bzero(p, sizeof *p);
                }
                free(pre->points);
        }
-        OPENSSL_cleanse(pre, sizeof *pre);
+        explicit_bzero(pre, sizeof *pre);
        free(pre);
 }
diff --git a/src/lib/libssl/src/crypto/ec/ecp_nistp224.c b/src/lib/libssl/src/crypto/ec/ecp_nistp224.c
index d29113045a..0976f24a9f 100644
--- a/src/lib/libssl/src/crypto/ec/ecp_nistp224.c
+++ b/src/lib/libssl/src/crypto/ec/ecp_nistp224.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_nistp224.c,v 1.16 2015/02/08 22:25:03 miod Exp $ */
+/* $OpenBSD: ecp_nistp224.c,v 1.17 2015/09/10 15:56:25 jsing Exp $ */
 /*
 * Written by Emilia Kasper (Google) for the OpenSSL project.
 */
@@ -1239,7 +1239,7 @@ nistp224_pre_comp_clear_free(void *pre_)
        if (i > 0)
                return;
-        OPENSSL_cleanse(pre, sizeof *pre);
+        explicit_bzero(pre, sizeof *pre);
        free(pre);
 }
diff --git a/src/lib/libssl/src/crypto/ec/ecp_nistp256.c b/src/lib/libssl/src/crypto/ec/ecp_nistp256.c
index 23a2131980..be1d2a5402 100644
--- a/src/lib/libssl/src/crypto/ec/ecp_nistp256.c
+++ b/src/lib/libssl/src/crypto/ec/ecp_nistp256.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_nistp256.c,v 1.15 2015/02/08 22:25:03 miod Exp $ */
+/* $OpenBSD: ecp_nistp256.c,v 1.16 2015/09/10 15:56:25 jsing Exp $ */
 /*
 * Written by Adam Langley (Google) for the OpenSSL project
 */
@@ -1788,7 +1788,7 @@ nistp256_pre_comp_clear_free(void *pre_)
        if (i > 0)
                return;
-        OPENSSL_cleanse(pre, sizeof *pre);
+        explicit_bzero(pre, sizeof *pre);
        free(pre);
 }
diff --git a/src/lib/libssl/src/crypto/ec/ecp_nistp521.c b/src/lib/libssl/src/crypto/ec/ecp_nistp521.c
index 6382091cf9..cfa13b41f8 100644
--- a/src/lib/libssl/src/crypto/ec/ecp_nistp521.c
+++ b/src/lib/libssl/src/crypto/ec/ecp_nistp521.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_nistp521.c,v 1.16 2015/02/08 22:25:03 miod Exp $ */
+/* $OpenBSD: ecp_nistp521.c,v 1.17 2015/09/10 15:56:25 jsing Exp $ */
 /*
 * Written by Adam Langley (Google) for the OpenSSL project
 */
@@ -1679,7 +1679,7 @@ nistp521_pre_comp_clear_free(void *pre_)
        if (i > 0)
                return;
-        OPENSSL_cleanse(pre, sizeof(*pre));
+        explicit_bzero(pre, sizeof(*pre));
        free(pre);
 }
diff --git a/src/lib/libssl/src/crypto/ecdh/ech_lib.c b/src/lib/libssl/src/crypto/ecdh/ech_lib.c
index 43c4f8ce31..58dddf638f 100644
--- a/src/lib/libssl/src/crypto/ecdh/ech_lib.c
+++ b/src/lib/libssl/src/crypto/ecdh/ech_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ech_lib.c,v 1.8 2015/02/07 13:19:15 doug Exp $ */
+/* $OpenBSD: ech_lib.c,v 1.9 2015/09/10 15:56:25 jsing Exp $ */
 /* ====================================================================
 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
 *
@@ -180,7 +180,7 @@ void ecdh_data_free(void *data)
        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_ECDH, r, &r->ex_data);
-        OPENSSL_cleanse((void *)r, sizeof(ECDH_DATA));
+        explicit_bzero((void *)r, sizeof(ECDH_DATA));
        free(r);
        }
diff --git a/src/lib/libssl/src/crypto/ecdsa/ecs_lib.c b/src/lib/libssl/src/crypto/ecdsa/ecs_lib.c
index dba888cb48..1ba788b4f0 100644
--- a/src/lib/libssl/src/crypto/ecdsa/ecs_lib.c
+++ b/src/lib/libssl/src/crypto/ecdsa/ecs_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecs_lib.c,v 1.9 2015/02/08 13:35:07 jsing Exp $ */
+/* $OpenBSD: ecs_lib.c,v 1.10 2015/09/10 15:56:25 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
 *
@@ -170,7 +170,7 @@ ecdsa_data_free(void *data)
 #endif
        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_ECDSA, r, &r->ex_data);
-        OPENSSL_cleanse((void *)r, sizeof(ECDSA_DATA));
+        explicit_bzero((void *)r, sizeof(ECDSA_DATA));
        free(r);
 }
diff --git a/src/lib/libssl/src/crypto/evp/bio_enc.c b/src/lib/libssl/src/crypto/evp/bio_enc.c
index e367faa967..1920c6d180 100644
--- a/src/lib/libssl/src/crypto/evp/bio_enc.c
+++ b/src/lib/libssl/src/crypto/evp/bio_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bio_enc.c,v 1.18 2014/07/11 08:44:48 jsing Exp $ */
+/* $OpenBSD: bio_enc.c,v 1.19 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -135,7 +135,7 @@ enc_free(BIO *a)
                return (0);
        b = (BIO_ENC_CTX *)a->ptr;
        EVP_CIPHER_CTX_cleanup(&(b->cipher));
-        OPENSSL_cleanse(a->ptr, sizeof(BIO_ENC_CTX));
+        explicit_bzero(a->ptr, sizeof(BIO_ENC_CTX));
        free(a->ptr);
        a->ptr = NULL;
        a->init = 0;
diff --git a/src/lib/libssl/src/crypto/evp/e_aes.c b/src/lib/libssl/src/crypto/evp/e_aes.c
index 0a9455a5d2..a6d48085c3 100644
--- a/src/lib/libssl/src/crypto/evp/e_aes.c
+++ b/src/lib/libssl/src/crypto/evp/e_aes.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_aes.c,v 1.28 2015/06/20 12:01:14 jsing Exp $ */
+/* $OpenBSD: e_aes.c,v 1.29 2015/09/10 15:56:25 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
 *
@@ -690,7 +690,7 @@ aes_gcm_cleanup(EVP_CIPHER_CTX *c)
        if (gctx->iv != c->iv)
                free(gctx->iv);
-        OPENSSL_cleanse(gctx, sizeof(*gctx));
+        explicit_bzero(gctx, sizeof(*gctx));
        return 1;
 }
@@ -972,7 +972,7 @@ aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                /* If tag mismatch wipe buffer */
                if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) {
-                        OPENSSL_cleanse(out, len);
+                        explicit_bzero(out, len);
                        goto err;
                }
                rv = len;
@@ -1339,7 +1339,7 @@ aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                        }
                }
                if (rv == -1)
-                        OPENSSL_cleanse(out, len);
+                        explicit_bzero(out, len);
                cctx->iv_set = 0;
                cctx->tag_set = 0;
                cctx->len_set = 0;
@@ -1417,7 +1417,7 @@ aead_aes_gcm_cleanup(EVP_AEAD_CTX *ctx)
 {
        struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state;
-        OPENSSL_cleanse(gcm_ctx, sizeof(*gcm_ctx));
+        explicit_bzero(gcm_ctx, sizeof(*gcm_ctx));
        free(gcm_ctx);
 }
diff --git a/src/lib/libssl/src/crypto/evp/e_aes_cbc_hmac_sha1.c b/src/lib/libssl/src/crypto/evp/e_aes_cbc_hmac_sha1.c
index 7c23face34..c76c2b1c52 100644
--- a/src/lib/libssl/src/crypto/evp/e_aes_cbc_hmac_sha1.c
+++ b/src/lib/libssl/src/crypto/evp/e_aes_cbc_hmac_sha1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_aes_cbc_hmac_sha1.c,v 1.8 2014/07/12 20:37:07 miod Exp $ */
+/* $OpenBSD: e_aes_cbc_hmac_sha1.c,v 1.9 2015/09/10 15:56:25 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 2011-2013 The OpenSSL Project.  All rights reserved.
