V597: introduce a rtl_secureZeroMemory

Change-Id: Id28046eb318cd3b2ed0b813fd266617547cf6ee2

9 files changed, 50 insertions, 18 deletions

diff --git a/comphelper/source/misc/docpasswordhelper.cxx b/comphelper/source/misc/docpasswordhelper.cxx
index fdcb8a02993a..217a75edd154 100644
--- a/comphelper/source/misc/docpasswordhelper.cxx
+++ b/comphelper/source/misc/docpasswordhelper.cxx
@@ -341,7 +341,7 @@ Sequence< sal_Int8 > DocPasswordHelper::GetXLHashAsSequence(
         rtl_digest_rawMD5 ( hDigest, reinterpret_cast<sal_uInt8*>(aResultKey.getArray()), aResultKey.getLength() );
 
         // Erase KeyData array and leave.
-        memset( pKeyData, 0, sizeof(pKeyData) );
+        rtl_secureZeroMemory (pKeyData, sizeof(pKeyData));
     }
 
     return aResultKey;
diff --git a/filter/source/msfilter/mscodec.cxx b/filter/source/msfilter/mscodec.cxx
index 77c572ee07fd..260d191568ec 100644
--- a/filter/source/msfilter/mscodec.cxx
+++ b/filter/source/msfilter/mscodec.cxx
@@ -373,8 +373,8 @@ bool MSCodec_Std97::VerifyKey (
         result = (memcmp (pBuffer, pDigest, sizeof(pDigest)) == 0);
 
         // Erase Buffer and Digest arrays.
-        (void)memset (pBuffer, 0, sizeof(pBuffer));
-        (void)memset (pDigest, 0, sizeof(pDigest));
+        rtl_secureZeroMemory (pBuffer, sizeof(pBuffer));
+        rtl_secureZeroMemory (pDigest, sizeof(pDigest));
     }
 
     return result;
@@ -412,7 +412,7 @@ bool MSCodec_Std97::InitCipher (sal_uInt32 nCounter)
         pKeyData, RTL_DIGEST_LENGTH_MD5, 0, 0);
 
     // Erase KeyData array and leave.
-    (void)memset (pKeyData, 0, sizeof(pKeyData));
+    rtl_secureZeroMemory (pKeyData, sizeof(pKeyData));
 
     return (result == rtl_Cipher_E_None);
 }
@@ -532,8 +532,8 @@ void MSCodec_Std97::GetEncryptKey (
         rtl_cipher_encode (
             m_hCipher, pDigest, 16, pSaltDigest, 16);
 
-        (void)memset (pBuffer, 0, sizeof(pBuffer));
-        (void)memset (pDigest, 0, sizeof(pDigest));
+        rtl_secureZeroMemory (pBuffer, sizeof(pBuffer));
+        rtl_secureZeroMemory (pDigest, sizeof(pDigest));
     }
 }
 
diff --git a/include/rtl/alloc.h b/include/rtl/alloc.h
index 835db155ac44..bd3190d5f8c1 100644
--- a/include/rtl/alloc.h
+++ b/include/rtl/alloc.h
@@ -71,7 +71,6 @@ SAL_DLLPUBLIC void SAL_CALL rtl_freeMemory (
     void * Ptr
 ) SAL_THROW_EXTERN_C();
 
-
 /** Allocate and zero memory.
 
     A call to this function will return NULL upon the requested
@@ -84,18 +83,32 @@ SAL_DLLPUBLIC void * SAL_CALL rtl_allocateZeroMemory (
     sal_Size Bytes
 ) SAL_THROW_EXTERN_C();
 
+/** Zero memory
+
+    Fills a block of memory with zeros in a way that is guaranteed to be secure
+
+    @param  Ptr   [in] pointer to previously allocated memory.
+    @param  Bytes [in] memory size.
+
+    @since LibreOffice 4.5
+ */
+SAL_DLLPUBLIC void SAL_CALL rtl_secureZeroMemory (
+    void *   Ptr,
+    sal_Size Bytes
+) SAL_THROW_EXTERN_C();
+
 
 /** Zero and free memory.
     @param  Ptr   [in] pointer to previously allocated memory.
     @param  Bytes [in] memory size.
-    @return none. Memory is zero'ed and released. Ptr is invalid.
+    @return none. Memory is zero'ed with rtl_secureZeroMemory and released. Ptr
+                  is invalid.
  */
 SAL_DLLPUBLIC void SAL_CALL rtl_freeZeroMemory (
     void *   Ptr,
     sal_Size Bytes
 ) SAL_THROW_EXTERN_C();
 
-
 /** Allocate aligned memory.
 
