wolfcrypt/src/memory.c and wolfssl/wolfcrypt/memory.h: add WOLFSSL_API void wc_ForceZero().

2025-08-12 09:04:48 +02:00 · 2025-08-07 21:57:56 -05:00
parent a01d4c2d5f
commit a821e4cfa2
4 changed files with 41 additions and 1 deletions
--- a/.wolfssl_known_macro_extras
+++ b/.wolfssl_known_macro_extras
@@ -880,6 +880,7 @@ WOLFSSL_USER_MUTEX
 WOLFSSL_USER_THREADING
 WOLFSSL_USE_ESP32C3_CRYPT_HASH_HW
 WOLFSSL_USE_FLASHMEM
+WOLFSSL_USE_FORCE_ZERO
 WOLFSSL_USE_OPTIONS_H
 WOLFSSL_VALIDATE_DH_KEYGEN
 WOLFSSL_WC_LMS_SERIALIZE_STATE
--- a/wolfcrypt/src/memory.c
+++ b/wolfcrypt/src/memory.c
@@ -1660,6 +1660,40 @@ void __attribute__((no_instrument_function))
 }
 #endif

+#ifndef WOLFSSL_NO_FORCE_ZERO
+/* Exported version of ForceZero() that takes a size_t. */
+void wc_ForceZero(void *mem, size_t len)
+{
+    byte *zb = (byte *)mem;
+    unsigned long *zl;
+
+    XFENCE();
+
+    while ((wc_ptr_t)zb & (wc_ptr_t)(sizeof(unsigned long) - 1U)) {
+        if (len == 0)
+            return;
+        *zb++ = 0;
+        --len;
+    }
+
+    zl = (unsigned long *)zb;
+
+    while (len > sizeof(unsigned long)) {
+        *zl++ = 0;
+        len -= sizeof(unsigned long);
+    }
+
+    zb = (byte *)zl;
+
+    while (len) {
+        *zb++ = 0;
+        --len;
+    }
+
+    XFENCE();
+}
+#endif
+
 #ifdef WC_DEBUG_CIPHER_LIFECYCLE
 static const byte wc_debug_cipher_lifecycle_tag_value[] =
    { 'W', 'o', 'l', 'f' };
--- a/wolfssl/wolfcrypt/memory.h
+++ b/wolfssl/wolfcrypt/memory.h
@@ -342,6 +342,10 @@ WOLFSSL_LOCAL void wc_MemZero_Add(const char* name, const void* addr,
 WOLFSSL_LOCAL void wc_MemZero_Check(void* addr, size_t len);
 #endif

+#ifndef WOLFSSL_NO_FORCE_ZERO
+WOLFSSL_API void wc_ForceZero(void *mem, size_t len);
+#endif
+
 #ifdef WC_DEBUG_CIPHER_LIFECYCLE
 WOLFSSL_LOCAL int wc_debug_CipherLifecycleInit(void **CipherLifecycleTag,
                                               void *heap);
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -4038,7 +4038,8 @@ extern void uITRON4_free(void *p) ;
 #if defined(WOLFCRYPT_ONLY) && defined(NO_AES) && !defined(WOLFSSL_SHA384) && \
    !defined(WOLFSSL_SHA512) && defined(WC_NO_RNG) && \
    !defined(WOLFSSL_SP_MATH) && !defined(WOLFSSL_SP_MATH_ALL) \
-    && !defined(USE_FAST_MATH) && defined(NO_SHA256)
+    && !defined(USE_FAST_MATH) && defined(NO_SHA256) && \
+    !defined(WOLFSSL_USE_FORCE_ZERO)
    #undef  WOLFSSL_NO_FORCE_ZERO
    #define WOLFSSL_NO_FORCE_ZERO
 #endif