use freezero() instead of memset/explicit_bzero + free. Substantially

reduces conditional logic (-218, +82).

MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH cache alignment calculation bn/bn_exp.c
wasn'tt quite right.  Two other tricky bits with ASN1_STRING_FLAG_NDEF and
BN_FLG_STATIC_DATA where the condition cannot be collapsed completely.

Passes regress.  ok beck

38 files changed, 109 insertions, 238 deletions

diff --git a/src/lib/libcrypto/asn1/a_object.c b/src/lib/libcrypto/asn1/a_object.c
index 711b01f149..e10af97d36 100644
--- a/src/lib/libcrypto/asn1/a_object.c
+++ b/src/lib/libcrypto/asn1/a_object.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_object.c,v 1.29 2017/01/29 17:49:22 beck Exp $ */
+/* $OpenBSD: a_object.c,v 1.30 2017/05/02 03:59:44 deraadt Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -231,8 +231,7 @@ i2a_ASN1_OBJECT(BIO *bp, ASN1_OBJECT *a)
                 return -1;
         i = i2t_ASN1_OBJECT(tmp, tlen, a);
         if (i > (int)(tlen - 1)) {
-                explicit_bzero(tmp, tlen);
-                free(tmp);
+                freezero(tmp, tlen);
                 if ((tmp = malloc(i + 1)) == NULL)
                         return -1;
                 tlen = i + 1;
@@ -242,8 +241,7 @@ i2a_ASN1_OBJECT(BIO *bp, ASN1_OBJECT *a)
                 i = BIO_write(bp, "<INVALID>", 9);
         else
                 i = BIO_write(bp, tmp, i);
-        explicit_bzero(tmp, tlen);
-        free(tmp);
+        freezero(tmp, tlen);
         return (i);
 }
 
@@ -319,9 +317,7 @@ c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, long len)
 
         /* detach data from object */
         data = (unsigned char *)ret->data;
-        if (data != NULL)
-                explicit_bzero(data, ret->length);
-        free(data);
+        freezero(data, ret->length);
 
         data = malloc(length);
         if (data == NULL) {
@@ -380,9 +376,7 @@ ASN1_OBJECT_free(ASN1_OBJECT *a)
                 a->sn = a->ln = NULL;
         }
         if (a->flags & ASN1_OBJECT_FLAG_DYNAMIC_DATA) {
-                if (a->data != NULL)
-                        explicit_bzero((void *)a->data, a->length);
-                free((void *)a->data);
+                freezero((void *)a->data, a->length);
                 a->data = NULL;
                 a->length = 0;
         }
diff --git a/src/lib/libcrypto/asn1/a_sign.c b/src/lib/libcrypto/asn1/a_sign.c
index 4e545eb719..df955be745 100644
--- a/src/lib/libcrypto/asn1/a_sign.c
+++ b/src/lib/libcrypto/asn1/a_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_sign.c,v 1.22 2017/01/29 17:49:22 beck Exp $ */
+/* $OpenBSD: a_sign.c,v 1.23 2017/05/02 03:59:44 deraadt Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -227,13 +227,7 @@ ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
 
 err:
         EVP_MD_CTX_cleanup(ctx);
-        if (buf_in != NULL) {
-                explicit_bzero((char *)buf_in, inl);
-                free(buf_in);
-        }
-        if (buf_out != NULL) {
-                explicit_bzero((char *)buf_out, outll);
-                free(buf_out);
-        }
+        freezero((char *)buf_in, inl);
+        freezero((char *)buf_out, outll);
         return (outl);
 }
diff --git a/src/lib/libcrypto/asn1/a_verify.c b/src/lib/libcrypto/asn1/a_verify.c
index 8f8e58c095..6f0cd1080b 100644
--- a/src/lib/libcrypto/asn1/a_verify.c
+++ b/src/lib/libcrypto/asn1/a_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_verify.c,v 1.23 2017/01/29 17:49:22 beck Exp $ */
+/* $OpenBSD: a_verify.c,v 1.24 2017/05/02 03:59:44 deraadt Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -148,8 +148,7 @@ ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
                 goto err;
         }
 
-        explicit_bzero(buf_in, (unsigned int)inl);
-        free(buf_in);
+        freezero(buf_in, (unsigned int)inl);
 
         if (EVP_DigestVerifyFinal(&ctx, signature->data,
             (size_t)signature->length) <= 0) {
diff --git a/src/lib/libcrypto/asn1/asn1_lib.c b/src/lib/libcrypto/asn1/asn1_lib.c
index a90873d54a..852644a781 100644
--- a/src/lib/libcrypto/asn1/asn1_lib.c
+++ b/src/lib/libcrypto/asn1/asn1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_lib.c,v 1.38 2017/01/29 17:49:22 beck Exp $ */
+/* $OpenBSD: asn1_lib.c,v 1.39 2017/05/02 03:59:44 deraadt Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -401,9 +401,7 @@ ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len)
 void
 ASN1_STRING_set0(ASN1_STRING *str, void *data, int len)
 {
-        if (str->data != NULL)
-                explicit_bzero(str->data, str->length);
-        free(str->data);
+        freezero(str->data, str->length);
         str->data = data;
         str->length = len;
 }
@@ -436,10 +434,8 @@ ASN1_STRING_free(ASN1_STRING *a)
 {
         if (a == NULL)
                 return;
-        if (a->data != NULL && !(a->flags & ASN1_STRING_FLAG_NDEF)) {
-                explicit_bzero(a->data, a->length);
-                free(a->data);
-        }
+        if (a->data != NULL && !(a->flags & ASN1_STRING_FLAG_NDEF))
+                freezero(a->data, a->length);
         free(a);
 }
 
