5 files changed, 99 insertions, 59 deletions
diff --git a/lib/explicit_bzero.c b/lib/explicit_bzero.c
index ad0bfd170ca..fc309f81d61 100644
--- a/lib/explicit_bzero.c
+++ b/lib/explicit_bzero.c
@@ -1,74 +1,27 @@
 /* Erasure of sensitive data, generic implementation.
   Copyright (C) 2016-2022 Free Software Foundation, Inc.
-   This file is part of the GNU C Library.
-   The GNU C Library is free software; you can redistribute it and/or
+   This file is free software: you can redistribute it and/or modify
-   modify it under the terms of the GNU Lesser General Public
+   it under the terms of the GNU Lesser General Public License as
-   License as published by the Free Software Foundation; either
+   published by the Free Software Foundation; either version 2.1 of the
-   version 2.1 of the License, or (at your option) any later version.
+   License, or (at your option) any later version.
-   The GNU C Library is distributed in the hope that it will be useful,
+   This file is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   Lesser General Public License for more details.
+   GNU Lesser General Public License for more details.
-   You should have received a copy of the GNU Lesser General Public
+   You should have received a copy of the GNU Lesser General Public License
-   License along with the GNU C Library; if not, see
+   along with this program.  If not, see <https://www.gnu.org/licenses/>.  */
-   <https://www.gnu.org/licenses/>.  */
-/* An assembler implementation of explicit_bzero can be created as an
+#include <config.h>
-   assembler alias of an optimized bzero implementation.
-   Architecture-specific implementations also need to define
-   __explicit_bzero_chk.  */
-#if !_LIBC
-# include <config.h>
-#endif
-/* memset_s need this define */
-#if HAVE_MEMSET_S
-# define __STDC_WANT_LIB_EXT1__ 1
-#endif
 #include <string.h>
-#if defined _WIN32 && !defined __CYGWIN__
-# define  WIN32_LEAN_AND_MEAN
-# include <windows.h>
-#endif
-#if _LIBC
-/* glibc-internal users use __explicit_bzero_chk, and explicit_bzero
-   redirects to that.  */
-# undef explicit_bzero
-#endif
 /* Set LEN bytes of S to 0.  The compiler will not delete a call to
   this function, even if S is dead after the call.  */
 void
 explicit_bzero (void *s, size_t len)
 {
-#if defined _WIN32 && !defined __CYGWIN__
+  memset_explicit (s, 0, len);
-  (void) SecureZeroMemory (s, len);
-#elif HAVE_EXPLICIT_MEMSET
-  explicit_memset (s, '\0', len);
-#elif HAVE_MEMSET_S
-  (void) memset_s (s, len, '\0', len);
-#elif defined __GNUC__ && !defined __clang__
-  memset (s, '\0', len);
-  /* Compiler barrier.  */
-  asm volatile ("" ::: "memory");
-#elif defined __clang__
-  memset (s, '\0', len);
-  /* Compiler barrier.  */
-  /* With asm ("" ::: "memory") LLVM analyzes uses of 's' and finds that the
-     whole thing is dead and eliminates it.  Use 'g' to work around this
-     problem.  See <https://bugs.llvm.org/show_bug.cgi?id=15495#c11>.  */
-  __asm__ volatile ("" : : "g"(s) : "memory");
-#else
-  /* Invoke memset through a volatile function pointer.  This defeats compiler
-     optimizations.  */
