More thorough cleaning of encryption/decryption state and buffers.

frontend/src/main.c

@@ -396,6 +396,11 @@ clean_up:
 		fclose(file_in);
 	}
 
+	slunkcrypt_bzero(buffer, BUFFER_SIZE);
+	slunkcrypt_bzero(checksum_buffer, sizeof(uint64_t));
+	slunkcrypt_bzero(&blake2s_state, sizeof(blake2s_t));
+	slunkcrypt_bzero(&nonce, sizeof(uint64_t));
+
 	return result;
 }
 
@@ -545,10 +550,10 @@ static int decrypt(const char* const passphrase, const CHR* const input_path, co
 	FPRINTF(stderr, T("\b\b\b\b\b\b\b%5.1f%%\n\n"), 100.0);
 	fflush(stderr);
 
-	const uint64_t checksum_expected = load_ui64(checksum_buffer);
+	const uint64_t checksum_stored = load_ui64(checksum_buffer);
-	if (checksum_actual != checksum_expected)
+	if (checksum_actual != checksum_stored)
 	{
-		FPRINTF(stderr, T("Error: Checksum mismatch detected! [expected: 0x%016") T(PRIX64) T(", actual: 0x%016") T(PRIX64) T("]\n\n"), checksum_expected, checksum_actual);
+		FPRINTF(stderr, T("Error: Checksum mismatch detected! [expected: 0x%016") T(PRIX64) T(", actual: 0x%016") T(PRIX64) T("]\n\n"), checksum_stored, checksum_actual);
 		FPUTS(T("Wrong passphrase or corrupted file?\n\n"), stderr);
 		goto clean_up;
 	}
@@ -575,6 +580,13 @@ clean_up:
 		fclose(file_in);
 	}
 
+	slunkcrypt_bzero(buffer, BUFFER_SIZE);
+	slunkcrypt_bzero(checksum_buffer, sizeof(uint64_t));
+	slunkcrypt_bzero(&blake2s_state, sizeof(blake2s_t));
+	slunkcrypt_bzero(&nonce, sizeof(uint64_t));
+	slunkcrypt_bzero((void*)&checksum_stored, sizeof(uint64_t));
+	slunkcrypt_bzero((void*)&checksum_actual, sizeof(uint64_t));
+
 	return result;
 }