diff --git a/src/lib/libcrypto/bn/bn_asm.c b/src/lib/libcrypto/bn/bn_asm.c
index 49f0ba5d7b..993fbb3dc5 100644
--- a/src/lib/libcrypto/bn/bn_asm.c
+++ b/src/lib/libcrypto/bn/bn_asm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_asm.c,v 1.14 2015/02/25 15:39:49 bcook Exp $ */
+/* $OpenBSD: bn_asm.c,v 1.15 2017/05/02 03:59:44 deraadt Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -989,8 +989,7 @@ enter:
         }
         memcpy(rp, tp, num * sizeof(BN_ULONG));
 out:
-        explicit_bzero(tp, (num + 2) * sizeof(BN_ULONG));
-        free(tp);
+        freezero(tp, (num + 2) * sizeof(BN_ULONG));
         return 1;
 }
 #else
@@ -1081,8 +1080,7 @@ bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
         }
         memcpy(rp, tp, num * sizeof(BN_ULONG));
 out:
-        explicit_bzero(tp, (num + 2) * sizeof(BN_ULONG));
-        free(tp);
+        freezero(tp, (num + 2) * sizeof(BN_ULONG));
         return 1;
 }
 #else
diff --git a/src/lib/libcrypto/bn/bn_exp.c b/src/lib/libcrypto/bn/bn_exp.c
index d388758927..b778d5d67c 100644
--- a/src/lib/libcrypto/bn/bn_exp.c
+++ b/src/lib/libcrypto/bn/bn_exp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_exp.c,v 1.30 2017/01/29 17:49:22 beck Exp $ */
+/* $OpenBSD: bn_exp.c,v 1.31 2017/05/02 03:59:44 deraadt Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -706,12 +706,10 @@ BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
         numPowers = 1 << window;
         powerbufLen = sizeof(m->d[0]) * (top * numPowers +
             ((2*top) > numPowers ? (2*top) : numPowers));
-        if ((powerbufFree = malloc(powerbufLen +
-            MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH)) == NULL)
+        if ((powerbufFree = calloc(powerbufLen +
+            MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH, 1)) == NULL)
                 goto err;
-
         powerbuf = MOD_EXP_CTIME_ALIGN(powerbufFree);
-        memset(powerbuf, 0, powerbufLen);
 
         /* lay down tmp and am right after powers table */
         tmp.d = (BN_ULONG *)(powerbuf + sizeof(m->d[0]) * top * numPowers);
@@ -901,10 +899,7 @@ BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
 err:
         if ((in_mont == NULL) && (mont != NULL))
                 BN_MONT_CTX_free(mont);
-        if (powerbuf != NULL) {
-                explicit_bzero(powerbuf, powerbufLen);
-                free(powerbufFree);
-        }
+        freezero(powerbufFree, powerbufLen + MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH);
         BN_CTX_end(ctx);
         return (ret);
 }
diff --git a/src/lib/libcrypto/bn/bn_lib.c b/src/lib/libcrypto/bn/bn_lib.c
index f2736e31c3..8aeeb5304f 100644
--- a/src/lib/libcrypto/bn/bn_lib.c
+++ b/src/lib/libcrypto/bn/bn_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_lib.c,v 1.37 2017/01/29 17:49:22 beck Exp $ */
+/* $OpenBSD: bn_lib.c,v 1.38 2017/05/02 03:59:44 deraadt Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -220,10 +220,8 @@ BN_clear_free(BIGNUM *a)
         if (a == NULL)
                 return;
         bn_check_top(a);
-        if (a->d != NULL && !(BN_get_flags(a, BN_FLG_STATIC_DATA))) {
-                explicit_bzero(a->d, a->dmax * sizeof(a->d[0]));
-                free(a->d);
-        }
+        if (a->d != NULL && !(BN_get_flags(a, BN_FLG_STATIC_DATA)))
+                freezero(a->d, a->dmax * sizeof(a->d[0]));
         i = BN_get_flags(a, BN_FLG_MALLOCED);
         explicit_bzero(a, sizeof(BIGNUM));
         if (i)
@@ -393,10 +391,8 @@ bn_expand2(BIGNUM *b, int words)
                 BN_ULONG *a = bn_expand_internal(b, words);
                 if (!a)
                         return NULL;
-                if (b->d) {
-                        explicit_bzero(b->d, b->dmax * sizeof(b->d[0]));
-                        free(b->d);
-                }
+                if (b->d)
+                        freezero(b->d, b->dmax * sizeof(b->d[0]));
                 b->d = a;
                 b->dmax = words;
         }
diff --git a/src/lib/libcrypto/bn/bn_rand.c b/src/lib/libcrypto/bn/bn_rand.c
index 812fa6a575..8625757140 100644
--- a/src/lib/libcrypto/bn/bn_rand.c
+++ b/src/lib/libcrypto/bn/bn_rand.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_rand.c,v 1.19 2017/01/29 17:49:22 beck Exp $ */
+/* $OpenBSD: bn_rand.c,v 1.20 2017/05/02 03:59:44 deraadt Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -186,10 +186,7 @@ bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
         ret = 1;
 
