Introduce a new utility function smemclr(), which memsets things to

zero but does it in such a way that over-clever compilers hopefully won't helpfully optimise the call away if you do it just before freeing something or letting it go out of scope. Use this for (hopefully) every memset whose job is to destroy sensitive data that might otherwise be left lying around in the process's memory. [originally from svn r9586]
2025-06-30 19:12:48 -05:00 · 2012-07-22 19:51:50 +00:00
parent acf8a5385d
commit aa5bae8916
21 changed files with 140 additions and 89 deletions
--- a/windows/winmisc.c
+++ b/windows/winmisc.c
@ -68,6 +68,14 @@ Filename *filename_deserialise(void *vdata, int maxsize, int *used)
    return filename_from_str(data);
 }

+/*
+ * Windows implementation of smemclr (see misc.c) using SecureZeroMemory.
+ */
+void smemclr(void *b, size_t n) {
+    if (b && n > 0)
+        SecureZeroMemory(b, n);
+}
+
 char *get_username(void)
 {
    DWORD namelen;
--- a/windows/winpgen.c
+++ b/windows/winpgen.c
@ -958,7 +958,7 @@ static int CALLBACK MainDlgProc(HWND hwnd, UINT msg,
 		 * Seed the entropy pool
 		 */
 		random_add_heavynoise(state->entropy, state->entropy_size);
-		memset(state->entropy, 0, state->entropy_size);
+		smemclr(state->entropy, state->entropy_size);
 		sfree(state->entropy);
 		state->collecting_entropy = FALSE;

--- a/windows/winpgnt.c
+++ b/windows/winpgnt.c
@ -174,7 +174,7 @@ static void forget_passphrases(void)
 {
    while (count234(passphrases) > 0) {
 	char *pp = index234(passphrases, 0);
-	memset(pp, 0, strlen(pp));
+	smemclr(pp, strlen(pp));
 	delpos234(passphrases, 0);
 	free(pp);
    }
@ -968,7 +968,7 @@ static void answer_msg(void *msg)
 	    MD5Init(&md5c);
 	    MD5Update(&md5c, response_source, 48);
 	    MD5Final(response_md5, &md5c);
-	    memset(response_source, 0, 48);	/* burn the evidence */
+	    smemclr(response_source, 48);	/* burn the evidence */
 	    freebn(response);	       /* and that evidence */
 	    freebn(challenge);	       /* yes, and that evidence */
 	    freebn(reqkey.exponent);   /* and free some memory ... */
--- a/windows/winstuff.h
+++ b/windows/winstuff.h
@ -75,6 +75,8 @@ struct FontSpec *fontspec_new(const char *name,
 #define BOXRESULT (DLGWINDOWEXTRA + sizeof(LONG_PTR))
 #define DF_END 0x0001

+#define PLATFORM_HAS_SMEMCLR /* inhibit cross-platform one in misc.c */
+
 /*
 * Dynamically linked functions. These come in two flavours:
 *