[multiple] rename safe_memclear() -> ck_memzero()

src/Makefile.am

@@ -464,6 +464,7 @@ hdr = base64.h buffer.h burl.h network.h log.h http_kv.h keyvalue.h \
 	first.h http_chunk.h \
 	algo_hmac.h \
 	algo_md.h algo_md5.h algo_sha1.h algo_splaytree.h algo_xxhash.h \
+	ck.h \
 	http_auth.h http_cgi.h http_date.h \
 	http_header.h http_range.h http_vhostdb.h \
 	fdevent.h gw_backend.h connections.h base.h base_decls.h stat_cache.h \
@@ -477,7 +478,7 @@ hdr = base64.h buffer.h burl.h network.h log.h http_kv.h keyvalue.h \
 	sys-crypto.h sys-crypto-md.h \
 	sys-endian.h sys-mmap.h sys-socket.h sys-strings.h sys-time.h \
 	mod_cml.h mod_cml_funcs.h \
-	safe_memclear.h sock_addr.h status_counter.h \
+	sock_addr.h status_counter.h \
 	mod_magnet_cache.h \
 	ls-hpack/lshpack.h \
 	ls-hpack/lsxpack_header.h \

src/configfile.c

@@ -3,6 +3,7 @@
 #include "base.h"
 #include "burl.h"
 #include "chunk.h"
+#include "ck.h"
 #include "fdevent.h"
 #include "http_etag.h"
 #include "keyvalue.h"
@@ -11,7 +12,6 @@
 #include "configparser.h"
 #include "configfile.h"
 #include "plugin.h"
-#include "safe_memclear.h"
 #include "stat_cache.h"
 #include "sys-crypto.h"
 
@@ -2192,7 +2192,7 @@ static int config_parse_stdin(server *srv, config_t *context) {
         log_perror(srv->errh, __FILE__, __LINE__, "config read from stdin");
 
     if (dlen)
-        safe_memclear(b->ptr, dlen);
+        ck_memzero(b->ptr, dlen);
     chunk_buffer_release(b);
     return rc;
 }
@@ -2209,7 +2209,7 @@ static int config_parse_file_stream(server *srv, config_t *context, const char *
     int rc = 0;
     if (dlen) {
         rc = config_parse(srv, context, fn, data, (size_t)dlen);
-        safe_memclear(data, (size_t)dlen);
+        ck_memzero(data, (size_t)dlen);
     }
     free(data);
     return rc;

src/fdevent.c

@@ -1117,7 +1117,7 @@ int fdevent_set_so_reuseaddr (const int fd, const int opt)
 
 
 #include <sys/stat.h>
-#include "safe_memclear.h"
+#include "ck.h"
 __attribute_cold__ /*(convenience routine for use at config at startup)*/
 char *
 fdevent_load_file (const char * const fn, off_t *lim, log_error_st *errh, void *(malloc_fn)(size_t), void(free_fn)(void *))
@@ -1163,7 +1163,7 @@ fdevent_load_file (const char * const fn, off_t *lim, log_error_st *errh, void *
         log_perror(errh, __FILE__, __LINE__, "%s() %s", __func__, fn);
     if (fd >= 0) close(fd);
     if (buf) {
-        safe_memclear(buf, (size_t)sz);
+        ck_memzero(buf, (size_t)sz);
         free_fn(buf);
     }
     *lim = 0;
@@ -1199,7 +1199,7 @@ fdevent_load_file_bytes (char * const buf, const off_t sz, off_t off, const char
     if (errh)
         log_perror(errh, __FILE__, __LINE__, "%s() %s", __func__, fn);
     if (fd >= 0) close(fd);
-    safe_memclear(buf, (size_t)sz);
+    ck_memzero(buf, (size_t)sz);
     errno = errnum;
     return -1;
 }

src/mod_auth.c

@@ -12,7 +12,6 @@
 #include "http_auth.h"
 #include "http_header.h"
 #include "log.h"
-#include "safe_memclear.h"
 #include "algo_splaytree.h"
 
 /**
@@ -75,7 +74,7 @@ static void
 http_auth_cache_entry_free (void *data)
 {
     http_auth_cache_entry * const ae = data;
-    safe_memclear(ae->pwdigest, ae->dlen);
+    ck_memzero(ae->pwdigest, ae->dlen);
     free(ae);
 }
 