 err:
-        if (buf != NULL) {
-                explicit_bzero(buf, bytes);
-                free(buf);
-        }
+        freezero(buf, bytes);
         bn_check_top(rnd);
         return (ret);
 }
diff --git a/src/lib/libcrypto/buffer/buffer.c b/src/lib/libcrypto/buffer/buffer.c
index 5ed893f5f9..f4e84c4478 100644
--- a/src/lib/libcrypto/buffer/buffer.c
+++ b/src/lib/libcrypto/buffer/buffer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: buffer.c,v 1.26 2017/04/09 15:06:20 jsing Exp $ */
+/* $OpenBSD: buffer.c,v 1.27 2017/05/02 03:59:44 deraadt Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -89,10 +89,7 @@ BUF_MEM_free(BUF_MEM *a)
         if (a == NULL)
                 return;
 
-        if (a->data != NULL) {
-                explicit_bzero(a->data, a->max);
-                free(a->data);
-        }
+        freezero(a->data, a->max);
         free(a);
 }
 
diff --git a/src/lib/libcrypto/dsa/dsa_asn1.c b/src/lib/libcrypto/dsa/dsa_asn1.c
index d7b77470bd..f7dfaf1d9c 100644
--- a/src/lib/libcrypto/dsa/dsa_asn1.c
+++ b/src/lib/libcrypto/dsa/dsa_asn1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_asn1.c,v 1.19 2017/01/29 17:49:22 beck Exp $ */
+/* $OpenBSD: dsa_asn1.c,v 1.20 2017/05/02 03:59:44 deraadt Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -454,10 +454,7 @@ DSA_verify(int type, const unsigned char *dgst, int dgst_len,
                 goto err;
         ret = DSA_do_verify(dgst, dgst_len, s, dsa);
 err:
-        if (derlen > 0) {
-                explicit_bzero(der, derlen);
-                free(der);
-        }
+        freezero(der, derlen);
         DSA_SIG_free(s);
         return ret;
 }
diff --git a/src/lib/libcrypto/ec/ec_key.c b/src/lib/libcrypto/ec/ec_key.c
index 5a23a9823d..595b88cefc 100644
--- a/src/lib/libcrypto/ec/ec_key.c
+++ b/src/lib/libcrypto/ec/ec_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_key.c,v 1.13 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: ec_key.c,v 1.14 2017/05/02 03:59:44 deraadt Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project.
  */
@@ -122,9 +122,7 @@ EC_KEY_free(EC_KEY * r)
 
         EC_EX_DATA_free_all_data(&r->method_data);
 
-        explicit_bzero((void *) r, sizeof(EC_KEY));
-
-        free(r);
+        freezero(r, sizeof(EC_KEY));
 }
 
 EC_KEY *
diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c
index baddbf6dc8..0d062111b5 100644
--- a/src/lib/libcrypto/ec/ec_lib.c
+++ b/src/lib/libcrypto/ec/ec_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_lib.c,v 1.23 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: ec_lib.c,v 1.24 2017/05/02 03:59:44 deraadt Exp $ */
 /*
  * Originally written by Bodo Moeller for the OpenSSL project.
  */
@@ -151,12 +151,8 @@ EC_GROUP_clear_free(EC_GROUP * group)
         BN_clear_free(&group->order);
         BN_clear_free(&group->cofactor);
 
-        if (group->seed) {
-                explicit_bzero(group->seed, group->seed_len);
-                free(group->seed);
-        }
-        explicit_bzero(group, sizeof *group);
-        free(group);
+        freezero(group->seed, group->seed_len);
+        freezero(group, sizeof *group);
 }
 
 
@@ -743,8 +739,7 @@ EC_POINT_clear_free(EC_POINT * point)
                 point->meth->point_clear_finish(point);
         else if (point->meth->point_finish != 0)
                 point->meth->point_finish(point);
-        explicit_bzero(point, sizeof *point);
-        free(point);
+        freezero(point, sizeof *point);
 }
 
 
diff --git a/src/lib/libcrypto/ec/ec_mult.c b/src/lib/libcrypto/ec/ec_mult.c
index e44104d21c..a565263bb6 100644
--- a/src/lib/libcrypto/ec/ec_mult.c
+++ b/src/lib/libcrypto/ec/ec_mult.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_mult.c,v 1.20 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: ec_mult.c,v 1.21 2017/05/02 03:59:44 deraadt Exp $ */
 /*
  * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project.
  */
@@ -177,8 +177,7 @@ ec_pre_comp_clear_free(void *pre_)
                 }
                 free(pre->points);
         }
-        explicit_bzero(pre, sizeof *pre);
-        free(pre);
+        freezero(pre, sizeof *pre);
 }
 
 
diff --git a/src/lib/libcrypto/ec/ecp_nistp224.c b/src/lib/libcrypto/ec/ecp_nistp224.c
index 38dd83b6d9..fce74578c7 100644
--- a/src/lib/libcrypto/ec/ecp_nistp224.c
+++ b/src/lib/libcrypto/ec/ecp_nistp224.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_nistp224.c,v 1.18 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: ecp_nistp224.c,v 1.19 2017/05/02 03:59:44 deraadt Exp $ */
 /*
  * Written by Emilia Kasper (Google) for the OpenSSL project.
  */
@@ -1239,8 +1239,7 @@ nistp224_pre_comp_clear_free(void *pre_)
         if (i > 0)
                 return;
 