-  void * (* const volatile volatile_memset) (void *, int, size_t) = memset;
-  (void) volatile_memset (s, '\0', len);
-#endif
 }
diff --git a/lib/gnulib.mk.in b/lib/gnulib.mk.in
index 9af8fd0c579..a3ab50f396f 100644
--- a/lib/gnulib.mk.in
+++ b/lib/gnulib.mk.in
@@ -286,6 +286,7 @@ GL_COND_OBJ_LCHMOD_CONDITION = @GL_COND_OBJ_LCHMOD_CONDITION@
 GL_COND_OBJ_LSTAT_CONDITION = @GL_COND_OBJ_LSTAT_CONDITION@
 GL_COND_OBJ_MEMPCPY_CONDITION = @GL_COND_OBJ_MEMPCPY_CONDITION@
 GL_COND_OBJ_MEMRCHR_CONDITION = @GL_COND_OBJ_MEMRCHR_CONDITION@
+GL_COND_OBJ_MEMSET_EXPLICIT_CONDITION = @GL_COND_OBJ_MEMSET_EXPLICIT_CONDITION@
 GL_COND_OBJ_MINI_GMP_GNULIB_CONDITION = @GL_COND_OBJ_MINI_GMP_GNULIB_CONDITION@
 GL_COND_OBJ_MKOSTEMP_CONDITION = @GL_COND_OBJ_MKOSTEMP_CONDITION@
 GL_COND_OBJ_NANOSLEEP_CONDITION = @GL_COND_OBJ_NANOSLEEP_CONDITION@
@@ -485,6 +486,7 @@ GL_GNULIB_MEMCHR = @GL_GNULIB_MEMCHR@
 GL_GNULIB_MEMMEM = @GL_GNULIB_MEMMEM@
 GL_GNULIB_MEMPCPY = @GL_GNULIB_MEMPCPY@
 GL_GNULIB_MEMRCHR = @GL_GNULIB_MEMRCHR@
+GL_GNULIB_MEMSET_EXPLICIT = @GL_GNULIB_MEMSET_EXPLICIT@
 GL_GNULIB_MKDIR = @GL_GNULIB_MKDIR@
 GL_GNULIB_MKDIRAT = @GL_GNULIB_MKDIRAT@
 GL_GNULIB_MKDTEMP = @GL_GNULIB_MKDTEMP@
@@ -749,6 +751,7 @@ HAVE_MAX_ALIGN_T = @HAVE_MAX_ALIGN_T@
 HAVE_MBSLEN = @HAVE_MBSLEN@
 HAVE_MBTOWC = @HAVE_MBTOWC@
 HAVE_MEMPCPY = @HAVE_MEMPCPY@
+HAVE_MEMSET_EXPLICIT = @HAVE_MEMSET_EXPLICIT@
 HAVE_MKDIRAT = @HAVE_MKDIRAT@
 HAVE_MKDTEMP = @HAVE_MKDTEMP@
 HAVE_MKFIFO = @HAVE_MKFIFO@
@@ -2536,6 +2539,16 @@ endif
 endif
 ## end   gnulib module memrchr
+## begin gnulib module memset_explicit
+ifeq (,$(OMIT_GNULIB_MODULE_memset_explicit))
+ifneq (,$(GL_COND_OBJ_MEMSET_EXPLICIT_CONDITION))
+libgnu_a_SOURCES += memset_explicit.c
+endif
+endif
+## end   gnulib module memset_explicit
 ## begin gnulib module minmax
 ifeq (,$(OMIT_GNULIB_MODULE_minmax))
@@ -3362,6 +3375,7 @@ string.h: string.in.h $(top_builddir)/config.status $(CXXDEFS_H) $(ARG_NONNULL_H
              -e 's/@''GNULIB_MEMMEM''@/$(GL_GNULIB_MEMMEM)/g' \
              -e 's/@''GNULIB_MEMPCPY''@/$(GL_GNULIB_MEMPCPY)/g' \
              -e 's/@''GNULIB_MEMRCHR''@/$(GL_GNULIB_MEMRCHR)/g' \
+              -e 's/@''GNULIB_MEMSET_EXPLICIT''@/$(GL_GNULIB_MEMSET_EXPLICIT)/g' \
              -e 's/@''GNULIB_RAWMEMCHR''@/$(GL_GNULIB_RAWMEMCHR)/g' \
              -e 's/@''GNULIB_STPCPY''@/$(GL_GNULIB_STPCPY)/g' \
              -e 's/@''GNULIB_STPNCPY''@/$(GL_GNULIB_STPNCPY)/g' \
@@ -3393,6 +3407,7 @@ string.h: string.in.h $(top_builddir)/config.status $(CXXDEFS_H) $(ARG_NONNULL_H
              -e 's|@''HAVE_DECL_MEMMEM''@|$(HAVE_DECL_MEMMEM)|g' \
              -e 's|@''HAVE_MEMPCPY''@|$(HAVE_MEMPCPY)|g' \
              -e 's|@''HAVE_DECL_MEMRCHR''@|$(HAVE_DECL_MEMRCHR)|g' \
+              -e 's|@''HAVE_MEMSET_EXPLICIT''@|$(HAVE_MEMSET_EXPLICIT)|g' \
              -e 's|@''HAVE_RAWMEMCHR''@|$(HAVE_RAWMEMCHR)|g' \
              -e 's|@''HAVE_STPCPY''@|$(HAVE_STPCPY)|g' \
              -e 's|@''HAVE_STPNCPY''@|$(HAVE_STPNCPY)|g' \
diff --git a/lib/memset_explicit.c b/lib/memset_explicit.c
new file mode 100644
index 00000000000..eabeb3ec2b8
--- /dev/null
+++ b/lib/memset_explicit.c
@@ -0,0 +1,55 @@
+/* Erase sensitive data from memory.
