From: Paul Eggert <eggert@cs.ucla.edu>
To: emacs-devel@gnu.org
Subject: Re: GnuTLS and zeroing keys in Emacs
Date: Sun, 16 Jul 2017 16:53:20 -0700 [thread overview]
Message-ID: <c36dcdc1-87e0-98cb-d0fe-57aa86f05116@cs.ucla.edu> (raw)
In-Reply-To: <877ez9frug.fsf@lifelogs.com>
[-- Attachment #1: Type: text/plain, Size: 498 bytes --]
Ted Zlatanov wrote:
> the best way is to either use gnutls_memset() (available since only
> 3.4.0 in lib/safe-memfuncs.c) or to copy it.
These days glibc's explicit_bzero is a better way to go, as its implementation
should be more reliable than the 'volatile' trick used by gnutls_memset. So I
installed the attached patches into master: they either use explicit_bzero, or
copy it.
I'll file a bug report with the GnuTLS folks to suggest that they use
explicit_bzero if available.
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-Merge-from-gnulib.patch --]
[-- Type: text/x-patch; name="0001-Merge-from-gnulib.patch", Size: 8235 bytes --]
From 252444aaa3a7cb9fc70289a5a3920f8a9d848109 Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Sun, 16 Jul 2017 16:22:33 -0700
Subject: [PATCH 1/3] Merge from gnulib
This incorporates:
2017-07-16 explicit_bzero: new module
2017-07-15 getdtablesize: Add minimal support for OpenVMS.
* lib/getdtablesize.c, lib/string.in.h, m4/getdtablesize.m4:
* m4/string_h.m4:
Copy from Gnulib.
* lib/gnulib.mk.in: Regenerate.
---
lib/getdtablesize.c | 2 +-
lib/gnulib.mk.in | 6 +++++-
lib/string.in.h | 17 +++++++++++++++++
m4/getdtablesize.m4 | 54 +++++++++++++++++++++++++++++++++--------------------
m4/string_h.m4 | 2 ++
5 files changed, 59 insertions(+), 22 deletions(-)
diff --git a/lib/getdtablesize.c b/lib/getdtablesize.c
index c356cf4..a092863 100644
--- a/lib/getdtablesize.c
+++ b/lib/getdtablesize.c
@@ -1,4 +1,4 @@
-/* getdtablesize() function for platforms that don't have it.
+/* getdtablesize() function: Return maximum possible file descriptor value + 1.
Copyright (C) 2008-2017 Free Software Foundation, Inc.
Written by Bruno Haible <bruno@clisp.org>, 2008.
diff --git a/lib/gnulib.mk.in b/lib/gnulib.mk.in
index fd0f9e5..ae5ae87 100644
--- a/lib/gnulib.mk.in
+++ b/lib/gnulib.mk.in
@@ -125,6 +125,7 @@ GNULIB_DUP2 = @GNULIB_DUP2@
GNULIB_DUP3 = @GNULIB_DUP3@
GNULIB_ENVIRON = @GNULIB_ENVIRON@
GNULIB_EUIDACCESS = @GNULIB_EUIDACCESS@
+GNULIB_EXPLICIT_BZERO = @GNULIB_EXPLICIT_BZERO@
GNULIB_FACCESSAT = @GNULIB_FACCESSAT@
GNULIB_FCHDIR = @GNULIB_FCHDIR@
GNULIB_FCHMODAT = @GNULIB_FCHMODAT@
@@ -390,6 +391,7 @@ HAVE_DPRINTF = @HAVE_DPRINTF@
HAVE_DUP2 = @HAVE_DUP2@
HAVE_DUP3 = @HAVE_DUP3@
HAVE_EUIDACCESS = @HAVE_EUIDACCESS@
+HAVE_EXPLICIT_BZERO = @HAVE_EXPLICIT_BZERO@
HAVE_FACCESSAT = @HAVE_FACCESSAT@
HAVE_FCHDIR = @HAVE_FCHDIR@
HAVE_FCHMODAT = @HAVE_FCHMODAT@
@@ -2411,6 +2413,7 @@ string.h: string.in.h $(top_builddir)/config.status $(CXXDEFS_H) $(ARG_NONNULL_H
-e 's|@''PRAGMA_SYSTEM_HEADER''@|@PRAGMA_SYSTEM_HEADER@|g' \
-e 's|@''PRAGMA_COLUMNS''@|@PRAGMA_COLUMNS@|g' \
-e 's|@''NEXT_STRING_H''@|$(NEXT_STRING_H)|g' \
+ -e 's/@''GNULIB_EXPLICIT_BZERO''@/$(GNULIB_EXPLICIT_BZERO)/g' \