-        explicit_bzero(pre, sizeof *pre);
-        free(pre);
+        freezero(pre, sizeof *pre);
 }
 
 /******************************************************************************/
diff --git a/src/lib/libcrypto/ec/ecp_nistp256.c b/src/lib/libcrypto/ec/ecp_nistp256.c
index 4771a92efd..6f3ec3c250 100644
--- a/src/lib/libcrypto/ec/ecp_nistp256.c
+++ b/src/lib/libcrypto/ec/ecp_nistp256.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_nistp256.c,v 1.17 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: ecp_nistp256.c,v 1.18 2017/05/02 03:59:44 deraadt Exp $ */
 /*
  * Written by Adam Langley (Google) for the OpenSSL project
  */
@@ -1788,8 +1788,7 @@ nistp256_pre_comp_clear_free(void *pre_)
         if (i > 0)
                 return;
 
-        explicit_bzero(pre, sizeof *pre);
-        free(pre);
+        freezero(pre, sizeof *pre);
 }
 
 /******************************************************************************/
diff --git a/src/lib/libcrypto/ec/ecp_nistp521.c b/src/lib/libcrypto/ec/ecp_nistp521.c
index 22bafe392f..6dbc266937 100644
--- a/src/lib/libcrypto/ec/ecp_nistp521.c
+++ b/src/lib/libcrypto/ec/ecp_nistp521.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_nistp521.c,v 1.18 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: ecp_nistp521.c,v 1.19 2017/05/02 03:59:44 deraadt Exp $ */
 /*
  * Written by Adam Langley (Google) for the OpenSSL project
  */
@@ -1679,8 +1679,7 @@ nistp521_pre_comp_clear_free(void *pre_)
         if (i > 0)
                 return;
 
-        explicit_bzero(pre, sizeof(*pre));
-        free(pre);
+        freezero(pre, sizeof(*pre));
 }
 
 /******************************************************************************/
diff --git a/src/lib/libcrypto/ec/ecp_nistz256.c b/src/lib/libcrypto/ec/ecp_nistz256.c
index 848f15cb17..b3b8f74b14 100644
--- a/src/lib/libcrypto/ec/ecp_nistz256.c
+++ b/src/lib/libcrypto/ec/ecp_nistz256.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ecp_nistz256.c,v 1.2 2017/01/29 17:49:23 beck Exp $   */
+/*      $OpenBSD: ecp_nistz256.c,v 1.3 2017/05/02 03:59:44 deraadt Exp $        */
 /* Copyright (c) 2014, Intel Corporation.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -1118,11 +1118,9 @@ ecp_nistz256_pre_comp_clear_free(void *pre_)
                  * here, but the only place where we allocate this uses
                  * PRECOMP256_ROW (i.e. 64 P256_POINT_AFFINE) but sets w == 7.
                  */
-                explicit_bzero(pre->precomp, 37 * sizeof(PRECOMP256_ROW));
-                free(pre->precomp);
+                freezero(pre->precomp, 37 * sizeof(PRECOMP256_ROW));
         }
-        explicit_bzero(pre, sizeof *pre);
-        free(pre);
+        freezero(pre, sizeof *pre);
 }
 
 static int
diff --git a/src/lib/libcrypto/ecdh/ech_lib.c b/src/lib/libcrypto/ecdh/ech_lib.c
index 06e6a1ee22..2846a88612 100644
--- a/src/lib/libcrypto/ecdh/ech_lib.c
+++ b/src/lib/libcrypto/ecdh/ech_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ech_lib.c,v 1.12 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: ech_lib.c,v 1.13 2017/05/02 03:59:44 deraadt Exp $ */
 /* ====================================================================
  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
  *
@@ -182,9 +182,7 @@ ecdh_data_free(void *data)
 
         CRYPTO_free_ex_data(CRYPTO_EX_INDEX_ECDH, r, &r->ex_data);
 
-        explicit_bzero((void *)r, sizeof(ECDH_DATA));
-
-        free(r);
+        freezero(r, sizeof(ECDH_DATA));
 }
 
 ECDH_DATA *
diff --git a/src/lib/libcrypto/ecdsa/ecs_lib.c b/src/lib/libcrypto/ecdsa/ecs_lib.c
index ca0f51b366..4fbe1e060b 100644
--- a/src/lib/libcrypto/ecdsa/ecs_lib.c
+++ b/src/lib/libcrypto/ecdsa/ecs_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecs_lib.c,v 1.11 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: ecs_lib.c,v 1.12 2017/05/02 03:59:44 deraadt Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
  *
@@ -169,9 +169,7 @@ ecdsa_data_free(void *data)
 #endif
         CRYPTO_free_ex_data(CRYPTO_EX_INDEX_ECDSA, r, &r->ex_data);
 