 *
@@ -502,7 +502,7 @@ aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
                        SHA1_Init(&key->tail);
                        SHA1_Update(&key->tail, hmac_key, sizeof(hmac_key));
-                        OPENSSL_cleanse(hmac_key, sizeof(hmac_key));
+                        explicit_bzero(hmac_key, sizeof(hmac_key));
                        return 1;
                }
diff --git a/src/lib/libssl/src/crypto/evp/e_chacha20poly1305.c b/src/lib/libssl/src/crypto/evp/e_chacha20poly1305.c
index c003b0ba7f..9deb40b72a 100644
--- a/src/lib/libssl/src/crypto/evp/e_chacha20poly1305.c
+++ b/src/lib/libssl/src/crypto/evp/e_chacha20poly1305.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_chacha20poly1305.c,v 1.9 2015/06/20 12:01:14 jsing Exp $ */
+/* $OpenBSD: e_chacha20poly1305.c,v 1.10 2015/09/10 15:56:25 jsing Exp $ */
 /*
 * Copyright (c) 2014, Google Inc.
 *
@@ -71,7 +71,7 @@ aead_chacha20_poly1305_cleanup(EVP_AEAD_CTX *ctx)
 {
        struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
-        OPENSSL_cleanse(c20_ctx->key, sizeof(c20_ctx->key));
+        explicit_bzero(c20_ctx->key, sizeof(c20_ctx->key));
        free(c20_ctx);
 }
diff --git a/src/lib/libssl/src/crypto/evp/e_idea.c b/src/lib/libssl/src/crypto/evp/e_idea.c
index 3ba4dbcdb9..454ad4e672 100644
--- a/src/lib/libssl/src/crypto/evp/e_idea.c
+++ b/src/lib/libssl/src/crypto/evp/e_idea.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_idea.c,v 1.9 2014/07/11 08:44:48 jsing Exp $ */
+/* $OpenBSD: e_idea.c,v 1.10 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -57,6 +57,7 @@
 */
 #include <stdio.h>
+#include <string.h>
 #include <openssl/opensslconf.h>
@@ -115,7 +116,7 @@ idea_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                idea_set_encrypt_key(key, &tmp);
                idea_set_decrypt_key(&tmp, ctx->cipher_data);
-                OPENSSL_cleanse((unsigned char *)&tmp,
+                explicit_bzero((unsigned char *)&tmp,
                    sizeof(IDEA_KEY_SCHEDULE));
        }
        return 1;
diff --git a/src/lib/libssl/src/crypto/evp/evp_enc.c b/src/lib/libssl/src/crypto/evp/evp_enc.c
index 42ccfceec9..99bf59e05f 100644
--- a/src/lib/libssl/src/crypto/evp/evp_enc.c
+++ b/src/lib/libssl/src/crypto/evp/evp_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_enc.c,v 1.26 2015/02/10 09:52:35 miod Exp $ */
+/* $OpenBSD: evp_enc.c,v 1.27 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -562,7 +562,7 @@ EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
                        return 0;
                /* Cleanse cipher context data */
                if (c->cipher_data)
-                        OPENSSL_cleanse(c->cipher_data, c->cipher->ctx_size);
+                        explicit_bzero(c->cipher_data, c->cipher->ctx_size);
        }
        free(c->cipher_data);
 #ifndef OPENSSL_NO_ENGINE
diff --git a/src/lib/libssl/src/crypto/evp/evp_key.c b/src/lib/libssl/src/crypto/evp/evp_key.c
index 0678536ccb..2c76743e42 100644
--- a/src/lib/libssl/src/crypto/evp/evp_key.c
+++ b/src/lib/libssl/src/crypto/evp/evp_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_key.c,v 1.22 2015/02/10 09:55:39 miod Exp $ */
+/* $OpenBSD: evp_key.c,v 1.23 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -116,7 +116,7 @@ EVP_read_pw_string_min(char *buf, int min, int len, const char *prompt,
        }
        ret = UI_process(ui);
        UI_free(ui);
-        OPENSSL_cleanse(buff, BUFSIZ);
+        explicit_bzero(buff, BUFSIZ);
        return ret;
 }
@@ -201,6 +201,6 @@ EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
 err:
        EVP_MD_CTX_cleanup(&c);
-        OPENSSL_cleanse(md_buf, sizeof md_buf);
+        explicit_bzero(md_buf, sizeof md_buf);
        return rv;
 }
diff --git a/src/lib/libssl/src/crypto/evp/p5_crpt.c b/src/lib/libssl/src/crypto/evp/p5_crpt.c
index 112a69114c..626910fd7a 100644
--- a/src/lib/libssl/src/crypto/evp/p5_crpt.c
+++ b/src/lib/libssl/src/crypto/evp/p5_crpt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p5_crpt.c,v 1.15 2015/02/10 09:52:35 miod Exp $ */
+/* $OpenBSD: p5_crpt.c,v 1.16 2015/09/10 15:56:25 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -147,9 +147,9 @@ PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
            EVP_CIPHER_iv_length(cipher));
        if (!EVP_CipherInit_ex(cctx, cipher, NULL, key, iv, en_de))
                goto err;
-        OPENSSL_cleanse(md_tmp, EVP_MAX_MD_SIZE);
+        explicit_bzero(md_tmp, EVP_MAX_MD_SIZE);
-        OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
+        explicit_bzero(key, EVP_MAX_KEY_LENGTH);
-        OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
+        explicit_bzero(iv, EVP_MAX_IV_LENGTH);
        rv = 1;
 err:
        EVP_MD_CTX_cleanup(&ctx);
diff --git a/src/lib/libssl/src/crypto/evp/p5_crpt2.c b/src/lib/libssl/src/crypto/evp/p5_crpt2.c
index afafb9551f..632c2c76ce 100644
--- a/src/lib/libssl/src/crypto/evp/p5_crpt2.c
+++ b/src/lib/libssl/src/crypto/evp/p5_crpt2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p5_crpt2.c,v 1.20 2015/02/14 15:49:51 miod Exp $ */
+/* $OpenBSD: p5_crpt2.c,v 1.21 2015/09/10 15:56:25 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -300,7 +300,7 @@ PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
        rv = EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de);
 err:
-        OPENSSL_cleanse(key, keylen);
+        explicit_bzero(key, keylen);
        PBKDF2PARAM_free(kdf);
        return rv;
 }
diff --git a/src/lib/libssl/src/crypto/evp/p_open.c b/src/lib/libssl/src/crypto/evp/p_open.c
index aca83e74f6..002a6dea70 100644
