Introduce polarssl_zeroize() instead of memset() for zeroization

ChangeLog

@@ -14,6 +14,8 @@ Features
 Changes
    * Add LINK_WITH_PTHREAD option in CMake for explicit linking that is
      required on some platforms (e.g. OpenBSD)
+   * Migrate zeroizing of data to polarssl_zeroize() instead of memset()
+     against unwanted compiler optimizations
 
 Bugfix
    * Fix in debug_print_msg()

library/aes.c

@@ -53,6 +53,11 @@
 
 #if !defined(POLARSSL_AES_ALT)
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 /*
  * 32-bit integer manipulation macros (little endian)
  */
@@ -633,7 +638,7 @@ int aes_setkey_dec( aes_context *ctx, const unsigned char *key,
 #if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
 done:
 #endif
-    memset( &cty, 0, sizeof( aes_context ) );
+    polarssl_zeroize( &cty, sizeof( aes_context ) );
 
     return( 0 );
 }

library/bignum.c

@@ -51,6 +51,11 @@
 
 #include <stdlib.h>
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 #define ciL    (sizeof(t_uint))         /* chars in limb  */
 #define biL    (ciL << 3)               /* bits  in limb  */
 #define biH    (ciL << 2)               /* half limb size */
@@ -84,7 +89,7 @@ void mpi_free( mpi *X )
 
     if( X->p != NULL )
     {
-        memset( X->p, 0, X->n * ciL );
+        polarssl_zeroize( X->p, X->n * ciL );
         polarssl_free( X->p );
     }
 
@@ -113,7 +118,7 @@ int mpi_grow( mpi *X, size_t nblimbs )
         if( X->p != NULL )
         {
             memcpy( p, X->p, X->n * ciL );
-            memset( X->p, 0, X->n * ciL );
+            polarssl_zeroize( X->p, X->n * ciL );
             polarssl_free( X->p );
         }
 
@@ -153,7 +158,7 @@ int mpi_shrink( mpi *X, size_t nblimbs )
     if( X->p != NULL )
     {
         memcpy( p, X->p, i * ciL );
-        memset( X->p, 0, X->n * ciL );
+        polarssl_zeroize( X->p, X->n * ciL );
         polarssl_free( X->p );
     }
 

library/camellia.c

@@ -47,6 +47,11 @@
 
 #if !defined(POLARSSL_CAMELLIA_ALT)
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 /*
  * 32-bit integer manipulation macros (big endian)
  */
@@ -463,7 +468,7 @@ int camellia_setkey_dec( camellia_context *ctx, const unsigned char *key,
     *RK++ = *SK++;
     *RK++ = *SK++;
 
-    memset( &cty, 0, sizeof( camellia_context ) );
+    polarssl_zeroize( &cty, sizeof( camellia_context ) );
 
     return( 0 );
 }

library/ccm.c

@@ -42,6 +42,11 @@
 
 #include "polarssl/ccm.h"
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 #define CCM_ENCRYPT 0
 #define CCM_DECRYPT 1
 
@@ -81,7 +86,7 @@ int ccm_init( ccm_context *ctx, cipher_id_t cipher,
 void ccm_free( ccm_context *ctx )
 {
     (void) cipher_free_ctx( &ctx->cipher_ctx );
-    memset( ctx, 0, sizeof( ccm_context ) );
+    polarssl_zeroize( ctx, sizeof( ccm_context ) );
 }
 
