]>
Commit | Line | Data |
---|---|---|
1 | #ifndef _INSECURE_MEMZERO_H_ | |
2 | #define _INSECURE_MEMZERO_H_ | |
3 | ||
4 | #include <stddef.h> | |
5 | ||
6 | /* Pointer to memory-zeroing function. */ | |
7 | extern void (* volatile insecure_memzero_ptr)(volatile void *, size_t); | |
8 | ||
9 | /** | |
10 | * insecure_memzero(buf, len): | |
11 | * Attempt to zero ${len} bytes at ${buf} in spite of optimizing compilers' | |
12 | * best (standards-compliant) attempts to remove the buffer-zeroing. In | |
13 | * particular, to avoid performing the zeroing, a compiler would need to | |
14 | * use optimistic devirtualization; recognize that non-volatile objects do not | |
15 | * need to be treated as volatile, even if they are accessed via volatile | |
16 | * qualified pointers; and perform link-time optimization; in addition to the | |
17 | * dead-code elimination which often causes buffer-zeroing to be elided. | |
18 | * | |
19 | * Note however that zeroing a buffer does not guarantee that the data held | |
20 | * in the buffer is not stored elsewhere; in particular, there may be copies | |
21 | * held in CPU registers or in anonymous allocations on the stack, even if | |
22 | * every named variable is successfully sanitized. Solving the "wipe data | |
23 | * from the system" problem will require a C language extension which does not | |
24 | * yet exist. | |
25 | * | |
26 | * For more information, see: | |
27 | * http://www.daemonology.net/blog/2014-09-04-how-to-zero-a-buffer.html | |
28 | * http://www.daemonology.net/blog/2014-09-06-zeroing-buffers-is-insufficient.html | |
29 | */ | |
30 | static inline void | |
31 | insecure_memzero(volatile void * buf, size_t len) | |
32 | { | |
33 | ||
34 | (insecure_memzero_ptr)(buf, len); | |
35 | } | |
36 | ||
37 | #endif /* !_INSECURE_MEMZERO_H_ */ |