-e 's/@''GNULIB_FFSL''@/$(GNULIB_FFSL)/g' \
-e 's/@''GNULIB_FFSLL''@/$(GNULIB_FFSLL)/g' \
-e 's/@''GNULIB_MBSLEN''@/$(GNULIB_MBSLEN)/g' \
@@ -2449,7 +2452,8 @@ string.h: string.in.h $(top_builddir)/config.status $(CXXDEFS_H) $(ARG_NONNULL_H
-e 's/@''GNULIB_STRSIGNAL''@/$(GNULIB_STRSIGNAL)/g' \
-e 's/@''GNULIB_STRVERSCMP''@/$(GNULIB_STRVERSCMP)/g' \
< $(srcdir)/string.in.h | \
- sed -e 's|@''HAVE_FFSL''@|$(HAVE_FFSL)|g' \
+ sed -e 's|@''HAVE_EXPLICIT_BZERO''@|$(HAVE_EXPLICIT_BZERO)|g' \
+ -e 's|@''HAVE_FFSL''@|$(HAVE_FFSL)|g' \
-e 's|@''HAVE_FFSLL''@|$(HAVE_FFSLL)|g' \
-e 's|@''HAVE_MBSLEN''@|$(HAVE_MBSLEN)|g' \
-e 's|@''HAVE_MEMCHR''@|$(HAVE_MEMCHR)|g' \
diff --git a/lib/string.in.h b/lib/string.in.h
index 9a6b311..aaff563 100644
--- a/lib/string.in.h
+++ b/lib/string.in.h
@@ -74,6 +74,23 @@
/* The definition of _GL_WARN_ON_USE is copied here. */
+/* Clear a block of memory. The compiler will not delete a call to
+ this function, even if the block is dead after the call. */
+#if @GNULIB_EXPLICIT_BZERO@
+# if ! @HAVE_EXPLICIT_BZERO@
+_GL_FUNCDECL_SYS (explicit_bzero, void,
+ (void *__dest, size_t __n) _GL_ARG_NONNULL ((1)));
+# endif
+_GL_CXXALIAS_SYS (explicit_bzero, void, (void *__dest, size_t __n));
+_GL_CXXALIASWARN (explicit_bzero);
+#elif defined GNULIB_POSIXCHECK
+# undef explicit_bzero
+# if HAVE_RAW_DECL_EXPLICIT_BZERO
+_GL_WARN_ON_USE (explicit_bzero, "explicit_bzero is unportable - "
+ "use gnulib module explicit_bzero for portability");
+# endif
+#endif
+
/* Find the index of the least-significant set bit. */
#if @GNULIB_FFSL@
# if !@HAVE_FFSL@
diff --git a/m4/getdtablesize.m4 b/m4/getdtablesize.m4
index 1af2a24..f1e4f5f 100644
--- a/m4/getdtablesize.m4
+++ b/m4/getdtablesize.m4
@@ -1,4 +1,4 @@
-# getdtablesize.m4 serial 6
+# getdtablesize.m4 serial 7
dnl Copyright (C) 2008-2017 Free Software Foundation, Inc.
dnl This file is free software; the Free Software Foundation
dnl gives unlimited permission to copy and/or distribute it,
@@ -12,29 +12,43 @@ AC_DEFUN
AC_CHECK_DECLS_ONCE([getdtablesize])
if test $ac_cv_func_getdtablesize = yes &&
test $ac_cv_have_decl_getdtablesize = yes; then
- # Cygwin 1.7.25 automatically increases the RLIMIT_NOFILE soft limit
- # up to an unchangeable hard limit; all other platforms correctly
- # require setrlimit before getdtablesize() can report a larger value.
AC_CACHE_CHECK([whether getdtablesize works],
[gl_cv_func_getdtablesize_works],
- [AC_RUN_IFELSE([
- AC_LANG_PROGRAM([[#include <unistd.h>]],
- [int size = getdtablesize();
- if (dup2 (0, getdtablesize()) != -1)
- return 1;
- if (size != getdtablesize())
- return 2;
- ])],
- [gl_cv_func_getdtablesize_works=yes],
- [gl_cv_func_getdtablesize_works=no],
- [case "$host_os" in
- cygwin*) # on cygwin 1.5.25, getdtablesize() automatically grows
- gl_cv_func_getdtablesize_works="guessing no" ;;
- *) gl_cv_func_getdtablesize_works="guessing yes" ;;
- esac])
+ [dnl There are two concepts: the "maximum possible file descriptor value + 1"
+ dnl and the "maximum number of open file descriptors in a process".
