From a000fa8e43ffc48c5e770f5759e0cc957e5dda2f Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sun, 20 Jul 2025 08:55:49 +0000
Subject: Zero stack based IV and buffer when aes_ctr32_encrypt_generic()
 completes.

ok tb@
---
 src/lib/libcrypto/aes/aes.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'src/lib/libcrypto')

diff --git a/src/lib/libcrypto/aes/aes.c b/src/lib/libcrypto/aes/aes.c
index 45b7a3b109..cbfb548b3b 100644
--- a/src/lib/libcrypto/aes/aes.c
+++ b/src/lib/libcrypto/aes/aes.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: aes.c,v 1.11 2025/07/13 06:01:33 jsing Exp $ */
+/* $OpenBSD: aes.c,v 1.12 2025/07/20 08:55:49 jsing Exp $ */
 /* ====================================================================
  * Copyright (c) 2002-2006 The OpenSSL Project.  All rights reserved.
  *
@@ -196,6 +196,9 @@ aes_ctr32_encrypt_generic(const unsigned char *in, unsigned char *out,
 		out += 16;
 		blocks--;
 	}
+
+	explicit_bzero(buf, sizeof(buf));
+	explicit_bzero(iv, sizeof(iv));
 }
 
 #ifdef HAVE_AES_CTR32_ENCRYPT_INTERNAL
-- 
cgit v1.2.3-55-g6feb