X-Git-Url: https://www.tinc-vpn.org/git/browse?a=blobdiff_plain;f=src%2Fxalloc.h;h=c8cfbebfb1bae47c921ff0207e0e19e06c543e19;hb=c44b08613508c993e7fd9f625e0b1b4775efffed;hp=96b9592bf9f47169d2d885df2594861676d5f95d;hpb=efca41606d4083eade90047d57cb963eb3b7e731;p=tinc

diff --git a/src/xalloc.h b/src/xalloc.h
index 96b9592b..c8cfbebf 100644
--- a/src/xalloc.h
+++ b/src/xalloc.h
@@ -23,6 +23,8 @@
 
 #include "system.h"
 
+#include <assert.h>
+
 static inline void *xmalloc(size_t n) ATTR_MALLOC;
 static inline void *xmalloc(size_t n) {
 	void *p = malloc(n);
@@ -96,4 +98,51 @@ static inline int xasprintf(char **strp, const char *fmt, ...) {
 	return result;
 }
 
+// Zero out a block of memory containing sensitive information using whatever secure
+// erase function is available on the platform (or an unreliable fallback if none are).
+// The pointer must not be NULL. Length can be zero, in which case the call is a noop.
+static inline void memzero(void *buf, size_t buflen) ATTR_NONNULL;
+static inline void memzero(void *buf, size_t buflen) {
+	assert(buf);
+
+	if(!buflen) {
+		return;
+	}
+
+#if defined(HAVE_EXPLICIT_BZERO)
+	explicit_bzero(buf, buflen);
+#elif defined(HAVE_EXPLICIT_MEMSET)
+	explicit_memset(buf, 0, buflen);
+#elif defined(HAVE_MEMSET_S)
+	errno_t err = memset_s(buf, buflen, 0, buflen);
+	assert(err == 0);
+#elif defined(HAVE_WINDOWS)
+	SecureZeroMemory(buf, buflen);
+#else
+	volatile uint8_t *p = buf;
+
+	while(buflen--) {
+		*p++ = 0;
+	}
+
 #endif
+}
+
+// Zero out a buffer of size `len` located at `ptr` and free() it.
+// Does nothing if called on NULL.
+static inline void xzfree(void *ptr, size_t len) {
+	if(ptr) {
+		memzero(ptr, len);
+		free(ptr);
+	}
+}
+
+// Zero out a NULL-terminated string using memzero() and then free it.
+// Does nothing if called on NULL.
+static inline void free_string(char *str) {
+	if(str) {
+		xzfree(str, strlen(str));
+	}
+}
+
+#endif // TINC_XALLOC_H