[tor-commits] [tor/master] On win32, use SecureZeroMemory() to securely wipe buffers.

nickm at torproject.org nickm at torproject.org
Thu Jan 7 22:25:49 UTC 2016


commit fb373a9ef6f07229b20cf1176522c625cd5c0a4d
Author: rl1987 <rl1987 at sdf.lonestar.org>
Date:   Sun Jan 3 17:08:21 2016 +0100

    On win32, use SecureZeroMemory() to securely wipe buffers.
    
    (Also tweak the comments. -nickm)
---
 changes/feature17986 |    3 +++
 src/common/crypto.c  |   15 ++++++++++-----
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/changes/feature17986 b/changes/feature17986
new file mode 100644
index 0000000..ef82bd3
--- /dev/null
+++ b/changes/feature17986
@@ -0,0 +1,3 @@
+  o Minor features:
+    - Use SecureMemoryWipe() function to securely clean memory on
+      Windows. Implements feature 17986.
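Review bot: the changes entry names `SecureMemoryWipe()`, but the function the crypto.c hunk actually calls is `SecureZeroMemory()`, the Win32 API name; rename it here so the changelog matches the code, e.g. `- Use SecureZeroMemory() function to securely clean memory on`.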
diff --git a/src/common/crypto.c b/src/common/crypto.c
index e62cc0a..134e69a 100644
--- a/src/common/crypto.c
+++ b/src/common/crypto.c
@@ -2960,6 +2960,16 @@ memwipe(void *mem, uint8_t byte, size_t sz)
    * have this function call "memset".  A smart compiler could inline it, then
    * eliminate dead memsets, and declare itself to be clever. */
 
+#ifdef _WIN32
+  /* Here's what you do on windows. */
+  SecureZeroMemory(mem,sz);
+#elif defined(HAVE_EXPLICIT_BZERO)
+  /* The BSDs provide this. */
+  explicit_bzero(mem, sz);
+#elif defined(HAVE_MEMSET_S)
+  /* This is in the C99 standard. */
+  memset_s(mem, sz, 0, sz);
+#else
   /* This is a slow and ugly function from OpenSSL that fills 'mem' with junk
    * based on the pointer value, then uses that junk to update a global
    * variable.  It's an elaborate ruse to trick the compiler into not
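Review bot: the comment `/* This is in the C99 standard. */` on the memset_s branch is inaccurate; memset_s is an optional C11 Annex K (bounds-checking) interface and is not part of C99, so reword it before it misleads a future reader. Two smaller points on the same block: `SecureZeroMemory(mem,sz);` is missing the space after the comma that the neighbouring `explicit_bzero(mem, sz);` and `memset_s(mem, sz, 0, sz);` calls use, and the header that declares SecureZeroMemory on Windows is not visible in this hunk, so it is worth confirming crypto.c already includes it under `_WIN32` so the new branch compiles.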
@@ -2971,11 +2981,6 @@ memwipe(void *mem, uint8_t byte, size_t sz)
    * OPENSSL_cleanse() on most platforms, which ought to do the job.
    **/
 
-#ifdef HAVE_EXPLICIT_BZERO
-  explicit_bzero(mem, sz);
-#elif HAVE_MEMSET_S
-  memset_s( mem, sz, 0, sz );
-#else
   OPENSSL_cleanse(mem, sz);
 #endif
 
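Review bot: the surviving comment above `OPENSSL_cleanse(mem, sz);` still says Tor uses `OPENSSL_cleanse()` "on most platforms", which is no longer accurate once the Windows, explicit_bzero and memset_s branches all take precedence and OpenSSL is only the final fallback; update that sentence. The removal itself is correct: the old `#elif HAVE_MEMSET_S` tested the macro's value rather than whether it was defined, and the replacement block uses `defined(HAVE_MEMSET_S)` consistently.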