Use explicit_bzero() if available #148
Conversation
This isn't much of an issue:
Yeah, this requires I'm not sure it's worth it to maintain this extra complexity for unclear benefits.
Sorry, I'm going to close this, we prefer to avoid non-POSIX functions.
You cannot reliably zero memory without avoiding non-POSIX functions. explicit_bzero is nowadays implemented by OpenBSD, musl libc, and glibc (i.e. it is widely available). If you rely on the volatile keyword, chances are that the zeroing is optimized out by the compiler. For more background information refer to https://media.ccc.de/v/35c3-9788-memsad
Since this issue has been closed for a couple of years now, I have opened #353 with a somewhat simpler implementation in the hopes of resuming the discussion there.
The 'volatile' solution may not work as expected
Quote from https://www.gnu.org/software/libc/manual/html_node/Erasing-Sensitive-Data.html:
Declaring sensitive variables as volatile will make both the above problems worse; a volatile variable will be stored in memory for its entire lifetime, and the compiler will make more copies of it than it would otherwise have. Attempting to erase a normal variable “by hand” through a volatile-qualified pointer doesn’t work at all—because the variable itself is not volatile, some compilers will ignore the qualification on the pointer and remove the erasure anyway.
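To make the three approaches discussed in this thread concrete (a plain memset() before the buffer dies, erasing through a volatile-qualified pointer, and explicit_bzero() with a fallback when the build did not detect it), here is an added example. It is not code from this project or from any commenter; the names secure_zero, use_key_naive, use_key_safe, zero_via_volatile_ptr, is_all_zero and the build macro HAVE_EXPLICIT_BZERO are assumptions made for the illustration, and the 31-multiplier checksum is only a stand-in for real use of a key.

```c
/* Added example, not the project's code. Hypothetical names throughout.
 * HAVE_EXPLICIT_BZERO is assumed to be set by a configure-time check
 * (e.g. AC_CHECK_FUNCS([explicit_bzero])); it is off by default here. */
#ifdef HAVE_EXPLICIT_BZERO
/* On glibc (>= 2.25) the prototype is in <string.h> behind _DEFAULT_SOURCE,
 * which must be defined before the first system header is included. */
#  ifndef _DEFAULT_SOURCE
#    define _DEFAULT_SOURCE 1
#  endif
#endif

#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 1. The pattern the issue warns against: memset() right before 'key' goes
 * out of scope. Nothing reads 'key' afterwards, so a compiler doing
 * dead-store elimination may legally drop the memset and leave the key on
 * the stack. Compile with -O2 -S and look for the memset in this function. */
unsigned use_key_naive(const unsigned char *secret, size_t len)
{
    unsigned char key[32];
    unsigned acc = 0;
    size_t i;

    if (len > sizeof key)
        len = sizeof key;
    memcpy(key, secret, len);
    for (i = 0; i < len; i++)
        acc = acc * 31u + key[i];          /* stand-in for real use of the key */
    memset(key, 0, sizeof key);            /* candidate for dead-store elimination */
    return acc;
}

/* 2. Erasing through a volatile-qualified pointer. As the glibc manual quoted
 * above says, 'buf' itself is not volatile, so some compilers ignore the
 * qualifier on the pointer and remove the loop anyway. Shown for contrast. */
void zero_via_volatile_ptr(unsigned char *buf, size_t len)
{
    volatile unsigned char *p = buf;
    while (len--)
        *p++ = 0;
}

/* 3. explicit_bzero() when the build detected it; otherwise memset() called
 * through a volatile function pointer, so the compiler cannot see which
 * function is being called and cannot treat the store as dead. The fallback
 * is a widely used convention, not a guarantee of the C standard. */
static void *(*volatile memset_fnptr)(void *, int, size_t) = memset;

void secure_zero(void *buf, size_t len)
{
#ifdef HAVE_EXPLICIT_BZERO
    explicit_bzero(buf, len);
#else
    memset_fnptr(buf, 0, len);
#endif
}

/* Same computation as use_key_naive(), but the key is wiped with secure_zero().
 * With -O2 -S the indirect call (or the explicit_bzero call) stays in place. */
unsigned use_key_safe(const unsigned char *secret, size_t len)
{
    unsigned char key[32];
    unsigned acc = 0;
    size_t i;

    if (len > sizeof key)
        len = sizeof key;
    memcpy(key, secret, len);
    for (i = 0; i < len; i++)
        acc = acc * 31u + key[i];
    secure_zero(key, sizeof key);
    return acc;
}

/* Returns 1 if every byte of buf is zero, 0 otherwise. */
int is_all_zero(const unsigned char *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}

/* Fills a buffer with constructed non-zero data, wipes it with secure_zero()
 * and reports whether the wipe took effect (1 = wiped). */
int demo_secure_zero(void)
{
    unsigned char buf[16];
    memset(buf, 0xAB, sizeof buf);
    if (is_all_zero(buf, sizeof buf))
        return 0;                          /* sanity check: fill happened */
    secure_zero(buf, sizeof buf);
    return is_all_zero(buf, sizeof buf);
}

int main(void)
{
    const unsigned char secret[] = "abc";  /* constructed sample input */
    printf("naive=%u safe=%u wiped=%d\n",
           use_key_naive(secret, 3), use_key_safe(secret, 3), demo_secure_zero());
    return 0;
}
```

A check that verifies the wipe after the call (as demo_secure_zero does) cannot show the optimization problem, because the later read keeps the store alive; the way to see the difference is to compile both use_key_* functions with optimization (for example `gcc -O2 -S`) and compare whether the erasing call survives. To take the explicit_bzero() path, build with `-DHAVE_EXPLICIT_BZERO` on a libc that provides it (glibc 2.25 and later, musl, OpenBSD, FreeBSD).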