--- a/src/lib/libssl/src/crypto/evp/p_open.c
+++ b/src/lib/libssl/src/crypto/evp/p_open.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p_open.c,v 1.16 2014/07/11 08:44:48 jsing Exp $ */
+/* $OpenBSD: p_open.c,v 1.17 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -57,6 +57,7 @@
 */
 #include <stdio.h>
+#include <string.h>
 #include <openssl/opensslconf.h>
@@ -109,7 +110,7 @@ EVP_OpenInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
 err:
        if (key != NULL)
-                OPENSSL_cleanse(key, size);
+                explicit_bzero(key, size);
        free(key);
        return (ret);
 }
diff --git a/src/lib/libssl/src/crypto/gost/gost2814789.c b/src/lib/libssl/src/crypto/gost/gost2814789.c
index b1bef9eae3..e285413ed4 100644
--- a/src/lib/libssl/src/crypto/gost/gost2814789.c
+++ b/src/lib/libssl/src/crypto/gost/gost2814789.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gost2814789.c,v 1.4 2015/02/10 09:46:30 miod Exp $ */
+/* $OpenBSD: gost2814789.c,v 1.5 2015/09/10 15:56:25 jsing Exp $ */
 /*
 * Copyright (c) 2014 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
 * Copyright (c) 2005-2006 Cryptocom LTD
@@ -464,7 +464,7 @@ GOST2814789IMIT(const unsigned char *d, size_t n, unsigned char *md, int nid,
        Gost2814789_set_key(&c.cipher, key, 256);
        GOST2814789IMIT_Update(&c, d, n);
        GOST2814789IMIT_Final(md, &c);
-        OPENSSL_cleanse(&c, sizeof(c));
+        explicit_bzero(&c, sizeof(c));
        return (md);
 }
diff --git a/src/lib/libssl/src/crypto/gost/gostr341001_key.c b/src/lib/libssl/src/crypto/gost/gostr341001_key.c
index dbe360620a..894a189e3b 100644
--- a/src/lib/libssl/src/crypto/gost/gostr341001_key.c
+++ b/src/lib/libssl/src/crypto/gost/gostr341001_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gostr341001_key.c,v 1.5 2015/02/14 06:40:04 jsing Exp $ */
+/* $OpenBSD: gostr341001_key.c,v 1.6 2015/09/10 15:56:25 jsing Exp $ */
 /*
 * Copyright (c) 2014 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
 * Copyright (c) 2005-2006 Cryptocom LTD
@@ -49,6 +49,8 @@
 * ====================================================================
 */
+#include <string.h>
 #include <openssl/opensslconf.h>
 #ifndef OPENSSL_NO_GOST
@@ -103,7 +105,7 @@ GOST_KEY_free(GOST_KEY *r)
        EC_POINT_free(r->pub_key);
        BN_clear_free(r->priv_key);
-        OPENSSL_cleanse((void *)r, sizeof(GOST_KEY));
+        explicit_bzero((void *)r, sizeof(GOST_KEY));
        free(r);
 }
diff --git a/src/lib/libssl/src/crypto/gost/gostr341194.c b/src/lib/libssl/src/crypto/gost/gostr341194.c
index 32c166aefa..2a462185aa 100644
--- a/src/lib/libssl/src/crypto/gost/gostr341194.c
+++ b/src/lib/libssl/src/crypto/gost/gostr341194.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gostr341194.c,v 1.4 2015/07/15 17:13:17 beck Exp $ */
+/* $OpenBSD: gostr341194.c,v 1.5 2015/09/10 15:56:25 jsing Exp $ */
 /*
 * Copyright (c) 2014 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
 * Copyright (c) 2005-2006 Cryptocom LTD
@@ -267,7 +267,7 @@ GOSTR341194(const unsigned char *d, size_t n, unsigned char *md, int nid)
                return 0;
        GOSTR341194_Update(&c, d, n);
        GOSTR341194_Final(md, &c);
-        OPENSSL_cleanse(&c, sizeof(c));
+        explicit_bzero(&c, sizeof(c));
        return (md);
 }
 #endif
diff --git a/src/lib/libssl/src/crypto/gost/streebog.c b/src/lib/libssl/src/crypto/gost/streebog.c
index 8060161d11..902472bd9e 100644
--- a/src/lib/libssl/src/crypto/gost/streebog.c
+++ b/src/lib/libssl/src/crypto/gost/streebog.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: streebog.c,v 1.4 2014/12/07 16:33:51 jsing Exp $ */
+/* $OpenBSD: streebog.c,v 1.5 2015/09/10 15:56:25 jsing Exp $ */
 /*
 * Copyright (c) 2014 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
 * Copyright (c) 2005-2006 Cryptocom LTD
@@ -1455,7 +1455,7 @@ STREEBOG256(const unsigned char *d, size_t n, unsigned char *md)
        STREEBOG256_Init(&c);
        STREEBOG256_Update(&c, d, n);
        STREEBOG256_Final(md, &c);
-        OPENSSL_cleanse(&c, sizeof(c));
+        explicit_bzero(&c, sizeof(c));
        return (md);
 }
@@ -1470,7 +1470,7 @@ STREEBOG512(const unsigned char *d, size_t n, unsigned char *md)
        STREEBOG512_Init(&c);
        STREEBOG512_Update(&c, d, n);
        STREEBOG512_Final(md, &c);
-        OPENSSL_cleanse(&c, sizeof(c));
+        explicit_bzero(&c, sizeof(c));
        return (md);
 }
diff --git a/src/lib/libssl/src/crypto/hmac/hm_ameth.c b/src/lib/libssl/src/crypto/hmac/hm_ameth.c
index da3471c4fd..cfa0239705 100644
--- a/src/lib/libssl/src/crypto/hmac/hm_ameth.c
+++ b/src/lib/libssl/src/crypto/hmac/hm_ameth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hm_ameth.c,v 1.9 2015/07/20 15:45:29 miod Exp $ */
+/* $OpenBSD: hm_ameth.c,v 1.10 2015/09/10 15:56:25 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2007.
 */
@@ -83,7 +83,7 @@ hmac_key_free(EVP_PKEY *pkey)
        if (os) {
                if (os->data)
-                        OPENSSL_cleanse(os->data, os->length);
+                        explicit_bzero(os->data, os->length);
                ASN1_OCTET_STRING_free(os);
        }
 }
diff --git a/src/lib/libssl/src/crypto/hmac/hm_pmeth.c b/src/lib/libssl/src/crypto/hmac/hm_pmeth.c
index 255f4ece8b..c5ac6c00c0 100644
--- a/src/lib/libssl/src/crypto/hmac/hm_pmeth.c
+++ b/src/lib/libssl/src/crypto/hmac/hm_pmeth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hm_pmeth.c,v 1.8 2014/07/11 08:44:48 jsing Exp $ */
+/* $OpenBSD: hm_pmeth.c,v 1.9 2015/09/10 15:56:25 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2007.
