
From: renaud@openbsd.org
Subject: Re: relayd: use explicit_bzero in ssl_password_cb
To: tech@openbsd.org
Date: Fri, 15 May 2026 17:55:02 +0200


On 15/05/2026 16:40, Rafael Sadowski wrote:
> Hi,
> 
> The following diff replaces bzero with explicit_bzero in the SSL
> password callback. Since ssl_password_cb handles sensitive data a
> standard bzero could be optimized away by the compiler.
> 
> Additionally, this ensures the buffer is cleared if strlcpy fails due to
> truncation, preventing password fragments from lingering in memory.
> 
> OK?
> 

Seems a sensible thing to do. Tested and running fine.

OK renaud@

> Rafael
> 
> Index: ssl.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/relayd/ssl.c,v
> diff -u -p -r1.38 ssl.c
> --- ssl.c	2 Mar 2026 19:28:01 -0000	1.38
> +++ ssl.c	15 May 2026 14:35:33 -0000
> @@ -38,11 +38,13 @@ ssl_password_cb(char *buf, int size, int
>   {
>   	size_t	len;
>   	if (u == NULL) {
> -		bzero(buf, size);
> +		explicit_bzero(buf, size);
>   		return (0);
>   	}
> -	if ((len = strlcpy(buf, u, size)) >= (size_t)size)
> +	if ((len = strlcpy(buf, u, size)) >= (size_t)size) {
> +		explicit_bzero(buf, size);
>   		return (0);
> +	}
>   	return (len);
>   }
>   
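Review bot: `size` is an `int` and both new explicit_bzero calls pass it unconverted, while the existing strlcpy comparison casts it with `(size_t)size`; cast it in the new calls too (`explicit_bzero(buf, (size_t)size);`) so the int-to-size_t conversion is explicit and consistent, and so the assumption that the caller never passes a non-positive size (which would turn into a huge length) is visible at the call. The clear in the truncation branch is the important part of the change: strlcpy has already written the first size - 1 bytes of the password into buf before the `>= (size_t)size` test fires, so returning 0 without it would leave that prefix in the caller's buffer, whereas the clear in the `u == NULL` branch is only defensive since nothing has been written there.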
>
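Added example, not relayd's code and not part of Rafael's diff: a pem_password_cb-style callback written the way the diff leaves ssl_password_cb, together with a portable stand-in for explicit_bzero(3) (memset called through a volatile function pointer, the usual way to stop dead-store elimination from removing a clear of memory that is never read again) and a local strlcpy(3), so it builds on libcs that lack either. Every demo_* name and the sample passwords are assumptions made for this example; on OpenBSD the libc explicit_bzero and strlcpy would be used directly. The two scenario functions show the property the diff is after: when the password does not fit, the callback fails and the caller's buffer holds no fragment of it.

```c
/*
 * Added example (not relayd code). demo_* names are assumptions made for
 * the example; on OpenBSD use explicit_bzero(3) and strlcpy(3) from libc.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Portable stand-in for explicit_bzero(3): calling memset through a
 * volatile function pointer keeps the compiler from proving the store
 * is dead (the buffer is never read afterwards) and eliding it.
 */
static void *(*volatile demo_memset)(void *, int, size_t) = memset;

static void
demo_explicit_bzero(void *p, size_t n)
{
	demo_memset(p, 0, n);
}

/* Minimal strlcpy(3): always NUL-terminates, returns strlen(src). */
static size_t
demo_strlcpy(char *dst, const char *src, size_t dsize)
{
	size_t srclen = strlen(src);

	if (dsize != 0) {
		size_t n = srclen < dsize - 1 ? srclen : dsize - 1;

		memcpy(dst, src, n);
		dst[n] = '\0';
	}
	return (srclen);
}

/*
 * OpenSSL-style password callback: copy the password in u into buf.
 * On a missing password or truncation, clear buf and return 0 so the
 * caller treats the load as failed; otherwise return the length.
 */
int
demo_password_cb(char *buf, int size, int rwflag, void *u)
{
	size_t len;

	(void)rwflag;
	if (size <= 0)
		return (0);
	if (u == NULL) {
		demo_explicit_bzero(buf, (size_t)size);
		return (0);
	}
	/* strlcpy has already written size - 1 bytes when this fires. */
	if ((len = demo_strlcpy(buf, u, (size_t)size)) >= (size_t)size) {
		demo_explicit_bzero(buf, (size_t)size);
		return (0);
	}
	return ((int)len);
}

/* Returns 1 if every byte of buf is zero. */
int
demo_all_zero(const char *buf, size_t n)
{
	for (size_t i = 0; i < n; i++)
		if (buf[i] != '\0')
			return (0);
	return (1);
}

/* Constructed password too long for an 8-byte buffer: expect failure
 * and a fully cleared buffer, not a 7-byte prefix of the password. */
int
demo_truncation_clears(void)
{
	char buf[8];
	int r;

	memset(buf, 'X', sizeof(buf));
	r = demo_password_cb(buf, (int)sizeof(buf), 0, "hunter2-secret");
	return (r == 0 && demo_all_zero(buf, sizeof(buf)));
}

/* Constructed password that fits: expect its length and an exact copy. */
int
demo_copy_succeeds(void)
{
	char buf[16];
	int r;

	r = demo_password_cb(buf, (int)sizeof(buf), 0, "hunter2");
	return (r == 7 && strcmp(buf, "hunter2") == 0);
}

int
main(void)
{
	printf("truncation clears buffer: %d\n", demo_truncation_clears());
	printf("copy succeeds: %d\n", demo_copy_succeeds());
	return (0);
}
```

Build with `cc -O2` to exercise the case the diff is about: at that level a plain memset of a buffer that is never read again is a candidate for removal, while the call through the volatile pointer, like the libc explicit_bzero, is kept.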