crypto: Use OPENSSL_cleanse to shred the data.

memset() is not useful here, it's efficiently a noop.

PR-URL: https://github.com/nodejs/node/pull/2575
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>

diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 0e4fc45353ab681c709409dd255144a2fb79a136..eab0e0ef928573083015ae6d228ab20173bd96ad 100644 (file)
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -4723,8 +4723,8 @@ void EIO_PBKDF2(PBKDF2Request* req) {
     req->digest(),
     req->keylen(),
     reinterpret_cast<unsigned char*>(req->key())));
-  memset(req->pass(), 0, req->passlen());
-  memset(req->salt(), 0, req->saltlen());
+  OPENSSL_cleanse(req->pass(), req->passlen());
+  OPENSSL_cleanse(req->salt(), req->saltlen());
 }
 
 
@@ -4738,7 +4738,7 @@ void EIO_PBKDF2After(PBKDF2Request* req, Local<Value> argv[2]) {
   if (req->error()) {
     argv[0] = Undefined(req->env()->isolate());
     argv[1] = Encode(req->env()->isolate(), req->key(), req->keylen(), BUFFER);
-    memset(req->key(), 0, req->keylen());
+    OPENSSL_cleanse(req->key(), req->keylen());
   } else {
     argv[0] = Exception::Error(req->env()->pbkdf2_error_string());
     argv[1] = Undefined(req->env()->isolate());