+ dnl Per SUSv2 and POSIX, getdtablesize() should return the first one.
+ dnl On most platforms, the first and the second concept are the same.
+ dnl On OpenVMS, however, they are different and getdtablesize() returns
+ dnl the second one; thus the test below fails. But we don't care
+ dnl because there's no good way to write a replacement getdtablesize().
+ case "$host_os" in
+ vms*) gl_cv_func_getdtablesize_works="no (limitation)" ;;
+ *)
+ dnl Cygwin 1.7.25 automatically increases the RLIMIT_NOFILE soft
+ dnl limit up to an unchangeable hard limit; all other platforms
+ dnl correctly require setrlimit before getdtablesize() can report
+ dnl a larger value.
+ AC_RUN_IFELSE([
+ AC_LANG_PROGRAM([[#include <unistd.h>]],
+ [int size = getdtablesize();
+ if (dup2 (0, getdtablesize()) != -1)
+ return 1;
+ if (size != getdtablesize())
+ return 2;
+ ])],
+ [gl_cv_func_getdtablesize_works=yes],
+ [gl_cv_func_getdtablesize_works=no],
+ [case "$host_os" in
+ cygwin*) # on cygwin 1.5.25, getdtablesize() automatically grows
+ gl_cv_func_getdtablesize_works="guessing no" ;;
+ *) gl_cv_func_getdtablesize_works="guessing yes" ;;
+ esac
+ ])
+ ;;
+ esac
])
case "$gl_cv_func_getdtablesize_works" in
- *yes) ;;
+ *yes | "no (limitation)") ;;
*) REPLACE_GETDTABLESIZE=1 ;;
esac
else
diff --git a/m4/string_h.m4 b/m4/string_h.m4
index 3d2ad22..ac6311f 100644
--- a/m4/string_h.m4
+++ b/m4/string_h.m4
@@ -43,6 +43,7 @@ AC_DEFUN
AC_DEFUN([gl_HEADER_STRING_H_DEFAULTS],
[
+ GNULIB_EXPLICIT_BZERO=0; AC_SUBST([GNULIB_EXPLICIT_BZERO])
GNULIB_FFSL=0; AC_SUBST([GNULIB_FFSL])
GNULIB_FFSLL=0; AC_SUBST([GNULIB_FFSLL])
GNULIB_MEMCHR=0; AC_SUBST([GNULIB_MEMCHR])
@@ -82,6 +83,7 @@ AC_DEFUN
GNULIB_STRVERSCMP=0; AC_SUBST([GNULIB_STRVERSCMP])
HAVE_MBSLEN=0; AC_SUBST([HAVE_MBSLEN])
dnl Assume proper GNU behavior unless another module says otherwise.
+ HAVE_EXPLICIT_BZERO=1; AC_SUBST([HAVE_EXPLICIT_BZERO])
HAVE_FFSL=1; AC_SUBST([HAVE_FFSL])
HAVE_FFSLL=1; AC_SUBST([HAVE_FFSLL])
HAVE_MEMCHR=1; AC_SUBST([HAVE_MEMCHR])
--
2.7.4
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #3: 0002-Use-explicit_bzero-to-clear-GnuTLS-keys.patch --]
[-- Type: text/x-patch; name="0002-Use-explicit_bzero-to-clear-GnuTLS-keys.patch", Size: 10483 bytes --]
From 59f6972134f312863dc761bf66a954a8036d0d86 Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Sun, 16 Jul 2017 16:22:33 -0700
Subject: [PATCH 2/3] Use explicit_bzero to clear GnuTLS keys
* admin/merge-gnulib (GNULIB_MODULES): Add explicit_bzero.
* lib/explicit_bzero.c, m4/explicit_bzero.m4: New files.
* lib/gnulib.mk.in, m4/gnulib-comp.m4: Regenerate.
* src/gnutls.c (clear_storage): New function.
(gnutls_symmetric_aead): Use it instead of memset.