-        explicit_bzero((void *)r, sizeof(ECDSA_DATA));
-
-        free(r);
+        freezero(r, sizeof(ECDSA_DATA));
 }
 
 ECDSA_DATA *
diff --git a/src/lib/libcrypto/ecdsa/ecs_vrf.c b/src/lib/libcrypto/ecdsa/ecs_vrf.c
index a4b627ace6..270af94c0d 100644
--- a/src/lib/libcrypto/ecdsa/ecs_vrf.c
+++ b/src/lib/libcrypto/ecdsa/ecs_vrf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecs_vrf.c,v 1.5 2015/02/08 13:35:07 jsing Exp $ */
+/* $OpenBSD: ecs_vrf.c,v 1.6 2017/05/02 03:59:44 deraadt Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project
  */
@@ -107,10 +107,7 @@ ECDSA_verify(int type, const unsigned char *dgst, int dgst_len,
         ret = ECDSA_do_verify(dgst, dgst_len, s, eckey);
 
 err:
-        if (derlen > 0) {
-                explicit_bzero(der, derlen);
-                free(der);
-        }
+        freezero(der, derlen);
         ECDSA_SIG_free(s);
         return (ret);
 }
diff --git a/src/lib/libcrypto/evp/bio_enc.c b/src/lib/libcrypto/evp/bio_enc.c
index 1920c6d180..7c7cf9a8b3 100644
--- a/src/lib/libcrypto/evp/bio_enc.c
+++ b/src/lib/libcrypto/evp/bio_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bio_enc.c,v 1.19 2015/09/10 15:56:25 jsing Exp $ */
+/* $OpenBSD: bio_enc.c,v 1.20 2017/05/02 03:59:44 deraadt Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -135,8 +135,7 @@ enc_free(BIO *a)
                 return (0);
         b = (BIO_ENC_CTX *)a->ptr;
         EVP_CIPHER_CTX_cleanup(&(b->cipher));
-        explicit_bzero(a->ptr, sizeof(BIO_ENC_CTX));
-        free(a->ptr);
+        freezero(a->ptr, sizeof(BIO_ENC_CTX));
         a->ptr = NULL;
         a->init = 0;
         a->flags = 0;
diff --git a/src/lib/libcrypto/evp/digest.c b/src/lib/libcrypto/evp/digest.c
index ee1f955959..7471c1e822 100644
--- a/src/lib/libcrypto/evp/digest.c
+++ b/src/lib/libcrypto/evp/digest.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: digest.c,v 1.27 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: digest.c,v 1.28 2017/05/02 03:59:44 deraadt Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -193,8 +193,7 @@ EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
         if (ctx->digest != type) {
                 if (ctx->digest && ctx->digest->ctx_size && ctx->md_data &&
                     !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE)) {
-                        explicit_bzero(ctx->md_data, ctx->digest->ctx_size);
-                        free(ctx->md_data);
+                        freezero(ctx->md_data, ctx->digest->ctx_size);
                         ctx->md_data = NULL;
                 }
                 ctx->digest = type;
@@ -360,10 +359,8 @@ EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
             !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_CLEANED))
                 ctx->digest->cleanup(ctx);
         if (ctx->digest && ctx->digest->ctx_size && ctx->md_data &&
-            !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE)) {
-                explicit_bzero(ctx->md_data, ctx->digest->ctx_size);
-                free(ctx->md_data);
-        }
+            !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE))
+                freezero(ctx->md_data, ctx->digest->ctx_size);
         EVP_PKEY_CTX_free(ctx->pctx);
 #ifndef OPENSSL_NO_ENGINE
         if (ctx->engine)
diff --git a/src/lib/libcrypto/evp/e_aes.c b/src/lib/libcrypto/evp/e_aes.c
index 97cb5154a5..7c713db026 100644
--- a/src/lib/libcrypto/evp/e_aes.c
+++ b/src/lib/libcrypto/evp/e_aes.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_aes.c,v 1.33 2017/01/31 13:17:21 inoguchi Exp $ */
+/* $OpenBSD: e_aes.c,v 1.34 2017/05/02 03:59:44 deraadt Exp $ */
 /* ====================================================================
  * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
  *
@@ -1422,8 +1422,7 @@ aead_aes_gcm_cleanup(EVP_AEAD_CTX *ctx)
 {
         struct aead_aes_gcm_ctx *gcm_ctx = ctx->aead_state;
 
-        explicit_bzero(gcm_ctx, sizeof(*gcm_ctx));
-        free(gcm_ctx);
+        freezero(gcm_ctx, sizeof(*gcm_ctx));
 }
 
 static int
diff --git a/src/lib/libcrypto/evp/e_chacha20poly1305.c b/src/lib/libcrypto/evp/e_chacha20poly1305.c
index e135f9a104..051d5548b5 100644
--- a/src/lib/libcrypto/evp/e_chacha20poly1305.c
+++ b/src/lib/libcrypto/evp/e_chacha20poly1305.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_chacha20poly1305.c,v 1.15 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: e_chacha20poly1305.c,v 1.16 2017/05/02 03:59:44 deraadt Exp $ */
 
 /*
  * Copyright (c) 2015 Reyk Floter <reyk@openbsd.org>
@@ -83,8 +83,7 @@ aead_chacha20_poly1305_cleanup(EVP_AEAD_CTX *ctx)
 {
         struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
 