 /*
@@ -320,7 +325,7 @@ int ccm_auth_decrypt( ccm_context *ctx, size_t length,
 
     if( diff != 0 )
     {
-        memset( output, 0, length );
+        polarssl_zeroize( output, length );
         return( POLARSSL_ERR_CCM_AUTH_FAILED );
     }
 

library/cipher.c

@@ -57,6 +57,11 @@
 #define strcasecmp _stricmp
 #endif
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 static int supported_init = 0;
 
 const int *cipher_list( void )
@@ -152,6 +157,7 @@ int cipher_free_ctx( cipher_context_t *ctx )
         return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
 
     ctx->cipher_info->base->ctx_free_func( ctx->cipher_ctx );
+    polarssl_zeroize( ctx, sizeof(cipher_context_t) );
 
     return 0;
 }

library/cipher_wrap.c

@@ -74,6 +74,11 @@
 
 #include <stdlib.h>
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 #if defined(POLARSSL_GCM_C)
 /* shared by all GCM ciphers */
 static void *gcm_ctx_alloc( void )
@@ -187,6 +192,7 @@ static void * aes_ctx_alloc( void )
 
 static void aes_ctx_free( void *ctx )
 {
+    polarssl_zeroize( ctx, sizeof( aes_context ) );
     polarssl_free( ctx );
 }
 
@@ -540,6 +546,7 @@ static void * camellia_ctx_alloc( void )
 
 static void camellia_ctx_free( void *ctx )
 {
+    polarssl_zeroize( ctx, sizeof( camellia_context ) );
     polarssl_free( ctx );
 }
 
@@ -948,6 +955,13 @@ static void * des3_ctx_alloc( void )
 
 static void des_ctx_free( void *ctx )
 {
+    polarssl_zeroize( ctx, sizeof( des_context ) );
+    polarssl_free( ctx );
+}
+
+static void des3_ctx_free( void *ctx )
+{
+    polarssl_zeroize( ctx, sizeof( des3_context ) );
     polarssl_free( ctx );
 }
 
@@ -998,7 +1012,7 @@ const cipher_base_t des_ede_info = {
     des3_set2key_enc_wrap,
     des3_set2key_dec_wrap,
     des3_ctx_alloc,
-    des_ctx_free
+    des3_ctx_free
 };
 
 const cipher_info_t des_ede_ecb_info = {
@@ -1035,7 +1049,7 @@ const cipher_base_t des_ede3_info = {
     des3_set3key_enc_wrap,
     des3_set3key_dec_wrap,
     des3_ctx_alloc,
-    des_ctx_free
+    des3_ctx_free
 };
 
 const cipher_info_t des_ede3_ecb_info = {
@@ -1143,6 +1157,7 @@ static void * blowfish_ctx_alloc( void )
 
 static void blowfish_ctx_free( void *ctx )
 {
+    polarssl_zeroize( ctx, sizeof( blowfish_context ) );
     polarssl_free( ctx );
 }
 
@@ -1236,6 +1251,7 @@ static void * arc4_ctx_alloc( void )
 
 static void arc4_ctx_free( void *ctx )
 {
+    polarssl_zeroize( ctx, sizeof( arc4_context ) );
     polarssl_free( ctx );
 }
 

library/des.c

@@ -47,6 +47,11 @@
 
 #if !defined(POLARSSL_DES_ALT)
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 /*
  * 32-bit integer manipulation macros (big endian)
  */
@@ -519,7 +524,7 @@ int des3_set2key_enc( des3_context *ctx,
     uint32_t sk[96];
 
     des3_set2key( ctx->sk, sk, key );
-    memset( sk,  0, sizeof( sk ) );
+    polarssl_zeroize( sk,  sizeof( sk ) );
 
     return( 0 );
 }
@@ -533,7 +538,7 @@ int des3_set2key_dec( des3_context *ctx,
     uint32_t sk[96];
 
     des3_set2key( sk, ctx->sk, key );
-    memset( sk,  0, sizeof( sk ) );
+    polarssl_zeroize( sk,  sizeof( sk ) );
 
     return( 0 );
 }
@@ -570,7 +575,7 @@ int des3_set3key_enc( des3_context *ctx,
     uint32_t sk[96];
 
     des3_set3key( ctx->sk, sk, key );
-    memset( sk, 0, sizeof( sk ) );
+    polarssl_zeroize( sk,  sizeof( sk ) );
 
     return( 0 );
 }
@@ -584,7 +589,7 @@ int des3_set3key_dec( des3_context *ctx,
     uint32_t sk[96];
 