---
admin/merge-gnulib | 2 +-
lib/explicit_bzero.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
lib/gnulib.mk.in | 13 ++++++++++++-
m4/explicit_bzero.m4 | 22 ++++++++++++++++++++++
m4/gnulib-comp.m4 | 9 +++++++++
src/gnutls.c | 20 ++++++++++++++++++--
6 files changed, 110 insertions(+), 4 deletions(-)
create mode 100644 lib/explicit_bzero.c
create mode 100644 m4/explicit_bzero.m4
diff --git a/admin/merge-gnulib b/admin/merge-gnulib
index 85921ba..2b1a16a 100755
--- a/admin/merge-gnulib
+++ b/admin/merge-gnulib
@@ -30,7 +30,7 @@ GNULIB_MODULES=
careadlinkat close-stream
count-leading-zeros count-one-bits count-trailing-zeros
crypto/md5 crypto/sha1 crypto/sha256 crypto/sha512
- diffseq dtoastr dtotimespec dup2 environ execinfo faccessat
+ diffseq dtoastr dtotimespec dup2 environ execinfo explicit_bzero faccessat
fcntl fcntl-h fdatasync fdopendir
filemode filevercmp flexmember fstatat fsync
getloadavg getopt-gnu gettime gettimeofday gitlog-to-changelog
diff --git a/lib/explicit_bzero.c b/lib/explicit_bzero.c
new file mode 100644
index 0000000..262c68f
--- /dev/null
+++ b/lib/explicit_bzero.c
@@ -0,0 +1,48 @@
+/* Erasure of sensitive data, generic implementation.
+ Copyright (C) 2016-2017 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public
+ License as published by the Free Software Foundation; either
+ version 3 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+/* An assembler implementation of explicit_bzero can be created as an
+ assembler alias of an optimized bzero implementation.
+ Architecture-specific implementations also need to define
+ __explicit_bzero_chk. */
+
+#if !_LIBC
+# include <config.h>
+#endif
+
+#include <string.h>
+
+/* glibc-internal users use __explicit_bzero_chk, and explicit_bzero
+ redirects to that. */
+#undef explicit_bzero
+
+/* Set LEN bytes of S to 0. The compiler will not delete a call to
+ this function, even if S is dead after the call. */
+void
+explicit_bzero (void *s, size_t len)
+{
+#ifdef HAVE_EXPLICIT_MEMSET
+ explicit_memset (s, 0, len);
+#else
+ memset (s, '\0', len);
+# ifdef __GNUC__
+ /* Compiler barrier. */
+ asm volatile ("" ::: "memory");
+# endif
+#endif
+}
diff --git a/lib/gnulib.mk.in b/lib/gnulib.mk.in
index ae5ae87..e20487b 100644
--- a/lib/gnulib.mk.in
+++ b/lib/gnulib.mk.in
@@ -21,7 +21,7 @@
# the same distribution terms as the rest of that program.
#
# Generated by gnulib-tool.
-# Reproduce by: gnulib-tool --import --lib=libgnu --source-base=lib --m4-base=m4 --doc-base=doc --tests-base=tests --aux-dir=build-aux --avoid=close --avoid=dup --avoid=fchdir --avoid=fstat --avoid=malloc-posix --avoid=msvc-inval --avoid=msvc-nothrow --avoid=open --avoid=openat-die --avoid=opendir --avoid=raise --avoid=save-cwd --avoid=select --avoid=setenv --avoid=sigprocmask --avoid=stat --avoid=stdarg --avoid=stdbool --avoid=threadlib --avoid=tzset --avoid=unsetenv --avoid=utime --avoid=utime-h --gnu-make --makefile-name=gnulib.mk.in --conditional-dependencies --no-libtool --macro-prefix=gl --no-vc-files alloca-opt binary-io byteswap c-ctype c-strcase careadlinkat close-stream count-leading-zeros count-one-bits count-trailing-zeros crypto/md5 crypto/sha1 crypto/sha256 crypto/sha512 diffseq dtoastr dtotimespec dup2 environ execinfo faccessat fcntl fcntl-h fdatasync fdopendir filemode filevercmp flexmember fstatat fsync getloadavg getopt-gnu gettime gettimeofday gitlog-to-changelog ignore-value intprops largefile lstat manywarnings memrchr minmax mkostemp mktime pipe2 pselect pthread_sigmask putenv qcopy-acl readlink readlinkat sig2str socklen stat-time std-gnu11 stdalign stddef stdio stpcpy strftime strtoimax symlink sys_stat sys_time time time_r time_rz timegm timer-time timespec-add timespec-sub unlocked-io update-copyright utimens vla warnings
