putty-source/utils/smemclr.c

/*
 * Securely wipe memory.
 *
 * The actual wiping is no different from what memset would do: the
 * point of 'securely' is to try to be sure over-clever compilers
 * won't optimise away memsets on variables that are about to be freed
 * or go out of scope. See
 * https://buildsecurityin.us-cert.gov/bsi-rules/home/g1/771-BSI.html
 */

#include "defs.h"
#include "misc.h"

/*
 * Trivial function that is given a pointer to some memory and ignores
 * it.
 */
static void no_op(void *ptr, size_t size) {}

/*
 * Function pointer that is given a pointer to some memory, and from
 * the compiler's point of view, _might_ read it, or otherwise depend
 * on its contents.
 *
 * In fact, this function pointer always points to no_op() above. But
 * because the pointer itself is volatile-qualified, the compiler
 * isn't allowed to optimise based on the assumption that that will
 * always be the case. So it has to call through the function pointer
 * anyway, on the basis that it _might_ have magically changed at run
 * time into a pointer to some completely arbitrary function. And
 * therefore it must also avoid optimising away any observable effect
 * beforehand that a completely arbitrary function might depend on -
 * such as the zeroing of our memory region.
 */
static void (*const volatile maybe_read)(void *ptr, size_t size) = no_op;

void smemclr(void *b, size_t n)
{
    if (b && n > 0) {
        /*
         * Zero out the memory.
         */
        memset(b, 0, n);

        /*
         * Call the above function pointer, which (for all the
         * compiler knows) might check that we've really zeroed the
         * memory.
         */
        maybe_read(b, n);
    }
}
New library-style 'utils' subdirectories. Now that the new CMake build system is encouraging us to lay out the code like a set of libraries, it seems like a good idea to make them look more _like_ libraries, by putting things into separate modules as far as possible. This fixes several previous annoyances in which you had to link against some object in order to get a function you needed, but that object also contained other functions you didn't need which included link-time symbol references you didn't want to have to deal with. The usual offender was subsidiary supporting programs including misc.c for some innocuous function and then finding they had to deal with the requirements of buildinfo(). This big reorganisation introduces three new subdirectories called 'utils', one at the top level and one in each platform subdir. In each case, the directory contains basically the same files that were previously placed in the 'utils' build-time library, except that the ones that were extremely miscellaneous (misc.c, utils.c, uxmisc.c, winmisc.c, winmiscs.c, winutils.c) have been split up into much smaller pieces. 2021-04-17 14:22:20 +00:00			`/*`
			`* Securely wipe memory.`
			`*`
			`* The actual wiping is no different from what memset would do: the`
			`* point of 'securely' is to try to be sure over-clever compilers`
			`* won't optimise away memsets on variables that are about to be freed`
			`* or go out of scope. See`
			`* https://buildsecurityin.us-cert.gov/bsi-rules/home/g1/771-BSI.html`
			`*/`

			`#include "defs.h"`
			`#include "misc.h"`

Adopt a new universal implementation of smemclr(). This new implementation uses the same optimisation-barrier technique that I used in various places in testsc: have a no-op function, and a volatile function pointer pointing at it, and then call through the function pointer, so that nothing actually happens (apart from the physical call and return) but the compiler has to assume that _anything_ might have happened. Doing this just after a memset enforces that the compiler can't have thrown away the memset, because the called function might (for example) check that all the memory really is zero and abort if not. I've been turning this over in my mind ever since coming up with the technique for testsc. I think it's far more robust than the previous smemclr technique: so much so that I'm switching to using it _everywhere_, and no longer using platform alternatives like Windows's SecureZeroMemory(). 2021-04-17 16:59:43 +00:00			`/*`
			`* Trivial function that is given a pointer to some memory and ignores`
			`* it.`
			`*/`
			`static void no_op(void *ptr, size_t size) {}`

			`/*`
			`* Function pointer that is given a pointer to some memory, and from`
			`* the compiler's point of view, _might_ read it, or otherwise depend`
			`* on its contents.`
			`*`
			`* In fact, this function pointer always points to no_op() above. But`
			`* because the pointer itself is volatile-qualified, the compiler`
			`* isn't allowed to optimise based on the assumption that that will`
			`* always be the case. So it has to call through the function pointer`
			`* anyway, on the basis that it _might_ have magically changed at run`
			`* time into a pointer to some completely arbitrary function. And`
			`* therefore it must also avoid optimising away any observable effect`
			`* beforehand that a completely arbitrary function might depend on -`
Fix typo in comment. 2021-04-19 16:14:01 +00:00			`* such as the zeroing of our memory region.`
Adopt a new universal implementation of smemclr(). This new implementation uses the same optimisation-barrier technique that I used in various places in testsc: have a no-op function, and a volatile function pointer pointing at it, and then call through the function pointer, so that nothing actually happens (apart from the physical call and return) but the compiler has to assume that _anything_ might have happened. Doing this just after a memset enforces that the compiler can't have thrown away the memset, because the called function might (for example) check that all the memory really is zero and abort if not. I've been turning this over in my mind ever since coming up with the technique for testsc. I think it's far more robust than the previous smemclr technique: so much so that I'm switching to using it _everywhere_, and no longer using platform alternatives like Windows's SecureZeroMemory(). 2021-04-17 16:59:43 +00:00			`*/`
			`static void (const volatile maybe_read)(void ptr, size_t size) = no_op;`