     des3_set3key( sk, ctx->sk, key );
-    memset( sk, 0, sizeof( sk ) );
+    polarssl_zeroize( sk,  sizeof( sk ) );
 
     return( 0 );
 }

library/dhm.c

@@ -55,6 +55,11 @@
 #define polarssl_free       free
 #endif
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 /*
  * helper to validate the mpi size and import it
  */
@@ -395,7 +400,7 @@ void dhm_free( dhm_context *ctx )
     mpi_free( &ctx->GX ); mpi_free( &ctx->X ); mpi_free( &ctx->G );
     mpi_free( &ctx->P );
 
-    memset( ctx, 0, sizeof( dhm_context ) );
+    polarssl_zeroize( ctx, sizeof( dhm_context ) );
 }
 
 #if defined(POLARSSL_ASN1_PARSE_C)
@@ -535,7 +540,7 @@ int dhm_parse_dhmfile( dhm_context *dhm, const char *path )
 
     ret = dhm_parse_dhm( dhm, buf, n );
 
-    memset( buf, 0, n + 1 );
+    polarssl_zeroize( buf, n + 1 );
     polarssl_free( buf );
 
     return( ret );

library/ecp.c

@@ -77,6 +77,11 @@
 #endif /* __ARMCC_VERSION */
 #endif /*_MSC_VER */
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 #if defined(POLARSSL_SELF_TEST)
 /*
  * Counts of point addition and doubling, and field multiplications.
@@ -344,7 +349,7 @@ void ecp_group_free( ecp_group *grp )
         polarssl_free( grp->T );
     }
 
-    memset( grp, 0, sizeof( ecp_group ) );
+    polarssl_zeroize( grp, sizeof( ecp_group ) );
 }
 
 /*

library/entropy.c

@@ -42,6 +42,11 @@
 #include "polarssl/havege.h"
 #endif
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 #define ENTROPY_MAX_LOOP    256     /**< Maximum amount to loop before error */
 
 void entropy_init( entropy_context *ctx )
@@ -78,7 +83,7 @@ void entropy_init( entropy_context *ctx )
 
 void entropy_free( entropy_context *ctx )
 {
-    ((void) ctx);
+    polarssl_zeroize( ctx, sizeof( entropy_context ) );
 #if defined(POLARSSL_THREADING_C)
     polarssl_mutex_free( &ctx->mutex );
 #endif

library/gcm.c

@@ -76,6 +76,11 @@
 }
 #endif
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 /*
  * Precompute small multiples of H, that is set
  *      HH[i] || HL[i] = H times i,
@@ -464,7 +469,7 @@ int gcm_auth_decrypt( gcm_context *ctx,
 
     if( diff != 0 )
     {
-        memset( output, 0, length );
+        polarssl_zeroize( output, length );
         return( POLARSSL_ERR_GCM_AUTH_FAILED );
     }
 
@@ -474,7 +479,7 @@ int gcm_auth_decrypt( gcm_context *ctx,
 void gcm_free( gcm_context *ctx )
 {
     (void) cipher_free_ctx( &ctx->cipher_ctx );
-    memset( ctx, 0, sizeof( gcm_context ) );
+    polarssl_zeroize( ctx, sizeof( gcm_context ) );
 }
 
 #if defined(POLARSSL_SELF_TEST) && defined(POLARSSL_AES_C)

library/hmac_drbg.c

@@ -49,6 +49,11 @@
 #define polarssl_printf printf
 #endif
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 /*
  * HMAC_DRBG update, using optional additional data (10.1.2.2)
  */
@@ -305,7 +310,7 @@ void hmac_drbg_free( hmac_drbg_context *ctx )
 
     md_free_ctx( &ctx->md_ctx );
 
-    memset( ctx, 0, sizeof( hmac_drbg_context ) );
+    polarssl_zeroize( ctx, sizeof( hmac_drbg_context ) );
 }
 