+# Reproduce by: gnulib-tool --import --lib=libgnu --source-base=lib --m4-base=m4 --doc-base=doc --tests-base=tests --aux-dir=build-aux --avoid=close --avoid=dup --avoid=fchdir --avoid=fstat --avoid=malloc-posix --avoid=msvc-inval --avoid=msvc-nothrow --avoid=open --avoid=openat-die --avoid=opendir --avoid=raise --avoid=save-cwd --avoid=select --avoid=setenv --avoid=sigprocmask --avoid=stat --avoid=stdarg --avoid=stdbool --avoid=threadlib --avoid=tzset --avoid=unsetenv --avoid=utime --avoid=utime-h --gnu-make --makefile-name=gnulib.mk.in --conditional-dependencies --no-libtool --macro-prefix=gl --no-vc-files alloca-opt binary-io byteswap c-ctype c-strcase careadlinkat close-stream count-leading-zeros count-one-bits count-trailing-zeros crypto/md5 crypto/sha1 crypto/sha256 crypto/sha512 diffseq dtoastr dtotimespec dup2 environ execinfo explicit_bzero faccessat fcntl fcntl-h fdatasync fdopendir filemode filevercmp flexmember fstatat fsync getloadavg getopt-gnu gettime gettimeofday gitlog-to-changelog ignore-value intprops largefile lstat manywarnings memrchr minmax mkostemp mktime pipe2 pselect pthread_sigmask putenv qcopy-acl readlink readlinkat sig2str socklen stat-time std-gnu11 stdalign stddef stdio stpcpy strftime strtoimax symlink sys_stat sys_time time time_r time_rz timegm timer-time timespec-add timespec-sub unlocked-io update-copyright utimens vla warnings
MOSTLYCLEANFILES += core *.stackdump
@@ -1358,6 +1358,17 @@ EXTRA_libgnu_a_SOURCES += execinfo.c
endif
## end gnulib module execinfo
+## begin gnulib module explicit_bzero
+ifeq (,$(OMIT_GNULIB_MODULE_explicit_bzero))
+
+
+EXTRA_DIST += explicit_bzero.c
+
+EXTRA_libgnu_a_SOURCES += explicit_bzero.c
+
+endif
+## end gnulib module explicit_bzero
+
## begin gnulib module faccessat
ifeq (,$(OMIT_GNULIB_MODULE_faccessat))
diff --git a/m4/explicit_bzero.m4 b/m4/explicit_bzero.m4
new file mode 100644
index 0000000..f9dc678
--- /dev/null
+++ b/m4/explicit_bzero.m4
@@ -0,0 +1,22 @@
+dnl Copyright 2017 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+
+AC_DEFUN([gl_FUNC_EXPLICIT_BZERO],
+[
+ AC_REQUIRE([gl_HEADER_STRING_H_DEFAULTS])
+
+ dnl Persuade glibc <string.h> to declare explicit_bzero.
+ AC_REQUIRE([AC_USE_SYSTEM_EXTENSIONS])
+
+ AC_CHECK_FUNCS_ONCE([explicit_bzero])
+ if test $ac_cv_func_explicit_bzero = no; then
+ HAVE_EXPLICIT_BZERO=0
+ fi
+])
+
+AC_DEFUN([gl_PREREQ_EXPLICIT_BZERO],
+[
+ AC_CHECK_FUNCS([explicit_memset])
+])
diff --git a/m4/gnulib-comp.m4 b/m4/gnulib-comp.m4
index 107645d..038d78a 100644
--- a/m4/gnulib-comp.m4
+++ b/m4/gnulib-comp.m4
@@ -72,6 +72,7 @@ AC_DEFUN
# Code from module errno:
# Code from module euidaccess:
# Code from module execinfo:
+ # Code from module explicit_bzero:
# Code from module extensions:
# Code from module extern-inline:
# Code from module faccessat:
@@ -210,6 +211,12 @@ AC_DEFUN
gl_UNISTD_MODULE_INDICATOR([environ])
gl_HEADER_ERRNO_H
gl_EXECINFO_H
+ gl_FUNC_EXPLICIT_BZERO
+ if test $HAVE_EXPLICIT_BZERO = 0; then
+ AC_LIBOBJ([explicit_bzero])
+ gl_PREREQ_EXPLICIT_BZERO
+ fi
+ gl_STRING_MODULE_INDICATOR([explicit_bzero])
AC_REQUIRE([gl_EXTERN_INLINE])
gl_FUNC_FACCESSAT
if test $HAVE_FACCESSAT = 0; then
@@ -837,6 +844,7 @@ AC_DEFUN
lib/euidaccess.c
lib/execinfo.c
lib/execinfo.in.h
+ lib/explicit_bzero.c
lib/faccessat.c
lib/fcntl.c
lib/fcntl.in.h
@@ -967,6 +975,7 @@ AC_DEFUN
m4/errno_h.m4
m4/euidaccess.m4
m4/execinfo.m4
+ m4/explicit_bzero.m4
m4/extensions.m4
m4/extern-inline.m4
m4/faccessat.m4
diff --git a/src/gnutls.c b/src/gnutls.c
index e6f01a9..7d19f90 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -1883,6 +1883,22 @@ The alist key is the cipher name. */)
return ciphers;
}
+/* Zero out STORAGE (even if it will become inaccessible. It has
+ STORAGE_LENGTH bytes. The goal is to improve security a bit, in
+ case an Emacs module or some buggy part of Emacs attempts to
+ inspect STORAGE later to retrieve a secret.
