projects / authen-passphrase-scrypt.git / blame
| Commit | Line | Data |
|---|---|---|
| 0c1f3509 MG |
1 | #ifndef _INSECURE_MEMZERO_H_ |
| 2 | #define _INSECURE_MEMZERO_H_ | |
| 3 | ||
| 4 | #include <stddef.h> | |
| 5 | ||
| 6 | /* Pointer to memory-zeroing function. */ | |
| 7 | extern void (* volatile insecure_memzero_ptr)(volatile void *, size_t); | |
| 8 | ||
| 9 | /** | |
| 10 | * insecure_memzero(buf, len): | |
| 11 | * Attempt to zero ${len} bytes at ${buf} in spite of optimizing compilers' | |
| 12 | * best (standards-compliant) attempts to remove the buffer-zeroing. In | |
| 13 | * particular, to avoid performing the zeroing, a compiler would need to | |
| 14 | * use optimistic devirtualization; recognize that non-volatile objects do not | |
| 15 | * need to be treated as volatile, even if they are accessed via volatile | |
| 16 | * qualified pointers; and perform link-time optimization; in addition to the | |
| 17 | * dead-code elimination which often causes buffer-zeroing to be elided. | |
| 18 | * | |
| 19 | * Note however that zeroing a buffer does not guarantee that the data held | |
| 20 | * in the buffer is not stored elsewhere; in particular, there may be copies | |
| 21 | * held in CPU registers or in anonymous allocations on the stack, even if | |
| 22 | * every named variable is successfully sanitized. Solving the "wipe data | |
| 23 | * from the system" problem will require a C language extension which does not | |
| 24 | * yet exist. | |
| 25 | * | |
| 26 | * For more information, see: | |
| 27 | * http://www.daemonology.net/blog/2014-09-04-how-to-zero-a-buffer.html | |
| 28 | * http://www.daemonology.net/blog/2014-09-06-zeroing-buffers-is-insufficient.html | |
| 29 | */ | |
| 30 | static inline void | |
| 31 | insecure_memzero(volatile void * buf, size_t len) | |
| 32 | { | |
| 33 | ||
| 34 | (insecure_memzero_ptr)(buf, len); | |
| 35 | } | |
| 36 | ||
| 37 | #endif /* !_INSECURE_MEMZERO_H_ */ |