 */
@@ -124,7 +124,7 @@ pkey_hmac_cleanup(EVP_PKEY_CTX *ctx)
        HMAC_CTX_cleanup(&hctx->ctx);
        if (hctx->ktmp.data) {
                if (hctx->ktmp.length)
-                        OPENSSL_cleanse(hctx->ktmp.data, hctx->ktmp.length);
+                        explicit_bzero(hctx->ktmp.data, hctx->ktmp.length);
                free(hctx->ktmp.data);
                hctx->ktmp.data = NULL;
        }
diff --git a/src/lib/libssl/src/crypto/md4/md4_one.c b/src/lib/libssl/src/crypto/md4/md4_one.c
index 144f131914..9577d6577b 100644
--- a/src/lib/libssl/src/crypto/md4/md4_one.c
+++ b/src/lib/libssl/src/crypto/md4/md4_one.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: md4_one.c,v 1.7 2015/09/10 15:03:58 jsing Exp $ */
+/* $OpenBSD: md4_one.c,v 1.8 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -71,7 +71,7 @@ unsigned char *MD4(const unsigned char *d, size_t n, unsigned char *md)
                return NULL;
        MD4_Update(&c,d,n);
        MD4_Final(md,&c);
-        OPENSSL_cleanse(&c,sizeof(c));
+        explicit_bzero(&c,sizeof(c));
        return(md);
        }
diff --git a/src/lib/libssl/src/crypto/md5/md5_one.c b/src/lib/libssl/src/crypto/md5/md5_one.c
index f4cc56adb2..3fb05de30c 100644
--- a/src/lib/libssl/src/crypto/md5/md5_one.c
+++ b/src/lib/libssl/src/crypto/md5/md5_one.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: md5_one.c,v 1.9 2015/09/10 15:03:59 jsing Exp $ */
+/* $OpenBSD: md5_one.c,v 1.10 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -71,7 +71,7 @@ unsigned char *MD5(const unsigned char *d, size_t n, unsigned char *md)
                return NULL;
        MD5_Update(&c,d,n);
        MD5_Final(md,&c);
-        OPENSSL_cleanse(&c,sizeof(c));
+        explicit_bzero(&c,sizeof(c));
        return(md);
        }
diff --git a/src/lib/libssl/src/crypto/modes/gcm128.c b/src/lib/libssl/src/crypto/modes/gcm128.c
index 4a72901a33..dd6d91e880 100644
--- a/src/lib/libssl/src/crypto/modes/gcm128.c
+++ b/src/lib/libssl/src/crypto/modes/gcm128.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gcm128.c,v 1.12 2015/02/10 09:46:30 miod Exp $ */
+/* $OpenBSD: gcm128.c,v 1.13 2015/09/10 15:56:25 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 2010 The OpenSSL Project.  All rights reserved.
 *
@@ -1533,7 +1533,7 @@ GCM128_CONTEXT *CRYPTO_gcm128_new(void *key, block128_f block)
 void CRYPTO_gcm128_release(GCM128_CONTEXT *ctx)
 {
        if (ctx) {
-                OPENSSL_cleanse(ctx,sizeof(*ctx));
+                explicit_bzero(ctx,sizeof(*ctx));
                free(ctx);
        }
 }
diff --git a/src/lib/libssl/src/crypto/pem/pem_info.c b/src/lib/libssl/src/crypto/pem/pem_info.c
index 6fe72ce742..191e3b5b10 100644
--- a/src/lib/libssl/src/crypto/pem/pem_info.c
+++ b/src/lib/libssl/src/crypto/pem/pem_info.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_info.c,v 1.20 2015/02/10 09:52:35 miod Exp $ */
+/* $OpenBSD: pem_info.c,v 1.21 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -400,7 +400,7 @@ PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
        ret = 1;
 err:
-        OPENSSL_cleanse((char *)&ctx, sizeof(ctx));
+        explicit_bzero((char *)&ctx, sizeof(ctx));
-        OPENSSL_cleanse(buf, PEM_BUFSIZE);
+        explicit_bzero(buf, PEM_BUFSIZE);
        return (ret);
 }
diff --git a/src/lib/libssl/src/crypto/pem/pem_lib.c b/src/lib/libssl/src/crypto/pem/pem_lib.c
index 6f8759a9ee..852b0eaf86 100644
--- a/src/lib/libssl/src/crypto/pem/pem_lib.c
+++ b/src/lib/libssl/src/crypto/pem/pem_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_lib.c,v 1.41 2015/07/19 18:29:31 miod Exp $ */
+/* $OpenBSD: pem_lib.c,v 1.42 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -403,7 +403,7 @@ PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, void *x,
                        goto err;
                if (kstr == (unsigned char *)buf)
-                        OPENSSL_cleanse(buf, PEM_BUFSIZE);
+                        explicit_bzero(buf, PEM_BUFSIZE);
                if (strlen(objstr) + 23 + 2 * enc->iv_len + 13 > sizeof buf) {
                        PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,
@@ -434,12 +434,12 @@ PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, void *x,
        if (i <= 0)
                ret = 0;
 err:
-        OPENSSL_cleanse(key, sizeof(key));
+        explicit_bzero(key, sizeof(key));
-        OPENSSL_cleanse(iv, sizeof(iv));
+        explicit_bzero(iv, sizeof(iv));
-        OPENSSL_cleanse((char *)&ctx, sizeof(ctx));
+        explicit_bzero((char *)&ctx, sizeof(ctx));
-        OPENSSL_cleanse(buf, PEM_BUFSIZE);
+        explicit_bzero(buf, PEM_BUFSIZE);
        if (data != NULL) {
-                OPENSSL_cleanse(data, (unsigned int)dsize);
+                explicit_bzero(data, (unsigned int)dsize);
                free(data);
        }
        return (ret);
@@ -480,8 +480,8 @@ PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen,
        if (o)
                o = EVP_DecryptFinal_ex(&ctx, &(data[i]), &j);
        EVP_CIPHER_CTX_cleanup(&ctx);
-        OPENSSL_cleanse((char *)buf, sizeof(buf));
+        explicit_bzero((char *)buf, sizeof(buf));
-        OPENSSL_cleanse((char *)key, sizeof(key));
+        explicit_bzero((char *)key, sizeof(key));
        if (!o) {
                PEMerr(PEM_F_PEM_DO_HEADER, PEM_R_BAD_DECRYPT);
                return (0);
@@ -640,7 +640,7 @@ PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data,
        EVP_EncodeFinal(&ctx, buf, &outl);
        if ((outl > 0) && (BIO_write(bp, (char *)buf, outl) != outl))
                goto err;
-        OPENSSL_cleanse(buf, PEM_BUFSIZE * 8);
+        explicit_bzero(buf, PEM_BUFSIZE * 8);
        free(buf);
        buf = NULL;
        if ((BIO_write(bp, "-----END ", 9) != 9) ||
@@ -651,7 +651,7 @@ PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data,
 err:
        if (buf) {
-                OPENSSL_cleanse(buf, PEM_BUFSIZE * 8);
+                explicit_bzero(buf, PEM_BUFSIZE * 8);
                free(buf);
        }
        PEMerr(PEM_F_PEM_WRITE_BIO, reason);
diff --git a/src/lib/libssl/src/crypto/pem/pem_pk8.c b/src/lib/libssl/src/crypto/pem/pem_pk8.c
index 5b0fcc236b..d02dec1546 100644
--- a/src/lib/libssl/src/crypto/pem/pem_pk8.c
+++ b/src/lib/libssl/src/crypto/pem/pem_pk8.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_pk8.c,v 1.9 2014/10/18 17:20:40 jsing Exp $ */
+/* $OpenBSD: pem_pk8.c,v 1.10 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -57,6 +57,7 @@
 */
 #include <stdio.h>
+#include <string.h>
 #include <openssl/buffer.h>
 #include <openssl/err.h>
@@ -135,7 +136,7 @@ do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder, int nid, const EVP_CIPHER *enc,
                }
                p8 = PKCS8_encrypt(nid, enc, kstr, klen, NULL, 0, 0, p8inf);
                if (kstr == buf)
-                        OPENSSL_cleanse(buf, klen);
+                        explicit_bzero(buf, klen);
                PKCS8_PRIV_KEY_INFO_free(p8inf);
                if (isder)
                        ret = i2d_PKCS8_bio(bp, p8);
diff --git a/src/lib/libssl/src/crypto/pem/pem_pkey.c b/src/lib/libssl/src/crypto/pem/pem_pkey.c
index e9c0a8b1c9..afb476f818 100644
--- a/src/lib/libssl/src/crypto/pem/pem_pkey.c
+++ b/src/lib/libssl/src/crypto/pem/pem_pkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_pkey.c,v 1.20 2015/02/11 03:19:37 doug Exp $ */
+/* $OpenBSD: pem_pkey.c,v 1.21 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -144,7 +144,7 @@ p8err:
                PEMerr(PEM_F_PEM_READ_BIO_PRIVATEKEY, ERR_R_ASN1_LIB);
 err:
        free(nm);
-        OPENSSL_cleanse(data, len);
+        explicit_bzero(data, len);
        free(data);
        return (ret);
 }
diff --git a/src/lib/libssl/src/crypto/pem/pem_seal.c b/src/lib/libssl/src/crypto/pem/pem_seal.c
index 08837bd7f7..96687eb77f 100644
--- a/src/lib/libssl/src/crypto/pem/pem_seal.c
+++ b/src/lib/libssl/src/crypto/pem/pem_seal.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_seal.c,v 1.21 2014/10/18 17:20:40 jsing Exp $ */
+/* $OpenBSD: pem_seal.c,v 1.22 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -117,7 +117,7 @@ PEM_SealInit(PEM_ENCODE_SEAL_CTX *ctx, EVP_CIPHER *type, EVP_MD *md_type,
 err:
        free(s);
-        OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
+        explicit_bzero(key, EVP_MAX_KEY_LENGTH);
        return (ret);
 }
diff --git a/src/lib/libssl/src/crypto/pem/pvkfmt.c b/src/lib/libssl/src/crypto/pem/pvkfmt.c
index 025381bcc0..f5a9de39fc 100644
--- a/src/lib/libssl/src/crypto/pem/pvkfmt.c
+++ b/src/lib/libssl/src/crypto/pem/pvkfmt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pvkfmt.c,v 1.13 2015/05/15 11:00:14 jsg Exp $ */
+/* $OpenBSD: pvkfmt.c,v 1.14 2015/09/10 15:56:25 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2005.