-        explicit_bzero(c20_ctx->key, sizeof(c20_ctx->key));
-        free(c20_ctx);
+        freezero(c20_ctx, sizeof(c20_ctx));
 }
 
 static void
diff --git a/src/lib/libcrypto/evp/p_open.c b/src/lib/libcrypto/evp/p_open.c
index 1eb238dfde..57a46706b9 100644
--- a/src/lib/libcrypto/evp/p_open.c
+++ b/src/lib/libcrypto/evp/p_open.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p_open.c,v 1.18 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: p_open.c,v 1.19 2017/05/02 03:59:44 deraadt Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -109,9 +109,7 @@ EVP_OpenInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
         ret = 1;
 
 err:
-        if (key != NULL)
-                explicit_bzero(key, size);
-        free(key);
+        freezero(key, size);
         return (ret);
 }
 
diff --git a/src/lib/libcrypto/gost/gostr341001_key.c b/src/lib/libcrypto/gost/gostr341001_key.c
index 0a42a15378..0af39f21bf 100644
--- a/src/lib/libcrypto/gost/gostr341001_key.c
+++ b/src/lib/libcrypto/gost/gostr341001_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gostr341001_key.c,v 1.7 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: gostr341001_key.c,v 1.8 2017/05/02 03:59:44 deraadt Exp $ */
 /*
  * Copyright (c) 2014 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
  * Copyright (c) 2005-2006 Cryptocom LTD
@@ -105,8 +105,7 @@ GOST_KEY_free(GOST_KEY *r)
         EC_POINT_free(r->pub_key);
         BN_clear_free(r->priv_key);
 
-        explicit_bzero((void *)r, sizeof(GOST_KEY));
-        free(r);
+        freezero(r, sizeof(GOST_KEY));
 }
 
 int
diff --git a/src/lib/libcrypto/hmac/hm_pmeth.c b/src/lib/libcrypto/hmac/hm_pmeth.c
index c5ac6c00c0..390725fa25 100644
--- a/src/lib/libcrypto/hmac/hm_pmeth.c
+++ b/src/lib/libcrypto/hmac/hm_pmeth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hm_pmeth.c,v 1.9 2015/09/10 15:56:25 jsing Exp $ */
+/* $OpenBSD: hm_pmeth.c,v 1.10 2017/05/02 03:59:44 deraadt Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2007.
  */
@@ -122,12 +122,7 @@ pkey_hmac_cleanup(EVP_PKEY_CTX *ctx)
         HMAC_PKEY_CTX *hctx = ctx->data;
 
         HMAC_CTX_cleanup(&hctx->ctx);
-        if (hctx->ktmp.data) {
-                if (hctx->ktmp.length)
-                        explicit_bzero(hctx->ktmp.data, hctx->ktmp.length);
-                free(hctx->ktmp.data);
-                hctx->ktmp.data = NULL;
-        }
+        freezero(hctx->ktmp.data, hctx->ktmp.length);
         free(hctx);
 }
 
diff --git a/src/lib/libcrypto/malloc-wrapper.c b/src/lib/libcrypto/malloc-wrapper.c
index 6ba0aad7e4..12867387bf 100644
--- a/src/lib/libcrypto/malloc-wrapper.c
+++ b/src/lib/libcrypto/malloc-wrapper.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: malloc-wrapper.c,v 1.5 2017/04/28 22:46:40 beck Exp $ */
+/* $OpenBSD: malloc-wrapper.c,v 1.6 2017/05/02 03:59:44 deraadt Exp $ */
 /*
  * Copyright (c) 2014 Bob Beck
  *
@@ -165,8 +165,7 @@ CRYPTO_realloc_clean(void *ptr, int old_len, int num, const char *file,
         ret = malloc(num);
         if (ret && ptr && old_len > 0) {
                 memcpy(ret, ptr, old_len);
-                explicit_bzero(ptr, old_len);
-                free(ptr);
+                freezero(ptr, old_len);
         }
         return ret;
 }
diff --git a/src/lib/libcrypto/modes/gcm128.c b/src/lib/libcrypto/modes/gcm128.c
index 95ee755f83..c080d9c16a 100644
--- a/src/lib/libcrypto/modes/gcm128.c
+++ b/src/lib/libcrypto/modes/gcm128.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gcm128.c,v 1.15 2016/11/04 17:30:30 miod Exp $ */
+/* $OpenBSD: gcm128.c,v 1.16 2017/05/02 03:59:44 deraadt Exp $ */
 /* ====================================================================
  * Copyright (c) 2010 The OpenSSL Project.  All rights reserved.
  *
@@ -1538,8 +1538,5 @@ GCM128_CONTEXT *CRYPTO_gcm128_new(void *key, block128_f block)
 
 void CRYPTO_gcm128_release(GCM128_CONTEXT *ctx)
 {
-        if (ctx) {
-                explicit_bzero(ctx,sizeof(*ctx));
-                free(ctx);
-        }
+        freezero(ctx, sizeof(*ctx));
 }
diff --git a/src/lib/libcrypto/pem/pem_lib.c b/src/lib/libcrypto/pem/pem_lib.c
index b2c72e1d76..0f7c36d21c 100644
--- a/src/lib/libcrypto/pem/pem_lib.c
+++ b/src/lib/libcrypto/pem/pem_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_lib.c,v 1.44 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: pem_lib.c,v 1.45 2017/05/02 03:59:44 deraadt Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -425,10 +425,7 @@ err:
         explicit_bzero(iv, sizeof(iv));
         explicit_bzero((char *)&ctx, sizeof(ctx));
         explicit_bzero(buf, PEM_BUFSIZE);
-        if (data != NULL) {
-                explicit_bzero(data, (unsigned int)dsize);
-                free(data);
-        }
+        freezero(data, (unsigned int)dsize);
         return (ret);
 }
 
