From c7418dfd589b3abe6d5642a747c1014e04bc17a9 Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Fri, 20 Jun 2014 16:28:00 -0700
Subject: [PATCH] zero the poly1305 state in crypto_secretbox_chacha20poly1305*

---
 .../chacha20poly1305/secretbox_chacha20poly1305.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/libsodium/crypto_secretbox/chacha20poly1305/secretbox_chacha20poly1305.c b/src/libsodium/crypto_secretbox/chacha20poly1305/secretbox_chacha20poly1305.c
index edd68800..74af57ab 100644
--- a/src/libsodium/crypto_secretbox/chacha20poly1305/secretbox_chacha20poly1305.c
+++ b/src/libsodium/crypto_secretbox/chacha20poly1305/secretbox_chacha20poly1305.c
@@ -50,6 +50,7 @@ crypto_secretbox_chacha20poly1305_ad(unsigned char *c,
 crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
 crypto_onetimeauth_poly1305_final(&state, c);
+ sodium_memzero(&state, sizeof state);
 return 0;
 }
@@ -82,7 +83,6 @@ crypto_secretbox_chacha20poly1305_ad_open(unsigned char *m,
 if (clen < crypto_secretbox_chacha20poly1305_ZEROBYTES) {
 return -1;
 }
-
 crypto_stream_chacha20(block0, sizeof block0, n, k);
 crypto_onetimeauth_poly1305_init(&state, block0);
 sodium_memzero(block0, sizeof block0);
@@ -98,6 +98,7 @@ crypto_secretbox_chacha20poly1305_ad_open(unsigned char *m,
 crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
 crypto_onetimeauth_poly1305_final(&state, mac);
+ sodium_memzero(&state, sizeof state);
 ret = crypto_verify_16(mac, c);
 sodium_memzero(mac, sizeof mac);
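Review bot: The new `sodium_memzero(&state, sizeof state);` after `crypto_onetimeauth_poly1305_final` in crypto_secretbox_chacha20poly1305_ad carries no comment explaining why it is there, and the reason is not obvious from the call alone: the second hunk shows the state is initialised from a ChaCha20 keystream block (`crypto_onetimeauth_poly1305_init(&state, block0)`), so it holds the one-time Poly1305 key, and sodium_memzero rather than memset is presumably used so the wipe is not elided by the optimizer. I would add `/* state holds the one-time Poly1305 key derived from block0; wipe it once the tag is out */` on the added line, and the same comment on the matching addition in crypto_secretbox_chacha20poly1305_ad_open. Both enclosing functions start outside the hunks, so I cannot see whether any early return between `_init` and `_final` leaves `state` unwiped; if one exists it deserves the same treatment, since `block0` is already wiped right after init and the state is the only remaining copy of that key material.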