 #if defined(POLARSSL_FS_IO)

library/md.c

@@ -45,6 +45,11 @@
 #define strcasecmp  _stricmp
 #endif
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 static const int supported_digests[] = {
 
 #if defined(POLARSSL_MD2_C)
@@ -190,7 +195,8 @@ int md_free_ctx( md_context_t *ctx )
         return POLARSSL_ERR_MD_BAD_INPUT_DATA;
 
     ctx->md_info->ctx_free_func( ctx->md_ctx );
-    ctx->md_ctx = NULL;
+
+    polarssl_zeroize( ctx, sizeof( md_context_t ) );
 
     return 0;
 }

library/md2.c

@@ -49,6 +49,11 @@
 #define polarssl_printf printf
 #endif
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 #if !defined(POLARSSL_MD2_ALT)
 
 static const unsigned char PI_SUBST[256] =
@@ -188,7 +193,7 @@ void md2( const unsigned char *input, size_t ilen, unsigned char output[16] )
     md2_update( &ctx, input, ilen );
     md2_finish( &ctx, output );
 
-    memset( &ctx, 0, sizeof( md2_context ) );
+    polarssl_zeroize( &ctx, sizeof( md2_context ) );
 }
 
 #if defined(POLARSSL_FS_IO)
@@ -212,7 +217,7 @@ int md2_file( const char *path, unsigned char output[16] )
 
     md2_finish( &ctx, output );
 
-    memset( &ctx, 0, sizeof( md2_context ) );
+    polarssl_zeroize( &ctx, sizeof( md2_context ) );
 
     if( ferror( f ) != 0 )
     {
@@ -253,7 +258,7 @@ void md2_hmac_starts( md2_context *ctx, const unsigned char *key,
     md2_starts( ctx );
     md2_update( ctx, ctx->ipad, 16 );
 
-    memset( sum, 0, sizeof( sum ) );
+    polarssl_zeroize( sum, sizeof( sum ) );
 }
 
 /*
@@ -278,7 +283,7 @@ void md2_hmac_finish( md2_context *ctx, unsigned char output[16] )
     md2_update( ctx, tmpbuf, 16 );
     md2_finish( ctx, output );
 
-    memset( tmpbuf, 0, sizeof( tmpbuf ) );
+    polarssl_zeroize( tmpbuf, sizeof( tmpbuf ) );
 }
 
 /*
@@ -303,7 +308,7 @@ void md2_hmac( const unsigned char *key, size_t keylen,
     md2_hmac_update( &ctx, input, ilen );
     md2_hmac_finish( &ctx, output );
 
-    memset( &ctx, 0, sizeof( md2_context ) );
+    polarssl_zeroize( &ctx, sizeof( md2_context ) );
 }
 
 #if defined(POLARSSL_SELF_TEST)

library/md4.c

@@ -49,6 +49,11 @@
 #define polarssl_printf printf
 #endif
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 #if !defined(POLARSSL_MD4_ALT)
 
 /*
@@ -284,7 +289,7 @@ void md4( const unsigned char *input, size_t ilen, unsigned char output[16] )
     md4_update( &ctx, input, ilen );
     md4_finish( &ctx, output );
 
-    memset( &ctx, 0, sizeof( md4_context ) );
+    polarssl_zeroize( &ctx, sizeof( md4_context ) );
 }
 
 #if defined(POLARSSL_FS_IO)
@@ -308,7 +313,7 @@ int md4_file( const char *path, unsigned char output[16] )
 
     md4_finish( &ctx, output );
 
-    memset( &ctx, 0, sizeof( md4_context ) );
+    polarssl_zeroize( &ctx, sizeof( md4_context ) );
 
     if( ferror( f ) != 0 )
     {
@@ -349,7 +354,7 @@ void md4_hmac_starts( md4_context *ctx, const unsigned char *key,
     md4_starts( ctx );
     md4_update( ctx, ctx->ipad, 64 );
 
-    memset( sum, 0, sizeof( sum ) );
+    polarssl_zeroize( sum, sizeof( sum ) );
 }
 