@@ -828,7 +827,7 @@ static handler_t mod_auth_check_basic(request_st * const r, void *p_d, const str
 		break;
 	}
 
-	safe_memclear(pw, pwlen);
+	ck_memzero(pw, pwlen);
 	buffer_free(username);
 	return rc;
 }
@@ -1474,7 +1473,7 @@ static handler_t mod_auth_check_digest(request_st * const r, void *p_d, const st
 	mod_auth_digest_mutate(&ai,m,uri,nonce,cnonce,nc,qop);
 
 	if (!ck_memeq_const_time_fixed_len(rdigest, ai.digest, ai.dlen)) {
-		/*safe_memclear(ai.digest, ai.dlen);*//* skip clear since mutated */
+		/*ck_memzero(ai.digest, ai.dlen);*//*skip clear since mutated*/
 		/* digest not ok */
 		log_error(r->conf.errh, __FILE__, __LINE__,
 		  "digest: auth failed for %s: wrong password, IP: %s",
@@ -1484,7 +1483,7 @@ static handler_t mod_auth_check_digest(request_st * const r, void *p_d, const st
 		buffer_free(b);
 		return mod_auth_send_401_unauthorized_digest(r, require, 0);
 	}
-	/*safe_memclear(ai.digest, ai.dlen);*//* skip clear since mutated */
+	/*ck_memzero(ai.digest, ai.dlen);*//* skip clear since mutated */
 
 	/* value is our allow-rules */
 	if (!http_auth_match_rules(require, username, NULL, NULL)) {

src/mod_authn_dbi.c

@@ -39,7 +39,6 @@
 #include <stdlib.h>
 
 #include "sys-crypto-md.h"
-#include "safe_memclear.h"
 #include "base.h"
 #include "ck.h"
 #include "http_auth.h"
@@ -337,7 +336,7 @@ mod_authn_crypt_cmp (const char *reqpw, const char *userpw, unsigned long userpw
     char *crypted = crypt(reqpw, userpw);
     size_t crypwlen = (NULL != crypted) ? strlen(crypted) : 0;
     int rc = (crypwlen == userpwlen) ? memcmp(crypted, userpw, crypwlen) : -1;
-    if (crypwlen) safe_memclear(crypted, crypwlen);
+    if (crypwlen) ck_memzero(crypted, crypwlen);
     return rc;
 
  #else
@@ -365,7 +364,7 @@ mod_authn_crypt_cmp (const char *reqpw, const char *userpw, unsigned long userpw
     size_t crypwlen = (NULL != crypted) ? strlen(crypted) : 0;
     int rc = (crypwlen == userpwlen) ? memcmp(crypted, userpw, crypwlen) : -1;
 
-    safe_memclear(crypted, crypwlen);
+    ck_memzero(crypted, crypwlen);
   #if defined(HAVE_CRYPT_R)
    #if 1 /* (must free() if allocated above) */
     free(crypt_tmp_data);

src/mod_authn_file.c

@@ -18,8 +18,6 @@
 
 #include "sys-crypto-md.h" /* USE_LIB_CRYPTO */
 
-#include "safe_memclear.h"
-
 #include "base.h"
 #include "ck.h"
 #include "plugin.h"
@@ -270,7 +268,7 @@ static int mod_authn_file_htdigest_get(request_st * const r, void *p_d, http_aut
     if (NULL == data) return -1;
 
     int rc = mod_authn_file_htdigest_get_loop(data, auth_fn, ai, r->conf.errh);
-    safe_memclear(data, (size_t)dlen);
+    ck_memzero(data, (size_t)dlen);
     free(data);
     return rc;
 }
@@ -296,7 +294,7 @@ static handler_t mod_authn_file_htdigest_basic(request_st * const r, void *p_d,
     if (mod_authn_file_htdigest_get(r, p_d, &ai)) return HANDLER_ERROR;
 
     if (ai.dlen > sizeof(htdigest)) {
-        safe_memclear(ai.digest, ai.dlen);
+        ck_memzero(ai.digest, ai.dlen);
         return HANDLER_ERROR;/*(should not happen)*/
     }
     memcpy(htdigest, ai.digest, ai.dlen); /*(save digest before reuse of ai)*/
@@ -306,8 +304,8 @@ static handler_t mod_authn_file_htdigest_basic(request_st * const r, void *p_d,
     int rc = (ck_memeq_const_time_fixed_len(htdigest, ai.digest, ai.dlen)
            && http_auth_match_rules(require, username->ptr, NULL, NULL));
 
