Index: head/sys/crypto/rijndael/rijndael-api-fst.c
===================================================================
--- head/sys/crypto/rijndael/rijndael-api-fst.c
+++ head/sys/crypto/rijndael/rijndael-api-fst.c
@@ -36,7 +36,6 @@
 
 int rijndael_makeKey(keyInstance *key, BYTE direction, int keyLen,
 	const char *keyMaterial) {
-	u_int8_t cipherKey[RIJNDAEL_MAXKB];
 
 	if (key == NULL) {
 		return BAD_KEY_INSTANCE;
@@ -59,13 +58,12 @@
 	}
 
 	/* initialize key schedule: */
-	memcpy(cipherKey, key->keyMaterial, keyLen/8);
 	if (direction == DIR_ENCRYPT) {
-		key->Nr = rijndaelKeySetupEnc(key->rk, cipherKey, keyLen);
+		key->Nr = rijndaelKeySetupEnc(key->rk, key->keyMaterial, keyLen);
 	} else {
-		key->Nr = rijndaelKeySetupDec(key->rk, cipherKey, keyLen);
+		key->Nr = rijndaelKeySetupDec(key->rk, key->keyMaterial, keyLen);
 	}
-	rijndaelKeySetupEnc(key->ek, cipherKey, keyLen);
+	rijndaelKeySetupEnc(key->ek, key->keyMaterial, keyLen);
 	return TRUE;
 }
 
@@ -186,6 +184,7 @@
 		return BAD_CIPHER_STATE;
 	}
 
+	explicit_bzero(block, sizeof(block));
 	return 128*numBlocks;
 }
 
@@ -258,6 +257,7 @@
 		return BAD_CIPHER_STATE;
 	}
 
+	explicit_bzero(block, sizeof(block));
 	return 16*(numBlocks + 1);
 }
 
@@ -357,12 +357,13 @@
 		return BAD_CIPHER_STATE;
 	}
 
+	explicit_bzero(block, sizeof(block));
 	return 128*numBlocks;
 }
 
 int rijndael_padDecrypt(cipherInstance *cipher, keyInstance *key,
 		const BYTE *input, int inputOctets, BYTE *outBuffer) {
-	int i, numBlocks, padLen;
+	int i, numBlocks, padLen, rval;
 	u_int8_t block[16];
 	u_int32_t iv[4];
 
@@ -392,11 +393,13 @@
 		rijndaelDecrypt(key->rk, key->Nr, input, block);
 		padLen = block[15];
 		if (padLen >= 16) {
-			return BAD_DATA;
+			rval = BAD_DATA;
+			goto out;
 		}
 		for (i = 16 - padLen; i < 16; i++) {
 			if (block[i] != padLen) {
-				return BAD_DATA;
+				rval = BAD_DATA;
+				goto out;
 			}
 		}
 		memcpy(outBuffer, block, 16 - padLen);
@@ -424,11 +427,13 @@
 		((u_int32_t*)block)[3] ^= iv[3];
 		padLen = block[15];
 		if (padLen <= 0 || padLen > 16) {
-			return BAD_DATA;
+			rval = BAD_DATA;
+			goto out;
 		}
 		for (i = 16 - padLen; i < 16; i++) {
 			if (block[i] != padLen) {
-				return BAD_DATA;
+				rval = BAD_DATA;
+				goto out;
 			}
 		}
 		memcpy(outBuffer, block, 16 - padLen);
@@ -438,5 +443,9 @@
 		return BAD_CIPHER_STATE;
 	}
 
-	return 16*numBlocks - padLen;
+	rval = 16*numBlocks - padLen;
+
+out:
+	explicit_bzero(block, sizeof(block));
+	return rval;
 }