 /*
@@ -374,7 +379,7 @@ void md4_hmac_finish( md4_context *ctx, unsigned char output[16] )
     md4_update( ctx, tmpbuf, 16 );
     md4_finish( ctx, output );
 
-    memset( tmpbuf, 0, sizeof( tmpbuf ) );
+    polarssl_zeroize( tmpbuf, sizeof( tmpbuf ) );
 }
 
 /*
@@ -399,7 +404,7 @@ void md4_hmac( const unsigned char *key, size_t keylen,
     md4_hmac_update( &ctx, input, ilen );
     md4_hmac_finish( &ctx, output );
 
-    memset( &ctx, 0, sizeof( md4_context ) );
+    polarssl_zeroize( &ctx, sizeof( md4_context ) );
 }
 
 #if defined(POLARSSL_SELF_TEST)

library/md5.c

@@ -48,6 +48,11 @@
 #define polarssl_printf printf
 #endif
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 #if !defined(POLARSSL_MD5_ALT)
 
 /*
@@ -301,7 +306,7 @@ void md5( const unsigned char *input, size_t ilen, unsigned char output[16] )
     md5_update( &ctx, input, ilen );
     md5_finish( &ctx, output );
 
-    memset( &ctx, 0, sizeof( md5_context ) );
+    polarssl_zeroize( &ctx, sizeof( md5_context ) );
 }
 
 #if defined(POLARSSL_FS_IO)
@@ -325,7 +330,7 @@ int md5_file( const char *path, unsigned char output[16] )
 
     md5_finish( &ctx, output );
 
-    memset( &ctx, 0, sizeof( md5_context ) );
+    polarssl_zeroize( &ctx, sizeof( md5_context ) );
 
     if( ferror( f ) != 0 )
     {
@@ -366,7 +371,7 @@ void md5_hmac_starts( md5_context *ctx, const unsigned char *key,
     md5_starts( ctx );
     md5_update( ctx, ctx->ipad, 64 );
 
-    memset( sum, 0, sizeof( sum ) );
+    polarssl_zeroize( sum, sizeof( sum ) );
 }
 
 /*
@@ -391,7 +396,7 @@ void md5_hmac_finish( md5_context *ctx, unsigned char output[16] )
     md5_update( ctx, tmpbuf, 16 );
     md5_finish( ctx, output );
 
-    memset( tmpbuf, 0, sizeof( tmpbuf ) );
+    polarssl_zeroize( tmpbuf, sizeof( tmpbuf ) );
 }
 
 /*
@@ -416,7 +421,7 @@ void md5_hmac( const unsigned char *key, size_t keylen,
     md5_hmac_update( &ctx, input, ilen );
     md5_hmac_finish( &ctx, output );
 
-    memset( &ctx, 0, sizeof( md5_context ) );
+    polarssl_zeroize( &ctx, sizeof( md5_context ) );
 }
 
 #if defined(POLARSSL_SELF_TEST)

library/md_wrap.c

@@ -74,6 +74,11 @@
 
 #include <stdlib.h>
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 #if defined(POLARSSL_MD2_C)
 
 static void md2_starts_wrap( void *ctx )
@@ -132,6 +137,7 @@ static void * md2_ctx_alloc( void )
 
 static void md2_ctx_free( void *ctx )
 {
+    polarssl_zeroize( ctx, sizeof( md2_context ) );
     polarssl_free( ctx );
 }
 
@@ -221,6 +227,7 @@ static void *md4_ctx_alloc( void )
 
 static void md4_ctx_free( void *ctx )
 {
+    polarssl_zeroize( ctx, sizeof( md4_context ) );
     polarssl_free( ctx );
 }
 
@@ -308,6 +315,7 @@ static void * md5_ctx_alloc( void )
 
 static void md5_ctx_free( void *ctx )
 {
+    polarssl_zeroize( ctx, sizeof( md5_context ) );
     polarssl_free( ctx );
 }
 