 */
@@ -765,7 +765,7 @@ do_PVK_body(const unsigned char **in, unsigned int saltlen,
                        if (!EVP_DecryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf,
                            NULL))
                                goto err;
-                        OPENSSL_cleanse(keybuf, 20);
+                        explicit_bzero(keybuf, 20);
                        if (!EVP_DecryptUpdate(&cctx, q, &enctmplen, p, inlen))
                                goto err;
                        if (!EVP_DecryptFinal_ex(&cctx, q + enctmplen,
@@ -777,7 +777,7 @@ do_PVK_body(const unsigned char **in, unsigned int saltlen,
                                goto err;
                        }
                } else
-                        OPENSSL_cleanse(keybuf, 20);
+                        explicit_bzero(keybuf, 20);
                p = enctmp;
        }
@@ -823,7 +823,7 @@ b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u)
 err:
        if (buf) {
-                OPENSSL_cleanse(buf, buflen);
+                explicit_bzero(buf, buflen);
                free(buf);
        }
        return ret;
@@ -894,7 +894,7 @@ i2b_PVK(unsigned char **out, EVP_PKEY*pk, int enclevel, pem_password_cb *cb,
                p = salt + PVK_SALTLEN + 8;
                if (!EVP_EncryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL))
                        goto error;
-                OPENSSL_cleanse(keybuf, 20);
+                explicit_bzero(keybuf, 20);
                if (!EVP_DecryptUpdate(&cctx, p, &enctmplen, p, pklen - 8))
                        goto error;
                if (!EVP_DecryptFinal_ex(&cctx, p + enctmplen, &enctmplen))
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_crpt.c b/src/lib/libssl/src/crypto/pkcs12/p12_crpt.c
index 288c93c49f..0f215d2fe2 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_crpt.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_crpt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_crpt.c,v 1.11 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: p12_crpt.c,v 1.12 2015/09/10 15:56:25 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -57,6 +57,7 @@
 */
 #include <stdio.h>
+#include <string.h>
 #include <openssl/err.h>
 #include <openssl/pkcs12.h>
@@ -111,7 +112,7 @@ PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
        }
        PBEPARAM_free(pbe);
        ret = EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, en_de);
-        OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
+        explicit_bzero(key, EVP_MAX_KEY_LENGTH);
-        OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
+        explicit_bzero(iv, EVP_MAX_IV_LENGTH);
        return ret;
 }
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_decr.c b/src/lib/libssl/src/crypto/pkcs12/p12_decr.c
index 4cccf43d3f..00195f0a98 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_decr.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_decr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_decr.c,v 1.15 2015/05/15 11:00:14 jsg Exp $ */
+/* $OpenBSD: p12_decr.c,v 1.16 2015/09/10 15:56:25 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -57,6 +57,7 @@
 */
 #include <stdio.h>
+#include <string.h>
 #include <openssl/err.h>
 #include <openssl/pkcs12.h>
@@ -137,7 +138,7 @@ PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it,
        p = out;
        ret = ASN1_item_d2i(NULL, &p, outlen, it);
        if (zbuf)
-                OPENSSL_cleanse(out, outlen);
+                explicit_bzero(out, outlen);
        if (!ret)
                PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I,
                    PKCS12_R_DECODE_ERROR);
@@ -176,7 +177,7 @@ PKCS12_item_i2d_encrypt(X509_ALGOR *algor, const ASN1_ITEM *it,
                goto err;
        }
        if (zbuf)
-                OPENSSL_cleanse(in, inlen);
+                explicit_bzero(in, inlen);
        free(in);
        return oct;
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_key.c b/src/lib/libssl/src/crypto/pkcs12/p12_key.c
index 0b3547a6fb..38f8a8194c 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_key.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_key.c,v 1.22 2015/02/07 13:19:15 doug Exp $ */
+/* $OpenBSD: p12_key.c,v 1.23 2015/09/10 15:56:25 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -89,7 +89,7 @@ PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt,
        if (ret <= 0)
                return 0;
        if (unipass) {
-                OPENSSL_cleanse(unipass, uniplen);
+                explicit_bzero(unipass, uniplen);
                free(unipass);
        }
        return ret;
diff --git a/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c b/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c
index 24bcebef61..7755c3c30e 100644
--- a/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c
+++ b/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_doit.c,v 1.36 2015/07/29 14:58:34 jsing Exp $ */
+/* $OpenBSD: pk7_doit.c,v 1.37 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -233,7 +233,7 @@ pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, PKCS7_RECIP_INFO *ri,
        ret = 1;
        if (*pek) {
-                OPENSSL_cleanse(*pek, *peklen);
+                explicit_bzero(*pek, *peklen);
                free(*pek);
        }
@@ -371,7 +371,7 @@ PKCS7_dataInit(PKCS7 *p7, BIO *bio)
                        if (pkcs7_encode_rinfo(ri, key, keylen) <= 0)
                                goto err;
                }
-                OPENSSL_cleanse(key, keylen);
+                explicit_bzero(key, keylen);
                if (out == NULL)
                        out = btmp;
@@ -588,7 +588,7 @@ PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
                         */
                        if (!EVP_CIPHER_CTX_set_key_length(evp_ctx, eklen)) {
                                /* Use random key as MMA defence */
-                                OPENSSL_cleanse(ek, eklen);
+                                explicit_bzero(ek, eklen);
                                free(ek);
                                ek = tkey;
                                eklen = tkeylen;
@@ -601,12 +601,12 @@ PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
                        goto err;
                if (ek) {
-                        OPENSSL_cleanse(ek, eklen);
+                        explicit_bzero(ek, eklen);
                        free(ek);
                        ek = NULL;
                }
                if (tkey) {
-                        OPENSSL_cleanse(tkey, tkeylen);
+                        explicit_bzero(tkey, tkeylen);
                        free(tkey);