-    safe_memclear(htdigest, ai.dlen);
-    safe_memclear(ai.digest, ai.dlen);
+    ck_memzero(htdigest, ai.dlen);
+    ck_memzero(ai.digest, ai.dlen);
     return rc ? HANDLER_GO_ON : HANDLER_ERROR;
 }
 
@@ -368,7 +366,7 @@ static int mod_authn_file_htpasswd_get(const buffer *auth_fn, const char *userna
         }
     } while (*n && *(f_user = n+1));
 
-    safe_memclear(data, (size_t)dlen);
+    ck_memzero(data, (size_t)dlen);
     free(data);
     return rc;
 }
@@ -383,7 +381,7 @@ static handler_t mod_authn_file_plain_digest(request_st * const r, void *p_d, ht
         /* generate password from plain-text */
         mod_authn_file_digest(ai, CONST_BUF_LEN(password_buf));
     }
-    safe_memclear(password_buf->ptr, password_buf->size);
+    ck_memzero(password_buf->ptr, password_buf->size);
     buffer_free(password_buf);
     return (0 == rc) ? HANDLER_GO_ON : HANDLER_ERROR;
 }
@@ -399,7 +397,7 @@ static handler_t mod_authn_file_plain_basic(request_st * const r, void *p_d, con
           ? 0
           : -1;
     }
-    safe_memclear(password_buf->ptr, password_buf->size);
+    ck_memzero(password_buf->ptr, password_buf->size);
     buffer_free(password_buf);
     return 0 == rc && http_auth_match_rules(require, username->ptr, NULL, NULL)
       ? HANDLER_GO_ON
@@ -587,7 +585,7 @@ static void apr_md5_encode(const char *pw, const char *salt, char *result, size_
     /*
      * Don't leave anything around in vm they could use.
      */
-    safe_memclear(final, sizeof(final));
+    ck_memzero(final, sizeof(final));
 
     /* FIXME
      */
@@ -713,7 +711,7 @@ static handler_t mod_authn_file_htpasswd_basic(request_st * const r, void *p_d,
         }
       #endif
     }
-    safe_memclear(password->ptr, password->size);
+    ck_memzero(password->ptr, password->size);
     buffer_free(password);
     return 0 == rc && http_auth_match_rules(require, username->ptr, NULL, NULL)
       ? HANDLER_GO_ON

src/mod_authn_mysql.c

@@ -34,7 +34,6 @@
 #include "http_auth.h"
 #include "log.h"
 #include "plugin.h"
-#include "safe_memclear.h"
 
 #include <stdlib.h>
 #include <string.h>
@@ -300,7 +299,7 @@ static int mod_authn_mysql_password_cmp(const char *userpw, unsigned long userpw
         char *crypted = crypt(reqpw, userpw);
         size_t crypwlen = (NULL != crypted) ? strlen(crypted) : 0;
         int rc = (crypwlen == userpwlen) ? memcmp(crypted, userpw, crypwlen) : -1;
-        if (crypwlen) safe_memclear(crypted, crypwlen);
+        if (crypwlen) ck_memzero(crypted, crypwlen);
         return rc;
     }
     else

src/mod_mbedtls.c

@@ -85,12 +85,12 @@
 #endif
 
 #include "base.h"
+#include "ck.h"
 #include "fdevent.h"
 #include "http_header.h"
 #include "http_kv.h"
 #include "log.h"
 #include "plugin.h"
-#include "safe_memclear.h"
 
 typedef struct {
     /* SNI per host: with COMP_SERVER_SOCKET, COMP_HTTP_SCHEME, COMP_HTTP_HOST */
@@ -817,7 +817,7 @@ mod_mbedtls_x509_crl_parse_file (mbedtls_x509_crl *chain, const char *fn)
 
     rc = mbedtls_x509_crl_parse(chain, (unsigned char *)data, (size_t)dlen+1);
 
-    if (dlen) safe_memclear(data, (size_t)dlen);
+    if (dlen) ck_memzero(data, (size_t)dlen);
     free(data);
 
     return rc;
@@ -890,7 +890,7 @@ mod_mbedtls_x509_crt_parse_acme (mbedtls_x509_crt *chain, const char *fn)
 
     mbedtls_pem_free(&pem);
 