New library-style 'utils' subdirectories. Now that the new CMake build system is encouraging us to lay out the code like a set of libraries, it seems like a good idea to make them look more _like_ libraries, by putting things into separate modules as far as possible. This fixes several previous annoyances in which you had to link against some object in order to get a function you needed, but that object also contained other functions you didn't need which included link-time symbol references you didn't want to have to deal with. The usual offender was subsidiary supporting programs including misc.c for some innocuous function and then finding they had to deal with the requirements of buildinfo(). This big reorganisation introduces three new subdirectories called 'utils', one at the top level and one in each platform subdir. In each case, the directory contains basically the same files that were previously placed in the 'utils' build-time library, except that the ones that were extremely miscellaneous (misc.c, utils.c, uxmisc.c, winmisc.c, winmiscs.c, winutils.c) have been split up into much smaller pieces. 2021-04-17 14:22:20 +00:00			`void smemclr(void *b, size_t n)`
			`{`
			`if (b && n > 0) {`
			`/*`
			`* Zero out the memory.`
			`*/`
			`memset(b, 0, n);`

			`/*`
Adopt a new universal implementation of smemclr(). This new implementation uses the same optimisation-barrier technique that I used in various places in testsc: have a no-op function, and a volatile function pointer pointing at it, and then call through the function pointer, so that nothing actually happens (apart from the physical call and return) but the compiler has to assume that _anything_ might have happened. Doing this just after a memset enforces that the compiler can't have thrown away the memset, because the called function might (for example) check that all the memory really is zero and abort if not. I've been turning this over in my mind ever since coming up with the technique for testsc. I think it's far more robust than the previous smemclr technique: so much so that I'm switching to using it _everywhere_, and no longer using platform alternatives like Windows's SecureZeroMemory(). 2021-04-17 16:59:43 +00:00			`* Call the above function pointer, which (for all the`
			`* compiler knows) might check that we've really zeroed the`
			`* memory.`
New library-style 'utils' subdirectories. Now that the new CMake build system is encouraging us to lay out the code like a set of libraries, it seems like a good idea to make them look more _like_ libraries, by putting things into separate modules as far as possible. This fixes several previous annoyances in which you had to link against some object in order to get a function you needed, but that object also contained other functions you didn't need which included link-time symbol references you didn't want to have to deal with. The usual offender was subsidiary supporting programs including misc.c for some innocuous function and then finding they had to deal with the requirements of buildinfo(). This big reorganisation introduces three new subdirectories called 'utils', one at the top level and one in each platform subdir. In each case, the directory contains basically the same files that were previously placed in the 'utils' build-time library, except that the ones that were extremely miscellaneous (misc.c, utils.c, uxmisc.c, winmisc.c, winmiscs.c, winutils.c) have been split up into much smaller pieces. 2021-04-17 14:22:20 +00:00			`*/`
Adopt a new universal implementation of smemclr(). This new implementation uses the same optimisation-barrier technique that I used in various places in testsc: have a no-op function, and a volatile function pointer pointing at it, and then call through the function pointer, so that nothing actually happens (apart from the physical call and return) but the compiler has to assume that _anything_ might have happened. Doing this just after a memset enforces that the compiler can't have thrown away the memset, because the called function might (for example) check that all the memory really is zero and abort if not. I've been turning this over in my mind ever since coming up with the technique for testsc. I think it's far more robust than the previous smemclr technique: so much so that I'm switching to using it _everywhere_, and no longer using platform alternatives like Windows's SecureZeroMemory(). 2021-04-17 16:59:43 +00:00			`maybe_read(b, n);`
New library-style 'utils' subdirectories. Now that the new CMake build system is encouraging us to lay out the code like a set of libraries, it seems like a good idea to make them look more _like_ libraries, by putting things into separate modules as far as possible. This fixes several previous annoyances in which you had to link against some object in order to get a function you needed, but that object also contained other functions you didn't need which included link-time symbol references you didn't want to have to deal with. The usual offender was subsidiary supporting programs including misc.c for some innocuous function and then finding they had to deal with the requirements of buildinfo(). This big reorganisation introduces three new subdirectories called 'utils', one at the top level and one in each platform subdir. In each case, the directory contains basically the same files that were previously placed in the 'utils' build-time library, except that the ones that were extremely miscellaneous (misc.c, utils.c, uxmisc.c, winmisc.c, winmiscs.c, winutils.c) have been split up into much smaller pieces. 2021-04-17 14:22:20 +00:00			`}`
			`}`