                        tkey = NULL;
                }
@@ -635,11 +635,11 @@ PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
        if (0) {
 err:
                if (ek) {
-                        OPENSSL_cleanse(ek, eklen);
+                        explicit_bzero(ek, eklen);
                        free(ek);
                }
                if (tkey) {
-                        OPENSSL_cleanse(tkey, tkeylen);
+                        explicit_bzero(tkey, tkeylen);
                        free(tkey);
                }
                if (out != NULL)
diff --git a/src/lib/libssl/src/crypto/rand/randfile.c b/src/lib/libssl/src/crypto/rand/randfile.c
index 6948a83634..72c065c48d 100644
--- a/src/lib/libssl/src/crypto/rand/randfile.c
+++ b/src/lib/libssl/src/crypto/rand/randfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: randfile.c,v 1.41 2015/07/18 22:46:42 beck Exp $ */
+/* $OpenBSD: randfile.c,v 1.42 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -130,7 +130,7 @@ RAND_write_file(const char *file)
        }
        fclose(out);
-        OPENSSL_cleanse(buf, BUFSIZE);
+        explicit_bzero(buf, BUFSIZE);
        return ret;
 }
diff --git a/src/lib/libssl/src/crypto/ripemd/rmd_one.c b/src/lib/libssl/src/crypto/ripemd/rmd_one.c
index 84b13d5312..0d372f32f7 100644
--- a/src/lib/libssl/src/crypto/ripemd/rmd_one.c
+++ b/src/lib/libssl/src/crypto/ripemd/rmd_one.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rmd_one.c,v 1.8 2015/09/10 15:03:59 jsing Exp $ */
+/* $OpenBSD: rmd_one.c,v 1.9 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -72,7 +72,7 @@ unsigned char *RIPEMD160(const unsigned char *d, size_t n,
                return NULL;
        RIPEMD160_Update(&c,d,n);
        RIPEMD160_Final(md,&c);
-        OPENSSL_cleanse(&c,sizeof(c));
+        explicit_bzero(&c,sizeof(c));
        return(md);
        }
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_eay.c b/src/lib/libssl/src/crypto/rsa/rsa_eay.c
index 940964cac3..76863e7220 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_eay.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_eay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_eay.c,v 1.39 2015/06/13 08:38:10 doug Exp $ */
+/* $OpenBSD: rsa_eay.c,v 1.40 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -110,6 +110,7 @@
 */
 #include <stdio.h>
+#include <string.h>
 #include <openssl/opensslconf.h>
@@ -242,7 +243,7 @@ err:
                BN_CTX_free(ctx);
        }
        if (buf != NULL) {
-                OPENSSL_cleanse(buf, num);
+                explicit_bzero(buf, num);
                free(buf);
        }
        return r;
@@ -472,7 +473,7 @@ err:
                BN_CTX_free(ctx);
        }
        if (buf != NULL) {
-                OPENSSL_cleanse(buf, num);
+                explicit_bzero(buf, num);
                free(buf);
        }
        return r;
@@ -607,7 +608,7 @@ err:
                BN_CTX_free(ctx);
        }
        if (buf != NULL) {
-                OPENSSL_cleanse(buf, num);
+                explicit_bzero(buf, num);
                free(buf);
        }
        return r;
@@ -712,7 +713,7 @@ err:
                BN_CTX_free(ctx);
        }
        if (buf != NULL) {
-                OPENSSL_cleanse(buf, num);
+                explicit_bzero(buf, num);
                free(buf);
        }
        return r;
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_saos.c b/src/lib/libssl/src/crypto/rsa/rsa_saos.c
index 3a07a7af4a..0a4f37a3da 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_saos.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_saos.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_saos.c,v 1.17 2015/07/19 18:29:31 miod Exp $ */
+/* $OpenBSD: rsa_saos.c,v 1.18 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -97,7 +97,7 @@ RSA_sign_ASN1_OCTET_STRING(int type, const unsigned char *m, unsigned int m_len,
        else
                *siglen = i;
-        OPENSSL_cleanse(s, (unsigned int)j + 1);
+        explicit_bzero(s, (unsigned int)j + 1);
        free(s);
        return ret;
 }
@@ -142,7 +142,7 @@ RSA_verify_ASN1_OCTET_STRING(int dtype, const unsigned char *m,
 err:
        M_ASN1_OCTET_STRING_free(sig);
        if (s != NULL) {
-                OPENSSL_cleanse(s, (unsigned int)siglen);
+                explicit_bzero(s, (unsigned int)siglen);
                free(s);
        }
        return ret;
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_sign.c b/src/lib/libssl/src/crypto/rsa/rsa_sign.c
index db63c5f038..7be08f544b 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_sign.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_sign.c,v 1.24 2015/07/19 18:29:31 miod Exp $ */
+/* $OpenBSD: rsa_sign.c,v 1.25 2015/09/10 15:56:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -137,7 +137,7 @@ RSA_sign(int type, const unsigned char *m, unsigned int m_len,
                *siglen = i;
        if (type != NID_md5_sha1) {
-                OPENSSL_cleanse(tmps, (unsigned int)j + 1);
+                explicit_bzero(tmps, (unsigned int)j + 1);
                free(tmps);
        }
        return (ret);
@@ -237,7 +237,7 @@ err:
        if (sig != NULL)
                X509_SIG_free(sig);
        if (s != NULL) {
-                OPENSSL_cleanse(s, (unsigned int)siglen);
+                explicit_bzero(s, (unsigned int)siglen);
                free(s);
        }
        return ret;
diff --git a/src/lib/libssl/src/crypto/sha/sha1_one.c b/src/lib/libssl/src/crypto/sha/sha1_one.c
index f6b5e4bacf..91602ee503 100644
--- a/src/lib/libssl/src/crypto/sha/sha1_one.c
+++ b/src/lib/libssl/src/crypto/sha/sha1_one.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sha1_one.c,v 1.11 2014/07/10 22:45:58 jsing Exp $ */
+/* $OpenBSD: sha1_one.c,v 1.12 2015/09/10 15:56:26 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -75,7 +75,7 @@ unsigned char *SHA1(const unsigned char *d, size_t n, unsigned char *md)
                return NULL;
        SHA1_Update(&c,d,n);
        SHA1_Final(md,&c);
-        OPENSSL_cleanse(&c,sizeof(c));
+        explicit_bzero(&c,sizeof(c));
        return(md);
        }
 #endif
diff --git a/src/lib/libssl/src/crypto/sha/sha256.c b/src/lib/libssl/src/crypto/sha/sha256.c
index c5ab56852f..d584660369 100644
--- a/src/lib/libssl/src/crypto/sha/sha256.c
+++ b/src/lib/libssl/src/crypto/sha/sha256.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sha256.c,v 1.8 2014/08/18 19:11:48 bcook Exp $ */
+/* $OpenBSD: sha256.c,v 1.9 2015/09/10 15:56:26 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 2004 The OpenSSL Project.  All rights reserved
 * according to the OpenSSL license [found in ../../LICENSE].