     A call to this function will return NULL upon the requested
diff --git a/oox/source/core/binarycodec.cxx b/oox/source/core/binarycodec.cxx
index 84d5c737bd1e..43eb3dca1dd5 100644
--- a/oox/source/core/binarycodec.cxx
+++ b/oox/source/core/binarycodec.cxx
@@ -347,8 +347,8 @@ bool BinaryCodec_RCF::verifyKey( const sal_uInt8 pnVerifier[ 16 ], const sal_uIn
     bool bResult = memcmp( pnBuffer, pnDigest, sizeof( pnDigest ) ) == 0;
 
     // erase buffer and digest arrays and leave
-    (void)memset( pnBuffer, 0, sizeof( pnBuffer ) );
-    (void)memset( pnDigest, 0, sizeof( pnDigest ) );
+    rtl_secureZeroMemory (pnBuffer, sizeof(pnBuffer));
+    rtl_secureZeroMemory (pnDigest, sizeof(pnDigest));
     return bResult;
 }
 
@@ -379,7 +379,7 @@ bool BinaryCodec_RCF::startBlock( sal_Int32 nCounter )
         rtl_cipher_init( mhCipher, rtl_Cipher_DirectionDecode, pnKeyData, RTL_DIGEST_LENGTH_MD5, 0, 0 );
 
     // rrase key data array and leave
-    (void)memset( pnKeyData, 0, sizeof( pnKeyData ) );
+    rtl_secureZeroMemory (pnKeyData, sizeof(pnKeyData));
     return eResult == rtl_Cipher_E_None;
 }
 
diff --git a/sal/rtl/alloc_cache.cxx b/sal/rtl/alloc_cache.cxx
index 5944043eebb3..578ce33f19ac 100644
--- a/sal/rtl/alloc_cache.cxx
+++ b/sal/rtl/alloc_cache.cxx
@@ -1314,6 +1314,15 @@ rtl_cache_wsupdate_fini();
 
 #if defined(SAL_UNX)
 
+void SAL_CALL
+rtl_secureZeroMemory (void *Ptr, sal_Size Bytes) SAL_THROW_EXTERN_C()
+{
+    //currently glibc doesn't implement memset_s
+    volatile char *p = reinterpret_cast<volatile char*>(Ptr);
+    while (Bytes--)
+        *p++ = 0;
+}
+
 #include <sys/time.h>
 
 static void *
@@ -1369,6 +1378,12 @@ rtl_cache_wsupdate_fini()
 
 #elif defined(SAL_W32)
 
+void SAL_CALL
+rtl_secureZeroMemory (void *Ptr, sal_Size Bytes) SAL_THROW_EXTERN_C()
+{
+    RtlSecureZeroMemory(Ptr, Bytes);
+}
+
 static DWORD WINAPI
 rtl_cache_wsupdate_all (void * arg);
 
diff --git a/sal/rtl/alloc_global.cxx b/sal/rtl/alloc_global.cxx
index 69313708e3e5..60dbc9c85b78 100644
--- a/sal/rtl/alloc_global.cxx
+++ b/sal/rtl/alloc_global.cxx
@@ -374,7 +374,7 @@ void SAL_CALL rtl_freeZeroMemory (void * p, sal_Size n) SAL_THROW_EXTERN_C()
 {
     if (p != 0)
     {
-        memset (p, 0, n);
+        rtl_secureZeroMemory (p, n);
         rtl_freeMemory (p);
     }
 }
diff --git a/sal/rtl/digest.cxx b/sal/rtl/digest.cxx
index 5aba0ea91b67..d8f4c7119142 100644
--- a/sal/rtl/digest.cxx
+++ b/sal/rtl/digest.cxx
@@ -2071,7 +2071,7 @@ static void __rtl_digest_updatePBKDF2 (
         for (k = 0; k < DIGEST_CBLOCK_PBKDF2; k++) T[k] ^= U[k];
     }
 
-    memset (U, 0, DIGEST_CBLOCK_PBKDF2);
+    rtl_secureZeroMemory (U, DIGEST_CBLOCK_PBKDF2);
 }
 
 /*========================================================================
@@ -2124,7 +2124,7 @@ rtlDigestError SAL_CALL rtl_digest_PBKDF2 (
 
         /* DK ||= T_(i) */
         memcpy (pKeyData, T, nKeyLen);
-        memset (T, 0, DIGEST_CBLOCK_PBKDF2);
+        rtl_secureZeroMemory (T, DIGEST_CBLOCK_PBKDF2);
     }
 
     memset (&digest, 0, sizeof (digest));
diff --git a/sal/util/sal.map b/sal/util/sal.map
index 6acd9c44470e..2a87243e4813 100644
--- a/sal/util/sal.map
+++ b/sal/util/sal.map
@@ -678,6 +678,11 @@ LIBO_UDK_4.3 { # symbols available in >= LibO 4.3
         osl_areCommandArgsSet;
 } LIBO_UDK_4.2;
 
+LIBO_UDK_4.5 { # symbols available in >= LibO 4.5
+    global:
+        rtl_secureZeroMemory;
+} LIBO_UDK_4.3;
+
 PRIVATE_1.0 {
     global:
         osl_detail_ObjectRegistry_storeAddresses;
diff --git a/vcl/source/gdi/pdfwriter_impl2.cxx b/vcl/source/gdi/pdfwriter_impl2.cxx
index 403d3e5b54aa..1bcd5cf5fe8c 100644
--- a/vcl/source/gdi/pdfwriter_impl2.cxx
+++ b/vcl/source/gdi/pdfwriter_impl2.cxx
@@ -1220,9 +1220,8 @@ uno::Reference< beans::XMaterialHolder > PDFWriterImpl::initEncryption( const OU
             xResult.clear();
 
         // trash temporary padded cleartext PWDs
-        memset( aPadOPW, 0, sizeof(aPadOPW) );
-        memset( aPadUPW, 0, sizeof(aPadUPW) );
-
+        rtl_secureZeroMemory (aPadOPW, sizeof(aPadOPW));
+        rtl_secureZeroMemory (aPadUPW, sizeof(aPadUPW));
     }
     return xResult;
 }