Wipe (some) secrets from memory after use

[tinc] / src / xalloc.h

diff --git a/src/xalloc.h b/src/xalloc.h
index 96b9592..c8cfbeb 100644 (file)
--- a/src/xalloc.h
+++ b/src/xalloc.h
@@ -23,6 +23,8 @@
 
 #include "system.h"
 
+#include <assert.h>
+
 static inline void *xmalloc(size_t n) ATTR_MALLOC;
 static inline void *xmalloc(size_t n) {
        void *p = malloc(n);
@@ -96,4 +98,51 @@ static inline int xasprintf(char **strp, const char *fmt, ...) {
        return result;
 }
 
+// Zero out a block of memory containing sensitive information using whatever secure
+// erase function is available on the platform (or an unreliable fallback if none are).
+// The pointer must not be NULL. Length can be zero, in which case the call is a noop.
+static inline void memzero(void *buf, size_t buflen) ATTR_NONNULL;
+static inline void memzero(void *buf, size_t buflen) {
+       assert(buf);
+
+       if(!buflen) {
+               return;
+       }
+
+#if defined(HAVE_EXPLICIT_BZERO)
+       explicit_bzero(buf, buflen);
+#elif defined(HAVE_EXPLICIT_MEMSET)
+       explicit_memset(buf, 0, buflen);
+#elif defined(HAVE_MEMSET_S)
+       errno_t err = memset_s(buf, buflen, 0, buflen);
+       assert(err == 0);
+#elif defined(HAVE_WINDOWS)
+       SecureZeroMemory(buf, buflen);
+#else
+       volatile uint8_t *p = buf;
+
+       while(buflen--) {
+               *p++ = 0;
+       }
+
 #endif
+}
+
+// Zero out a buffer of size `len` located at `ptr` and free() it.
+// Does nothing if called on NULL.
+static inline void xzfree(void *ptr, size_t len) {
+       if(ptr) {
+               memzero(ptr, len);
+               free(ptr);
+       }
+}
+
+// Zero out a NULL-terminated string using memzero() and then free it.
+// Does nothing if called on NULL.
+static inline void free_string(char *str) {
+       if(str) {
+               xzfree(str, strlen(str));
+       }
+}
+
+#endif // TINC_XALLOC_H