util: Introduce virsecureerase module

The module will provide functions for disposing secrets stored in
memory.

Note that for now it's implemented using memset, which is not really
secure.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 8138780237a0c882cffc8d48d1b033e27665abad..fa0c0887e9cdc45353da8b07a126358e13933117 100644 (file)
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -3175,6 +3175,10 @@ virSecretLookupFormatSecret;
 virSecretLookupParseSecret;
 
 
+# util/virsecureerase.h
+virSecureErase;
+
+
 # util/virsocket.h
 virSocketRecvFD;
 virSocketSendFD;

diff --git a/src/util/meson.build b/src/util/meson.build
index c077c5cc99f7bb61eb1cbdf3c97e5b01380f28b1..e89d32c33d9389becf89d53b63d5ca3b08c9f63b 100644 (file)
--- a/src/util/meson.build
+++ b/src/util/meson.build
@@ -86,6 +86,7 @@ util_sources = [
   'virscsivhost.c',
   'virseclabel.c',
   'virsecret.c',
+  'virsecureerase.c',
   'virsocket.c',
   'virsocketaddr.c',
   'virstoragefile.c',

diff --git a/src/util/virsecureerase.c b/src/util/virsecureerase.c
new file mode 100644 (file)
index 0000000..1dc3bb4
--- /dev/null
+++ b/src/util/virsecureerase.c
@@ -0,0 +1,44 @@
+/*
+ * virsecureerase.c: Secure clearing of memory
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include <config.h>
+
+#include "virsecureerase.h"
+
+/**
+ * virSecureErase:
+ * @ptr: pointer to memory to clear
+ * @size: size of memory to clear
+ *
+ * Clear @size bytes of memory at @ptr.
+ *
+ * Note that for now this is implemented using memset which is not secure as
+ * it can be optimized out.
+ *
+ * Also note that there are possible leftover direct uses of memset.
+ */
+void
+virSecureErase(void *ptr,
+               size_t size)
+{
+    if (!ptr || size == 0)
+        return;
+
+    memset(ptr, 0, size);
+}

diff --git a/src/util/virsecureerase.h b/src/util/virsecureerase.h
new file mode 100644 (file)
index 0000000..66d7e28
--- /dev/null
+++ b/src/util/virsecureerase.h
@@ -0,0 +1,25 @@
+/*
+ * virsecureerase.h: Secure clearing of memory
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#pragma once
+
+#include "internal.h"
+
+void
+virSecureErase(void *ptr, size_t size);