@@ -626,8 +623,7 @@ PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data,
         EVP_EncodeFinal(&ctx, buf, &outl);
         if ((outl > 0) && (BIO_write(bp, (char *)buf, outl) != outl))
                 goto err;
-        explicit_bzero(buf, PEM_BUFSIZE * 8);
-        free(buf);
+        freezero(buf, PEM_BUFSIZE * 8);
         buf = NULL;
         if ((BIO_write(bp, "-----END ", 9) != 9) ||
             (BIO_write(bp, name, nlen) != nlen) ||
@@ -636,10 +632,7 @@ PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data,
         return (i + outl);
 
 err:
-        if (buf) {
-                explicit_bzero(buf, PEM_BUFSIZE * 8);
-                free(buf);
-        }
+        freezero(buf, PEM_BUFSIZE * 8);
         PEMerror(reason);
         return (0);
 }
diff --git a/src/lib/libcrypto/pem/pem_pkey.c b/src/lib/libcrypto/pem/pem_pkey.c
index 6651ef9419..89181a25f7 100644
--- a/src/lib/libcrypto/pem/pem_pkey.c
+++ b/src/lib/libcrypto/pem/pem_pkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_pkey.c,v 1.22 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: pem_pkey.c,v 1.23 2017/05/02 03:59:44 deraadt Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -143,8 +143,7 @@ p8err:
                 PEMerror(ERR_R_ASN1_LIB);
 err:
         free(nm);
-        explicit_bzero(data, len);
-        free(data);
+        freezero(data, len);
         return (ret);
 }
 
diff --git a/src/lib/libcrypto/pem/pvkfmt.c b/src/lib/libcrypto/pem/pvkfmt.c
index 5ed8df585f..18de5d52a4 100644
--- a/src/lib/libcrypto/pem/pvkfmt.c
+++ b/src/lib/libcrypto/pem/pvkfmt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pvkfmt.c,v 1.18 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: pvkfmt.c,v 1.19 2017/05/02 03:59:44 deraadt Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2005.
  */
@@ -828,10 +828,7 @@ b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u)
         ret = do_PVK_body(&p, saltlen, keylen, cb, u);
 
 err:
-        if (buf) {
-                explicit_bzero(buf, buflen);
-                free(buf);
-        }
+        freezero(buf, buflen);
         return ret;
 }
 
diff --git a/src/lib/libcrypto/pkcs12/p12_key.c b/src/lib/libcrypto/pkcs12/p12_key.c
index fd710771a5..d419a9d835 100644
--- a/src/lib/libcrypto/pkcs12/p12_key.c
+++ b/src/lib/libcrypto/pkcs12/p12_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_key.c,v 1.25 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: p12_key.c,v 1.26 2017/05/02 03:59:45 deraadt Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -88,10 +88,7 @@ PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt,
             id, iter, n, out, md_type);
         if (ret <= 0)
                 return 0;
-        if (unipass) {
-                explicit_bzero(unipass, uniplen);
-                free(unipass);
-        }
+        freezero(unipass, uniplen);
         return ret;
 }
 
diff --git a/src/lib/libcrypto/pkcs7/pk7_doit.c b/src/lib/libcrypto/pkcs7/pk7_doit.c
index 484620a686..24ab957b4c 100644
--- a/src/lib/libcrypto/pkcs7/pk7_doit.c
+++ b/src/lib/libcrypto/pkcs7/pk7_doit.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_doit.c,v 1.41 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: pk7_doit.c,v 1.42 2017/05/02 03:59:45 deraadt Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -231,10 +231,7 @@ pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, PKCS7_RECIP_INFO *ri,
 
         ret = 1;
 
-        if (*pek) {
-                explicit_bzero(*pek, *peklen);
-                free(*pek);
-        }
+        freezero(*pek, *peklen);
 
         *pek = ek;
         *peklen = eklen;
@@ -577,8 +574,7 @@ PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
                          */
                         if (!EVP_CIPHER_CTX_set_key_length(evp_ctx, eklen)) {
                                 /* Use random key as MMA defence */
-                                explicit_bzero(ek, eklen);
-                                free(ek);
+                                freezero(ek, eklen);
                                 ek = tkey;
                                 eklen = tkeylen;
                                 tkey = NULL;
@@ -589,16 +585,10 @@ PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
                 if (EVP_CipherInit_ex(evp_ctx, NULL, NULL, ek, NULL, 0) <= 0)
                         goto err;
 