-    if (dlen) safe_memclear(data, (size_t)dlen);
+    if (dlen) ck_memzero(data, (size_t)dlen);
     free(data);
 
     return rc;
@@ -909,7 +909,7 @@ mod_mbedtls_x509_crt_parse_file (mbedtls_x509_crt *chain, const char *fn)
 
     rc = mbedtls_x509_crt_parse(chain, (unsigned char *)data, (size_t)dlen+1);
 
-    if (dlen) safe_memclear(data, (size_t)dlen);
+    if (dlen) ck_memzero(data, (size_t)dlen);
     free(data);
 
     return rc;
@@ -928,7 +928,7 @@ mod_mbedtls_pk_parse_keyfile (mbedtls_pk_context *ctx, const char *fn, const cha
                               (const unsigned char *)pwd,
                               pwd ? strlen(pwd) : 0);
 
-    if (dlen) safe_memclear(data, (size_t)dlen);
+    if (dlen) ck_memzero(data, (size_t)dlen);
     free(data);
 
     return rc;

src/mod_nss.c

@@ -110,12 +110,12 @@
 #endif
 
 #include "base.h"
+#include "ck.h"
 #include "fdevent.h"
 #include "http_header.h"
 #include "http_kv.h"
 #include "log.h"
 #include "plugin.h"
-#include "safe_memclear.h"
 
 typedef struct {
     /* SNI per host: with COMP_SERVER_SOCKET, COMP_HTTP_SCHEME, COMP_HTTP_HOST */
@@ -358,8 +358,8 @@ mod_nss_secitem_wipe (SECItem * const d)
     /* safer than SECITEM_ZfreeItem() */
     if (NULL == d) return;
     if (d->data) {
-        if (d->len) safe_memclear(d->data, d->len); /*safer than PORT_Memset()*/
-        PORT_Free(d->data); /* safe_memclear() is safer than PORT_ZFree() */
+        if (d->len) ck_memzero(d->data, d->len); /*safer than PORT_Memset()*/
+        PORT_Free(d->data); /* ck_memzero() is safer than PORT_ZFree() */
         d->data = NULL;
     }
     d->len = 0;

src/mod_openssl.c

@@ -85,13 +85,13 @@
 #endif
 
 #include "base.h"
+#include "ck.h"
 #include "fdevent.h"
 #include "http_date.h"
 #include "http_header.h"
 #include "http_kv.h"
 #include "log.h"
 #include "plugin.h"
-#include "safe_memclear.h"
 
 typedef struct {
     /* SNI per host: with COMP_SERVER_SOCKET, COMP_HTTP_SCHEME, COMP_HTTP_HOST */
@@ -1279,7 +1279,7 @@ mod_openssl_load_pem_file (const char *file, log_error_st *errh, STACK_OF(X509)
     if (NULL == in) {
         log_error(errh, __FILE__, __LINE__,
           "SSL: BIO_new/BIO_read_filename('%s') failed", file);
-        if (dlen) safe_memclear(data, dlen);
+        if (dlen) ck_memzero(data, dlen);
         free(data);
         return NULL;
     }
@@ -1295,7 +1295,7 @@ mod_openssl_load_pem_file (const char *file, log_error_st *errh, STACK_OF(X509)
     }
 
     BIO_free(in);
-    if (dlen) safe_memclear(data, dlen);
+    if (dlen) ck_memzero(data, dlen);
     free(data);
     return x;
 }
@@ -1313,7 +1313,7 @@ mod_openssl_evp_pkey_load_pem_file (const char *file, log_error_st *errh)
         x = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
         BIO_free(in);
     }
-    if (dlen) safe_memclear(data, dlen);
+    if (dlen) ck_memzero(data, dlen);
     free(data);
 
     if (NULL == in)

src/mod_wolfssl.c

@@ -93,7 +93,7 @@ WOLFSSL_API WOLFSSL_X509_NAME_ENTRY *wolfSSL_X509_NAME_get_entry(WOLFSSL_X509_NA
 #endif
 
 #if LIBWOLFSSL_VERSION_HEX < 0x04006000 || defined(WOLFSSL_NO_FORCE_ZERO)
-#define wolfSSL_OPENSSL_cleanse(x,sz) safe_memclear((x),(sz))
+#define wolfSSL_OPENSSL_cleanse(x,sz) ck_memzero((x),(sz))
 #endif
 