+   Copyright 2022 Free Software Foundation, Inc.
+   This file is free software: you can redistribute it and/or modify
+   it under the terms of the GNU Lesser General Public License as
+   published by the Free Software Foundation; either version 2.1 of the
+   License, or (at your option) any later version.
+   This file is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU Lesser General Public License for more details.
+   You should have received a copy of the GNU Lesser General Public License
+   along with this program.  If not, see <https://www.gnu.org/licenses/>.  */
+#include <config.h>
+/* memset_s need this define */
+#if HAVE_MEMSET_S
+# define __STDC_WANT_LIB_EXT1__ 1
+#endif
+#include <string.h>
+/* Set S's bytes to C, where S has LEN bytes.  The compiler will not
+   optimize effects away, even if S is dead after the call.  */
+void *
+memset_explicit (void *s, int c, size_t len)
+{
+#if HAVE_EXPLICIT_MEMSET
+  return explicit_memset (s, c, len);
+#elif HAVE_MEMSET_S
+  (void) memset_s (s, len, c, len);
+  return s;
+#elif defined __GNUC__ && !defined __clang__
+  memset (s, c, len);
+  /* Compiler barrier.  */
+  __asm__ volatile ("" ::: "memory");
+  return s;
+#elif defined __clang__
+  memset (s, c, len);
+  /* Compiler barrier.  */
+  /* With asm ("" ::: "memory") LLVM analyzes uses of 's' and finds that the
+     whole thing is dead and eliminates it.  Use 'g' to work around this
+     problem.  See <https://bugs.llvm.org/show_bug.cgi?id=15495#c11>.  */
+  __asm__ volatile ("" : : "g"(s) : "memory");
+  return s;
+#else
+  /* Invoke memset through a volatile function pointer.  This defeats compiler
+     optimizations.  */
+  void * (* const volatile volatile_memset) (void *, int, size_t) = memset;
+  return volatile_memset (s, c, len);
+#endif
+}
diff --git a/lib/string.in.h b/lib/string.in.h
index e56f6db0c9c..21356914e21 100644
--- a/lib/string.in.h
+++ b/lib/string.in.h
@@ -347,6 +347,23 @@ _GL_WARN_ON_USE (memrchr, "memrchr is unportable - "
 # endif
 #endif
+/* Overwrite a block of memory.  The compiler will not optimize
+   effects away, even if the block is dead after the call.  */
+#if @GNULIB_MEMSET_EXPLICIT@
+# if ! @HAVE_MEMSET_EXPLICIT@
+_GL_FUNCDECL_SYS (memset_explicit, void *,
+                  (void *__dest, int __c, size_t __n) _GL_ARG_NONNULL ((1)));
+# endif
+_GL_CXXALIAS_SYS (memset_explicit, void *, (void *__dest, int __c, size_t __n));
+_GL_CXXALIASWARN (memset_explicit);
+#elif defined GNULIB_POSIXCHECK
+# undef memset_explicit
+# if HAVE_RAW_DECL_MEMSET_EXPLICIT
+_GL_WARN_ON_USE (memset_explicit, "memset_explicit is unportable - "
+                 "use gnulib module memset_explicit for portability");
+# endif
+#endif
 /* Find the first occurrence of C in S.  More efficient than
   memchr(S,C,N), at the expense of undefined behavior if C does not
   occur within N bytes.  */
diff --git a/lib/verify.h b/lib/verify.h
index 99af802993e..5225a8e616d 100644
--- a/lib/verify.h
+++ b/lib/verify.h
@@ -37,7 +37,7 @@
          && (4 < __GNUC__ + (6 <= __GNUC_MINOR__) || 5 <= __clang_major__)))
 #  define _GL_HAVE__STATIC_ASSERT 1
 # endif
-# if (202000 <= __STDC_VERSION__ \
+# if (202311 <= __STDC_VERSION__ \
      || (!defined __STRICT_ANSI__ && 9 <= __GNUC__))
 #  define _GL_HAVE__STATIC_ASSERT1 1
 # endif