| 1 | #ifndef _INSECURE_MEMZERO_H_ |
| 2 | #define _INSECURE_MEMZERO_H_ |
| 3 | |
| 4 | #include <stddef.h> |
| 5 | |
| 6 | /* Pointer to memory-zeroing function. */ |
| 7 | extern void (* volatile insecure_memzero_ptr)(volatile void *, size_t); |
| 8 | |
| 9 | /** |
| 10 | * insecure_memzero(buf, len): |
| 11 | * Attempt to zero ${len} bytes at ${buf} in spite of optimizing compilers' |
| 12 | * best (standards-compliant) attempts to remove the buffer-zeroing. In |
| 13 | * particular, to avoid performing the zeroing, a compiler would need to |
| 14 | * use optimistic devirtualization; recognize that non-volatile objects do not |
| 15 | * need to be treated as volatile, even if they are accessed via volatile |
| 16 | * qualified pointers; and perform link-time optimization; in addition to the |
| 17 | * dead-code elimination which often causes buffer-zeroing to be elided. |
| 18 | * |
| 19 | * Note however that zeroing a buffer does not guarantee that the data held |
| 20 | * in the buffer is not stored elsewhere; in particular, there may be copies |
| 21 | * held in CPU registers or in anonymous allocations on the stack, even if |
| 22 | * every named variable is successfully sanitized. Solving the "wipe data |
| 23 | * from the system" problem will require a C language extension which does not |
| 24 | * yet exist. |
| 25 | * |
| 26 | * For more information, see: |
| 27 | * http://www.daemonology.net/blog/2014-09-04-how-to-zero-a-buffer.html |
| 28 | * http://www.daemonology.net/blog/2014-09-06-zeroing-buffers-is-insufficient.html |
| 29 | */ |
| 30 | static inline void |
| 31 | insecure_memzero(volatile void * buf, size_t len) |
| 32 | { |
| 33 | |
| 34 | (insecure_memzero_ptr)(buf, len); |
| 35 | } |
| 36 | |
| 37 | #endif /* !_INSECURE_MEMZERO_H_ */ |