 #if LIBWOLFSSL_VERSION_HEX < 0x04002000 /*(exact version needed not checked)*/
@@ -103,12 +103,12 @@ WOLFSSL_API WOLFSSL_X509_NAME_ENTRY *wolfSSL_X509_NAME_get_entry(WOLFSSL_X509_NA
 #endif
 
 #include "base.h"
+#include "ck.h"
 #include "fdevent.h"
 #include "http_header.h"
 #include "http_kv.h"
 #include "log.h"
 #include "plugin.h"
-#include "safe_memclear.h"
 
 typedef struct {
     /* SNI per host: with COMP_SERVER_SOCKET, COMP_HTTP_SCHEME, COMP_HTTP_HOST */
@@ -692,7 +692,7 @@ mod_wolfssl_load_pem_file (const char *fn, log_error_st *errh, buffer ***chain)
             errno = EIO;
     } while (0);
 
-    if (dlen) safe_memclear(data, dlen);
+    if (dlen) ck_memzero(data, dlen);
     free(data);
 
     if (rc < 0) {
@@ -745,7 +745,7 @@ mod_wolfssl_evp_pkey_load_pem_file (const char *fn, log_error_st *errh)
         rc = 0;
     } while (0);
 
-    if (dlen) safe_memclear(data, dlen);
+    if (dlen) ck_memzero(data, dlen);
     free(data);
 
     if (rc < 0) {
@@ -775,7 +775,7 @@ mod_wolfssl_CTX_use_certificate_chain_file (WOLFSSL_CTX *ssl_ctx, const char *fn
                                                       (unsigned char *)data,
                                                       (long)dlen);
 
-    if (dlen) safe_memclear(data, dlen);
+    if (dlen) ck_memzero(data, dlen);
     free(data);
 
     if (rc == WOLFSSL_SUCCESS)
@@ -912,7 +912,7 @@ mod_wolfssl_load_cacrls (WOLFSSL_CTX *ssl_ctx, const buffer *ssl_ca_crl_file, se
     rc = wolfSSL_CTX_LoadCRLBuffer(ssl_ctx, (byte *)data, (long)dlen,
                                    WOLFSSL_FILETYPE_PEM);
 
-    if (dlen) safe_memclear(data, dlen);
+    if (dlen) ck_memzero(data, dlen);
     free(data);
 
     if (rc == WOLFSSL_SUCCESS)
@@ -941,7 +941,7 @@ mod_wolfssl_load_verify_locn (SSL_CTX *ssl_ctx, const buffer *b, server *srv)
     int rc = wolfSSL_CTX_load_verify_buffer(ssl_ctx, (unsigned char *)data,
                                             (long)dlen, WOLFSSL_FILETYPE_PEM);
 
-    if (dlen) safe_memclear(data, dlen);
+    if (dlen) ck_memzero(data, dlen);
     free(data);
 
     if (rc == WOLFSSL_SUCCESS)
@@ -2043,7 +2043,7 @@ network_init_ssl (server *srv, plugin_config_socket *s, plugin_data *p)
             if (0 == rc)
                   wolfSSL_CTX_SetTmpDH_buffer(s->ssl_ctx, (unsigned char *)data,
                                               (long)dlen, WOLFSSL_FILETYPE_PEM);
-            if (dlen) safe_memclear(data, dlen);
+            if (dlen) ck_memzero(data, dlen);
             free(data);
             if (rc < 0) {
                 log_error(srv->errh, __FILE__, __LINE__,

src/rand.c

@@ -8,8 +8,8 @@
 
 #include "rand.h"
 #include "buffer.h"
+#include "ck.h"
 #include "fdevent.h"
-#include "safe_memclear.h"
 
 #include <sys/types.h>
 #include <sys/stat.h>
@@ -496,5 +496,5 @@ void li_rand_cleanup (void)
     mbedtls_entropy_free(&entropy);
   #endif
   #endif
-    safe_memclear(xsubi, sizeof(xsubi));
+    ck_memzero(xsubi, sizeof(xsubi));
 }

src/safe_memclear.h

@@ -1,8 +0,0 @@
-#ifndef _SAFE_MEMCLEAR_H_
-#define _SAFE_MEMCLEAR_H_
-#include "first.h"
-
-#include "ck.h"
-#define safe_memclear ck_memzero
-
-#endif