@@ -49,7 +49,7 @@ unsigned char *SHA224(const unsigned char *d, size_t n, unsigned char *md)
        SHA224_Init(&c);
        SHA256_Update(&c,d,n);
        SHA256_Final(md,&c);
-        OPENSSL_cleanse(&c,sizeof(c));
+        explicit_bzero(&c,sizeof(c));
        return(md);
        }
@@ -62,7 +62,7 @@ unsigned char *SHA256(const unsigned char *d, size_t n, unsigned char *md)
        SHA256_Init(&c);
        SHA256_Update(&c,d,n);
        SHA256_Final(md,&c);
-        OPENSSL_cleanse(&c,sizeof(c));
+        explicit_bzero(&c,sizeof(c));
        return(md);
        }
diff --git a/src/lib/libssl/src/crypto/sha/sha512.c b/src/lib/libssl/src/crypto/sha/sha512.c
index ad72b7e6f1..7a55c0acc9 100644
--- a/src/lib/libssl/src/crypto/sha/sha512.c
+++ b/src/lib/libssl/src/crypto/sha/sha512.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sha512.c,v 1.13 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: sha512.c,v 1.14 2015/09/10 15:56:26 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 2004 The OpenSSL Project.  All rights reserved
 * according to the OpenSSL license [found in ../../LICENSE].
@@ -248,7 +248,7 @@ unsigned char *SHA384(const unsigned char *d, size_t n, unsigned char *md)
        SHA384_Init(&c);
        SHA512_Update(&c,d,n);
        SHA512_Final(md,&c);
-        OPENSSL_cleanse(&c,sizeof(c));
+        explicit_bzero(&c,sizeof(c));
        return(md);
        }
@@ -261,7 +261,7 @@ unsigned char *SHA512(const unsigned char *d, size_t n, unsigned char *md)
        SHA512_Init(&c);
        SHA512_Update(&c,d,n);
        SHA512_Final(md,&c);
-        OPENSSL_cleanse(&c,sizeof(c));
+        explicit_bzero(&c,sizeof(c));
        return(md);
        }
diff --git a/src/lib/libssl/src/crypto/sha/sha_one.c b/src/lib/libssl/src/crypto/sha/sha_one.c
index 1d3fc35f05..ad04021eb1 100644
--- a/src/lib/libssl/src/crypto/sha/sha_one.c
+++ b/src/lib/libssl/src/crypto/sha/sha_one.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sha_one.c,v 1.8 2014/07/10 22:45:58 jsing Exp $ */
+/* $OpenBSD: sha_one.c,v 1.9 2015/09/10 15:56:26 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -75,7 +75,7 @@ unsigned char *SHA(const unsigned char *d, size_t n, unsigned char *md)
                return NULL;
        SHA_Update(&c,d,n);
        SHA_Final(md,&c);
-        OPENSSL_cleanse(&c,sizeof(c));
+        explicit_bzero(&c,sizeof(c));
        return(md);
        }
 #endif
diff --git a/src/lib/libssl/src/crypto/ui/ui_openssl.c b/src/lib/libssl/src/crypto/ui/ui_openssl.c
index b3d2971a02..9562c2c937 100644
--- a/src/lib/libssl/src/crypto/ui/ui_openssl.c
+++ b/src/lib/libssl/src/crypto/ui/ui_openssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ui_openssl.c,v 1.24 2015/07/16 02:46:49 guenther Exp $ */
+/* $OpenBSD: ui_openssl.c,v 1.25 2015/09/10 15:56:26 jsing Exp $ */
 /* Written by Richard Levitte (richard@levitte.org) and others
 * for the OpenSSL project 2001.
 */
@@ -286,7 +286,7 @@ error:
        if (ps >= 1)
                popsig();
-        OPENSSL_cleanse(result, BUFSIZ);
+        explicit_bzero(result, BUFSIZ);
        return ok;
 }
diff --git a/src/lib/libssl/src/crypto/ui/ui_util.c b/src/lib/libssl/src/crypto/ui/ui_util.c
index e5cee913b2..d1040c9826 100644
--- a/src/lib/libssl/src/crypto/ui/ui_util.c
+++ b/src/lib/libssl/src/crypto/ui/ui_util.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ui_util.c,v 1.9 2014/06/12 15:49:31 deraadt Exp $ */
+/* $OpenBSD: ui_util.c,v 1.10 2015/09/10 15:56:26 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 2001-2002 The OpenSSL Project.  All rights reserved.
 *
@@ -67,7 +67,7 @@ UI_UTIL_read_pw_string(char *buf, int length, const char *prompt, int verify)
        ret = UI_UTIL_read_pw(buf, buff, (length > BUFSIZ) ? BUFSIZ : length,
            prompt, verify);
-        OPENSSL_cleanse(buff, BUFSIZ);
+        explicit_bzero(buff, BUFSIZ);
        return (ret);
 }
diff --git a/src/lib/libssl/src/ssl/d1_clnt.c b/src/lib/libssl/src/ssl/d1_clnt.c
index 23d6b372c9..2b736b9243 100644
--- a/src/lib/libssl/src/ssl/d1_clnt.c
+++ b/src/lib/libssl/src/ssl/d1_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_clnt.c,v 1.48 2015/09/02 17:59:15 jsing Exp $ */
+/* $OpenBSD: d1_clnt.c,v 1.49 2015/09/10 15:56:26 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -731,7 +731,7 @@ dtls1_send_client_key_exchange(SSL *s)
                            s->method->ssl3_enc->generate_master_secret(s,
                            s->session->master_key,
                            tmp_buf, sizeof tmp_buf);
-                        OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
+                        explicit_bzero(tmp_buf, sizeof tmp_buf);
                } else if (alg_k & SSL_kDHE) {
                        DH *dh_srvr, *dh_clnt;
diff --git a/src/lib/libssl/src/ssl/d1_lib.c b/src/lib/libssl/src/ssl/d1_lib.c
index b269efe469..e7eca4a8cd 100644
--- a/src/lib/libssl/src/ssl/d1_lib.c
+++ b/src/lib/libssl/src/ssl/d1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_lib.c,v 1.29 2015/07/19 20:32:18 doug Exp $ */
+/* $OpenBSD: d1_lib.c,v 1.30 2015/09/10 15:56:26 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -203,7 +203,7 @@ dtls1_free(SSL *s)
        pqueue_free(s->d1->sent_messages);
        pqueue_free(s->d1->buffered_app_data.q);
-        OPENSSL_cleanse(s->d1, sizeof *s->d1);
+        explicit_bzero(s->d1, sizeof *s->d1);
        free(s->d1);
        s->d1 = NULL;
 }
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index 1d1a0c77f0..e4ce8163ac 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.125 2015/09/02 17:59:15 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.126 2015/09/10 15:56:26 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1933,7 +1933,7 @@ ssl3_send_client_key_exchange(SSL *s)
                        s->session->master_key_length =
                            s->method->ssl3_enc->generate_master_secret(
                            s, s->session->master_key, tmp_buf, sizeof tmp_buf);
-                        OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
+                        explicit_bzero(tmp_buf, sizeof tmp_buf);
                } else if (alg_k & SSL_kDHE) {
                        DH *dh_srvr, *dh_clnt;
diff --git a/src/lib/libssl/src/ssl/s3_enc.c b/src/lib/libssl/src/ssl/s3_enc.c
index bfa719df5f..515072a99e 100644
--- a/src/lib/libssl/src/ssl/s3_enc.c
+++ b/src/lib/libssl/src/ssl/s3_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_enc.c,v 1.61 2015/07/19 20:32:18 doug Exp $ */
+/* $OpenBSD: s3_enc.c,v 1.62 2015/09/10 15:56:26 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -209,7 +209,7 @@ ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
                km += MD5_DIGEST_LENGTH;
        }
-        OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH);
+        explicit_bzero(smd, SHA_DIGEST_LENGTH);