-                if (ek) {
-                        explicit_bzero(ek, eklen);
-                        free(ek);
-                        ek = NULL;
-                }
-                if (tkey) {
-                        explicit_bzero(tkey, tkeylen);
-                        free(tkey);
-                        tkey = NULL;
-                }
+                freezero(ek, eklen);
+                ek = NULL;
+                freezero(tkey, tkeylen);
+                tkey = NULL;
 
                 if (out == NULL)
                         out = etmp;
@@ -623,14 +613,8 @@ PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
 
         if (0) {
 err:
-                if (ek) {
-                        explicit_bzero(ek, eklen);
-                        free(ek);
-                }
-                if (tkey) {
-                        explicit_bzero(tkey, tkeylen);
-                        free(tkey);
-                }
+                freezero(ek, eklen);
+                freezero(tkey, tkeylen);
                 if (out != NULL)
                         BIO_free_all(out);
                 if (btmp != NULL)
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index f9f620ae23..6c3da0d656 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_eay.c,v 1.48 2017/04/28 22:46:40 beck Exp $ */
+/* $OpenBSD: rsa_eay.c,v 1.49 2017/05/02 03:59:45 deraadt Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -244,10 +244,7 @@ err:
                 BN_CTX_end(ctx);
                 BN_CTX_free(ctx);
         }
-        if (buf != NULL) {
-                explicit_bzero(buf, num);
-                free(buf);
-        }
+        freezero(buf, num);
         return r;
 }
 
@@ -468,10 +465,7 @@ err:
                 BN_CTX_end(ctx);
                 BN_CTX_free(ctx);
         }
-        if (buf != NULL) {
-                explicit_bzero(buf, num);
-                free(buf);
-        }
+        freezero(buf, num);
         return r;
 }
 
@@ -597,10 +591,7 @@ err:
                 BN_CTX_end(ctx);
                 BN_CTX_free(ctx);
         }
-        if (buf != NULL) {
-                explicit_bzero(buf, num);
-                free(buf);
-        }
+        freezero(buf, num);
         return r;
 }
 
@@ -700,10 +691,7 @@ err:
                 BN_CTX_end(ctx);
                 BN_CTX_free(ctx);
         }
-        if (buf != NULL) {
-                explicit_bzero(buf, num);
-                free(buf);
-        }
+        freezero(buf, num);
         return r;
 }
 
diff --git a/src/lib/libcrypto/rsa/rsa_saos.c b/src/lib/libcrypto/rsa/rsa_saos.c
index 10184b6c18..e1fbdcb5df 100644
--- a/src/lib/libcrypto/rsa/rsa_saos.c
+++ b/src/lib/libcrypto/rsa/rsa_saos.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_saos.c,v 1.22 2017/04/28 22:46:40 beck Exp $ */
+/* $OpenBSD: rsa_saos.c,v 1.23 2017/05/02 03:59:45 deraadt Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -96,8 +96,7 @@ RSA_sign_ASN1_OCTET_STRING(int type, const unsigned char *m, unsigned int m_len,
         else
                 *siglen = i;
 
-        explicit_bzero(s, (unsigned int)j + 1);
-        free(s);
+        freezero(s, (unsigned int)j + 1);
         return ret;
 }
 
@@ -137,9 +136,6 @@ RSA_verify_ASN1_OCTET_STRING(int dtype, const unsigned char *m,
                 ret = 1;
 err:
         ASN1_OCTET_STRING_free(sig);
-        if (s != NULL) {
-                explicit_bzero(s, (unsigned int)siglen);
-                free(s);
-        }
+        freezero(s, (unsigned int)siglen);
         return ret;
 }
diff --git a/src/lib/libcrypto/rsa/rsa_sign.c b/src/lib/libcrypto/rsa/rsa_sign.c
index 818b88c604..6e9e869f0a 100644
--- a/src/lib/libcrypto/rsa/rsa_sign.c
+++ b/src/lib/libcrypto/rsa/rsa_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_sign.c,v 1.28 2017/04/28 22:46:40 beck Exp $ */
+/* $OpenBSD: rsa_sign.c,v 1.29 2017/05/02 03:59:45 deraadt Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -135,10 +135,8 @@ RSA_sign(int type, const unsigned char *m, unsigned int m_len,
         else
                 *siglen = i;
 
-        if (type != NID_md5_sha1) {
-                explicit_bzero(tmps, (unsigned int)j + 1);
-                free(tmps);
-        }
+        if (type != NID_md5_sha1)
+                freezero(tmps, (unsigned int)j + 1);
         return (ret);
 }
 
@@ -232,12 +230,8 @@ int_rsa_verify(int dtype, const unsigned char *m, unsigned int m_len,
                         ret = 1;
         }
 err:
-        if (sig != NULL)
-                X509_SIG_free(sig);
-        if (s != NULL) {
-                explicit_bzero(s, (unsigned int)siglen);
-                free(s);
-        }
+        X509_SIG_free(sig);
+        freezero(s, (unsigned int)siglen);
         return ret;
 }
 
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 65063117e2..3945da75ac 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.38 2017/04/30 02:10:22 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.39 2017/05/02 03:59:45 deraadt Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -188,9 +188,7 @@ tls_config_load_file(struct tls_error *error, const char *filetype,
  fail:
         if (fd != -1)
                 close(fd);
-        if (*buf != NULL)
-                explicit_bzero(*buf, *len);
-        free(*buf);
+        freezero(*buf, *len);
         *buf = NULL;
         *len = 0;