gnutls_rsa_export.c gnutls_helper.c gnutls_supplemental.c \
random.c crypto-api.c gnutls_privkey.c gnutls_pcert.c \
gnutls_pubkey.c locks.c gnutls_dtls.c system_override.c \
- crypto-backend.c verify-tofu.c pin.c tpm.c fips.c
+ crypto-backend.c verify-tofu.c pin.c tpm.c fips.c \
+ safe-memset.c
if ENABLE_SELF_CHECKS
COBJECTS += crypto-selftests.c crypto-selftests-pk.c
gnutls_srp.h auth/srp.h auth/srp_passwd.h \
gnutls_helper.h gnutls_supplemental.h crypto.h random.h system.h\
locks.h gnutls_mbuffers.h gnutls_ecc.h pin.h fips.h \
- priority_options.h
+ priority_options.h safe-memset.h
if ENABLE_PKCS11
HFILES += pkcs11_int.h
return ret;
}
-void _gnutls_bzero(void *mem, size_t size)
-{
- /* The reason we use that function instead of directly
- * calling memset is to prevent the compiler
- * optimizing out certain calls that may look
- * pointless to him, but needed to erase
- * private keys. */
- memset(mem, 0, size);
-}
-
#if 0
/* don't use them. They are included for documentation.
*/
void *_gnutls_calloc(size_t nmemb, size_t size);
char *_gnutls_strdup(const char *);
-void _gnutls_bzero(void *v, size_t n);
-
#define zrelease_mpi_key(mpi) if (*mpi!=NULL) { \
_gnutls_mpi_clear(*mpi); \
_gnutls_mpi_release(mpi); \
}
-#define zeroize_key(x, size) _gnutls_bzero(x, size)
+void _gnutls_safe_memset(void *data, int c, size_t size);
+
+#define zeroize_key(x, size) _gnutls_safe_memset(x, 0, size)
#define zeroize_temp_key zeroize_key
#define zrelease_temp_mpi_key zrelease_mpi_key
--- /dev/null
+/*
+ * Copyright (C) 2014 Red Hat
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+#ifdef TEST_SAFE_MEMSET
+# include <string.h>
+#else
+# include <gnutls_int.h>
+#endif
+
+/* This is based on a nice trick for safe memset,
+ * sent by David Jacobson in the openssl-dev mailing list.
+ */
+
+void _gnutls_safe_memset(void *data, int c, size_t size)
+{
+ volatile unsigned volatile_zero = 0;
+ volatile char *vdata = (volatile char*)data;
+
+ do {
+ memset(data, c, size);
+ } while(vdata[volatile_zero] != c);
+}
+
+#ifdef TEST_SAFE_MEMSET
+int main()
+{
+ char x[64];
+
+ safe_memset(x, 0, sizeof(x));
+
+ return 0;
+
+}
+
+#endif