        EVP_MD_CTX_cleanup(&m5);
        EVP_MD_CTX_cleanup(&s1);
        return 1;
@@ -392,7 +392,7 @@ void
 ssl3_cleanup_key_block(SSL *s)
 {
        if (s->s3->tmp.key_block != NULL) {
-                OPENSSL_cleanse(s->s3->tmp.key_block,
+                explicit_bzero(s->s3->tmp.key_block,
                    s->s3->tmp.key_block_length);
                free(s->s3->tmp.key_block);
                s->s3->tmp.key_block = NULL;
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c
index 42396a21e9..4e6b123698 100644
--- a/src/lib/libssl/src/ssl/s3_lib.c
+++ b/src/lib/libssl/src/ssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.100 2015/08/27 06:21:15 doug Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.101 2015/09/10 15:56:26 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2066,7 +2066,7 @@ ssl3_free(SSL *s)
        ssl3_free_digest_list(s);
        free(s->s3->alpn_selected);
-        OPENSSL_cleanse(s->s3, sizeof *s->s3);
+        explicit_bzero(s->s3, sizeof *s->s3);
        free(s->s3);
        s->s3 = NULL;
 }
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index 3f9f6720fa..b2c4f8e0d2 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.115 2015/09/01 13:38:27 jsing Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.116 2015/09/10 15:56:26 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1725,7 +1725,7 @@ ssl3_get_client_key_exchange(SSL *s)
                    s->method->ssl3_enc->generate_master_secret(s,
                    s->session->master_key,
                    p, i);
-                OPENSSL_cleanse(p, i);
+                explicit_bzero(p, i);
        } else if (alg_k & SSL_kDHE) {
                if (2 > n)
                        goto truncated;
@@ -1776,7 +1776,7 @@ ssl3_get_client_key_exchange(SSL *s)
                s->session->master_key_length =
                    s->method->ssl3_enc->generate_master_secret(
                        s, s->session->master_key, p, i);
-                OPENSSL_cleanse(p, i);
+                explicit_bzero(p, i);
        } else
        if (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) {
@@ -1920,7 +1920,7 @@ ssl3_get_client_key_exchange(SSL *s)
                s->session->master_key_length = s->method->ssl3_enc-> \
                    generate_master_secret(s, s->session->master_key, p, i);
-                OPENSSL_cleanse(p, i);
+                explicit_bzero(p, i);
                return (ret);
        } else
        if (alg_k & SSL_kGOST) {
diff --git a/src/lib/libssl/src/ssl/ssl_sess.c b/src/lib/libssl/src/ssl/ssl_sess.c
index a688b9ef41..5d18c8a0b4 100644
--- a/src/lib/libssl/src/ssl/ssl_sess.c
+++ b/src/lib/libssl/src/ssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.46 2015/08/27 06:21:15 doug Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.47 2015/09/10 15:56:26 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -694,8 +694,8 @@ SSL_SESSION_free(SSL_SESSION *ss)
        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
-        OPENSSL_cleanse(ss->master_key, sizeof ss->master_key);
+        explicit_bzero(ss->master_key, sizeof ss->master_key);
-        OPENSSL_cleanse(ss->session_id, sizeof ss->session_id);
+        explicit_bzero(ss->session_id, sizeof ss->session_id);
        if (ss->sess_cert != NULL)
                ssl_sess_cert_free(ss->sess_cert);
        if (ss->peer != NULL)
@@ -708,7 +708,7 @@ SSL_SESSION_free(SSL_SESSION *ss)
        free(ss->tlsext_ecpointformatlist);
        ss->tlsext_ellipticcurvelist_length = 0;
        free(ss->tlsext_ellipticcurvelist);
-        OPENSSL_cleanse(ss, sizeof(*ss));
+        explicit_bzero(ss, sizeof(*ss));
        free(ss);
 }
diff --git a/src/lib/libssl/src/ssl/t1_enc.c b/src/lib/libssl/src/ssl/t1_enc.c
index a3a5d4dd7d..5d2b8eaf89 100644
--- a/src/lib/libssl/src/ssl/t1_enc.c
+++ b/src/lib/libssl/src/ssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.80 2015/08/27 14:16:57 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.81 2015/09/10 15:56:26 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -226,7 +226,7 @@ err:
        EVP_PKEY_free(mac_key);
        EVP_MD_CTX_cleanup(&ctx);
        EVP_MD_CTX_cleanup(&ctx_tmp);
-        OPENSSL_cleanse(A1, sizeof(A1));
+        explicit_bzero(A1, sizeof(A1));
        return ret;
 }
@@ -659,7 +659,7 @@ tls1_setup_key_block(SSL *s)
 err:
        if (tmp_block) {
-                OPENSSL_cleanse(tmp_block, key_block_len);
+                explicit_bzero(tmp_block, key_block_len);
                free(tmp_block);
        }
        return (ret);
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index a688b9ef41..5d18c8a0b4 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.46 2015/08/27 06:21:15 doug Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.47 2015/09/10 15:56:26 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -694,8 +694,8 @@ SSL_SESSION_free(SSL_SESSION *ss)
        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
-        OPENSSL_cleanse(ss->master_key, sizeof ss->master_key);
+        explicit_bzero(ss->master_key, sizeof ss->master_key);
-        OPENSSL_cleanse(ss->session_id, sizeof ss->session_id);
+        explicit_bzero(ss->session_id, sizeof ss->session_id);
        if (ss->sess_cert != NULL)
                ssl_sess_cert_free(ss->sess_cert);
        if (ss->peer != NULL)
@@ -708,7 +708,7 @@ SSL_SESSION_free(SSL_SESSION *ss)
        free(ss->tlsext_ecpointformatlist);
        ss->tlsext_ellipticcurvelist_length = 0;
        free(ss->tlsext_ellipticcurvelist);
-        OPENSSL_cleanse(ss, sizeof(*ss));
+        explicit_bzero(ss, sizeof(*ss));
        free(ss);
 }
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index a3a5d4dd7d..5d2b8eaf89 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.80 2015/08/27 14:16:57 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.81 2015/09/10 15:56:26 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -226,7 +226,7 @@ err:
        EVP_PKEY_free(mac_key);
        EVP_MD_CTX_cleanup(&ctx);
        EVP_MD_CTX_cleanup(&ctx_tmp);
-        OPENSSL_cleanse(A1, sizeof(A1));
+        explicit_bzero(A1, sizeof(A1));
        return ret;
 }
@@ -659,7 +659,7 @@ tls1_setup_key_block(SSL *s)
 err:
        if (tmp_block) {
-                OPENSSL_cleanse(tmp_block, key_block_len);
+                explicit_bzero(tmp_block, key_block_len);
                free(tmp_block);
        }
        return (ret);
author	jsing <>	2015-09-10 15:56:26 +0000
committer	jsing <>	2015-09-10 15:56:26 +0000
commit	1b9402de2dd1b97eca2be1996ed51c82f0663c92 (patch)
tree	27c1922db8e3f519794fe6a13a1dfba3d4759090
parent	e1b77a3f14ebb06ead650e78b43ddd6546237b0a (diff)
download	openbsd-1b9402de2dd1b97eca2be1996ed51c82f0663c92.tar.gz openbsd-1b9402de2dd1b97eca2be1996ed51c82f0663c92.tar.bz2 openbsd-1b9402de2dd1b97eca2be1996ed51c82f0663c92.zip