===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/kexgexs.c,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- src/usr.bin/ssh/kexgexs.c	2018/09/13 02:08:33	1.34
+++ src/usr.bin/ssh/kexgexs.c	2018/10/04 00:04:41	1.35
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexgexs.c,v 1.34 2018/09/13 02:08:33 djm Exp $ */
+/* $OpenBSD: kexgexs.c,v 1.35 2018/10/04 00:04:41 djm Exp $ */
 /*
  * Copyright (c) 2000 Niels Provos.  All rights reserved.
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@@ -233,6 +233,7 @@
 	if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0)
 		r = kex_send_newkeys(ssh);
  out:
+	explicit_bzero(hash, sizeof(hash));
 	DH_free(kex->dh);
 	kex->dh = NULL;
 	BN_clear_free(dh_client_pub);