Lacking a proof that--for this implementation--exposure of Montgomery

multiplication or RSA blinding parameters doesn't permit retroactive
timing analysis of the secrets, we'll do the stupidly cheap thing and
cleanse them before freeing them.

ok deraadt@

1 files changed, 3 insertions, 3 deletions

diff --git a/src/lib/libcrypto/bn/bn_mont.c b/src/lib/libcrypto/bn/bn_mont.c
index 133c597c33..456a80bde6 100644
--- a/src/lib/libcrypto/bn/bn_mont.c
+++ b/src/lib/libcrypto/bn/bn_mont.c
@@ -345,9 +345,9 @@ void BN_MONT_CTX_free(BN_MONT_CTX *mont)
         if(mont == NULL)
             return;
 
-        BN_free(&(mont->RR));
-        BN_free(&(mont->N));
-        BN_free(&(mont->Ni));
+        BN_clear_free(&(mont->RR));
+        BN_clear_free(&(mont->N));
+        BN_clear_free(&(mont->Ni));
         if (mont->flags & BN_FLG_MALLOCED)
                 free(mont);
         }