From 13d96540de32c7c3016146496b3be0b9619528bb Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Wed, 11 Sep 2019 15:31:03 +0200
Subject: [PATCH] - Use explicit bzero for wiping clear buffer of hash in cachedb, reported by Eric Sesterhenn from X41 D-Sec.
---
 cachedb/cachedb.c | 4 ++++
 doc/Changelog | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/cachedb/cachedb.c b/cachedb/cachedb.c
index 08389a432..92217db3d 100644
--- a/cachedb/cachedb.c
+++ b/cachedb/cachedb.c
@@ -349,7 +349,11 @@ calc_hash(struct module_qstate* qstate, char* buf, size_t len)
 /* hash the buffer */
 secalgo_hash_sha256(clear, clen, hash);
+#ifdef HAVE_EXPLICIT_BZERO
+ explicit_bzero(clear, clen);
+#else
 memset(clear, 0, clen);
+#endif
 /* hex encode output for portability (some online dbs need
 * no nulls, no control characters, and so on) */
diff --git a/doc/Changelog b/doc/Changelog
index 19d4e2d8d..8fac8f128 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+11 September 2019: Wouter
+ - Use explicit bzero for wiping clear buffer of hash in cachedb,
+ reported by Eric Sesterhenn from X41 D-Sec.
+
 9 September 2019: Wouter
 - Fix #72: configure --with-syslog-facility=LOCAL0-7 with default LOG_DAEMON (as before) can set the syslog facility that the server
-- 
2.47.3
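Review bot: The `#else` branch in calc_hash still wipes `clear` with a plain `memset(clear, 0, clen);`, which a compiler may remove as a dead store if the buffer is not read again, so builds without `HAVE_EXPLICIT_BZERO` keep the behaviour this commit sets out to fix. A fallback that writes through a volatile pointer would close that gap, for example `volatile unsigned char* p = (volatile unsigned char*)clear; size_t i; for(i = 0; i < clen; i++) p[i] = 0;`. The patch touches only cachedb.c and the Changelog, so it presumably relies on configure already probing for explicit_bzero; that is worth confirming, because otherwise the new branch is never compiled. calc_hash starts and ends outside the hunk, so whether `clear` is used again after the wipe is inferred rather than visible.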