OPENSSL_cleanse should use memset_s #14

Closed
briansmith opened this issue Sep 14, 2015 · 6 comments

@briansmith
Owner

We should just use memset_s. If necessary, we can supply a default implementation of memset_s for platforms that don't provide it, if any. Alternatively, we can drop support for older versions of compilers that don't supply it.

```c
void OPENSSL_cleanse(void *ptr, size_t len) {
#if defined(OPENSSL_WINDOWS)
  SecureZeroMemory(ptr, len);
#else
  memset(ptr, 0, len);

#if !defined(OPENSSL_NO_ASM)
  /* As best as we can tell, this is sufficient to break any optimisations that
     might try to eliminate "superfluous" memsets. If there's an easy way to
     detect memset_s, it would be better to use that. */
  __asm__ __volatile__("" : : "r"(ptr) : "memory");
#endif  /* !OPENSSL_NO_ASM */
#endif  /* OPENSSL_WINDOWS */
}
```

@briansmith
Owner Author

See pyca/cryptography#7 and http://www.daemonology.net/blog/2014-09-05-erratum.html (especially the comments).

@briansmith
Owner Author

In particular, let's get rid of the nasty asm.

@briansmith
Owner Author

OpenSSL has some assembly language implementations we might be able to use. Also, Apple Clang (and GCC?) has memset_s.

See https://mta.openssl.org/pipermail/openssl-dev/2015-October/003264.html and that whole thread.

@briansmith
Owner Author

Closed in favor of briansmith/ring-ffi#3. See b76f52c. Basically, we'll move these kinds of defenses into ring-ffi as much as possible.

@noloader

> ... We should just use memset_s....

Sorry to poke around when not asked for...

You probably can't use memset_s to achieve your goals. I'm guessing your goals include wiping sensitive material from memory, portability across platforms and surviving optimization.

You can't use it because the Glibc folks refuse to provide it. Also see Issue 17879: Library is missing memset_s.

@briansmith
Owner Author

Thanks for the comment, @noloader. I am aware that glibc doesn't provide it, but it is easy enough to add a polyfill in assembly language. Anyway, that's better discussed in briansmith/ring-ffi#3 now.
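
The trade-off discussed in this thread, as an added example that is not part of the issue and not code from ring or BoringSSL: a cleanse routine that uses `memset_s` where the C library advertises C11 Annex K and otherwise falls back to stores through a volatile pointer. The fallback is written in C rather than as the assembly polyfill mentioned above, and the `example_*` names are hypothetical.

```c
/* Request the Annex K declarations; must come before <string.h>. */
#define __STDC_WANT_LIB_EXT1__ 1
#include <stddef.h>
#include <string.h>

/* Hypothetical name; zeroes len bytes at ptr in a way meant to survive
   dead-store elimination. */
void example_cleanse(void *ptr, size_t len) {
  if (ptr == NULL || len == 0) {
    return;
  }
#if defined(__STDC_LIB_EXT1__)
  /* The library advertises Annex K: memset_s is specified so that its
     stores may not be optimised away. */
  (void)memset_s(ptr, len, 0, len);
#else
  /* No advertised memset_s (glibc, for instance): write each byte through
     a volatile-qualified lvalue, which GCC and Clang do not eliminate. */
  volatile unsigned char *p = (volatile unsigned char *)ptr;
  while (len--) {
    *p++ = 0;
  }
#endif
}

/* Returns 1 when every byte in [ptr, ptr + len) is zero, else 0. */
int example_is_zero(const void *ptr, size_t len) {
  const unsigned char *p = (const unsigned char *)ptr;
  unsigned char acc = 0;
  for (size_t i = 0; i < len; i++) {
    acc |= p[i];
  }
  return acc == 0;
}

/* Constructed demo: fill a stand-in key buffer, wipe it, report the result. */
int example_demo(void) {
  unsigned char key[32];
  memset(key, 0xA5, sizeof key);
  example_cleanse(key, sizeof key);
  return example_is_zero(key, sizeof key);
}
```

Reading the buffer back only shows that the bytes were zeroed; to confirm the stores survive optimisation in a function that never reads the buffer again, inspect the disassembly of an optimised build.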