+
+ Calls to this function document when storage containing a secret is
+ known to go out of scope. This function is not guaranteed to erase
+ the secret, as copies of STORAGE may well be accessible elsewhere
+ on the machine. */
+
+static void
+clear_storage (void *storage, ptrdiff_t storage_length)
+{
+ explicit_bzero (storage, storage_length);
+}
+
static Lisp_Object
gnutls_symmetric_aead (bool encrypting, gnutls_cipher_algorithm_t gca,
Lisp_Object cipher,
@@ -1949,7 +1965,7 @@ gnutls_symmetric_aead (bool encrypting, gnutls_cipher_algorithm_t gca,
if (ret < GNUTLS_E_SUCCESS)
{
- memset (storage, 0, storage_length);
+ clear_storage (storage, storage_length);
SAFE_FREE ();
gnutls_aead_cipher_deinit (acipher);
if (encrypting)
@@ -1963,7 +1979,7 @@ gnutls_symmetric_aead (bool encrypting, gnutls_cipher_algorithm_t gca,
gnutls_aead_cipher_deinit (acipher);
Lisp_Object output = make_unibyte_string (storage, storage_length);
- memset (storage, 0, storage_length);
+ clear_storage (storage, storage_length);
SAFE_FREE ();
return list2 (output, actual_iv);
#else
--
2.7.4
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #4: 0003-Use-memset-not-bzero.patch --]
[-- Type: text/x-patch; name="0003-Use-memset-not-bzero.patch", Size: 1131 bytes --]
From b740b02d2311cb5a3dd61767f824f3bfa770184e Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Sun, 16 Jul 2017 16:22:33 -0700
Subject: [PATCH 3/3] Use memset, not bzero
* src/ftcrfont.c (ftcrfont_glyph_extents): Use memset instead
of the (less-portable) bzero.
---
src/ftcrfont.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/ftcrfont.c b/src/ftcrfont.c
index d720057..9b592e6 100644
--- a/src/ftcrfont.c
+++ b/src/ftcrfont.c
@@ -81,9 +81,9 @@ ftcrfont_glyph_extents (struct font *font,
ftcrfont_info->metrics =
xrealloc (ftcrfont_info->metrics,
sizeof (struct font_metrics *) * (row + 1));
- bzero (ftcrfont_info->metrics + ftcrfont_info->metrics_nrows,
- (sizeof (struct font_metrics *)
- * (row + 1 - ftcrfont_info->metrics_nrows)));
+ memset (ftcrfont_info->metrics + ftcrfont_info->metrics_nrows, 0,
+ (sizeof (struct font_metrics *)
+ * (row + 1 - ftcrfont_info->metrics_nrows)));
ftcrfont_info->metrics_nrows = row + 1;
}
if (ftcrfont_info->metrics[row] == NULL)
--
2.7.4
next prev parent reply other threads:[~2017-07-16 23:53 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-14 23:42 GnuTLS and zeroing keys in Emacs Paul Eggert
2017-07-15 19:00 ` Ted Zlatanov
2017-07-16 23:53 ` Paul Eggert [this message]
2017-07-17 13:52 ` Ted Zlatanov
2017-07-17 0:29 ` Paul Eggert
2017-07-17 14:07 ` Ted Zlatanov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c36dcdc1-87e0-98cb-d0fe-57aa86f05116@cs.ucla.edu \
--to=eggert@cs.ucla.edu \
--cc=emacs-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.