@@ -395,6 +403,7 @@ static void * ripemd160_ctx_alloc( void )
 
 static void ripemd160_ctx_free( void *ctx )
 {
+    polarssl_zeroize( ctx, sizeof( ripemd160_context ) );
     polarssl_free( ctx );
 }
 
@@ -482,6 +491,7 @@ static void * sha1_ctx_alloc( void )
 
 static void sha1_ctx_free( void *ctx )
 {
+    polarssl_zeroize( ctx, sizeof( sha1_context ) );
     polarssl_free( ctx );
 }
 
@@ -585,6 +595,7 @@ static void * sha224_ctx_alloc( void )
 
 static void sha224_ctx_free( void *ctx )
 {
+    polarssl_zeroize( ctx, sizeof( sha256_context ) );
     polarssl_free( ctx );
 }
 
@@ -681,6 +692,7 @@ static void * sha256_ctx_alloc( void )
 
 static void sha256_ctx_free( void *ctx )
 {
+    polarssl_zeroize( ctx, sizeof( sha256_context ) );
     polarssl_free( ctx );
 }
 
@@ -781,6 +793,7 @@ static void * sha384_ctx_alloc( void )
 
 static void sha384_ctx_free( void *ctx )
 {
+    polarssl_zeroize( ctx, sizeof( sha512_context ) );
     polarssl_free( ctx );
 }
 
@@ -877,6 +890,7 @@ static void * sha512_ctx_alloc( void )
 
 static void sha512_ctx_free( void *ctx )
 {
+    polarssl_zeroize( ctx, sizeof( sha512_context ) );
     polarssl_free( ctx );
 }
 

library/memory_buffer_alloc.c

@@ -52,6 +52,11 @@
 #define polarssl_fprintf fprintf
 #endif
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 #define MAGIC1       0xFF00AA55
 #define MAGIC2       0xEE119966
 #define MAX_BT 20
@@ -578,7 +583,7 @@ void memory_buffer_alloc_free()
 #if defined(POLARSSL_THREADING_C)
     polarssl_mutex_free( &heap.mutex );
 #endif
-    memset( &heap, 0, sizeof(buffer_alloc_ctx) );
+    polarssl_zeroize( &heap, sizeof(buffer_alloc_ctx) );
 }
 
 #endif /* POLARSSL_MEMORY_BUFFER_ALLOC_C */

library/pem.c

@@ -46,6 +46,11 @@
 
 #include <stdlib.h>
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 #if defined(POLARSSL_PEM_PARSE_C)
 void pem_init( pem_context *ctx )
 {
@@ -99,8 +104,8 @@ static void pem_pbkdf1( unsigned char *key, size_t keylen,
     {
         memcpy( key, md5sum, keylen );
 
-        memset( &md5_ctx, 0, sizeof(  md5_ctx ) );
+        polarssl_zeroize( &md5_ctx, sizeof(  md5_ctx ) );
-        memset( md5sum, 0, 16 );
+        polarssl_zeroize( md5sum, 16 );
         return;
     }
 
@@ -121,8 +126,8 @@ static void pem_pbkdf1( unsigned char *key, size_t keylen,
 
     memcpy( key + 16, md5sum, use_len );
 
-    memset( &md5_ctx, 0, sizeof(  md5_ctx ) );
+    polarssl_zeroize( &md5_ctx, sizeof(  md5_ctx ) );
-    memset( md5sum, 0, 16 );
+    polarssl_zeroize( md5sum, 16 );
 }
 
 #if defined(POLARSSL_DES_C)
@@ -142,8 +147,8 @@ static void pem_des_decrypt( unsigned char des_iv[8],
     des_crypt_cbc( &des_ctx, DES_DECRYPT, buflen,
                      des_iv, buf, buf );
 
-    memset( &des_ctx, 0, sizeof( des_ctx ) );
+    polarssl_zeroize( &des_ctx, sizeof( des_ctx ) );
-    memset( des_key, 0, 8 );
+    polarssl_zeroize( des_key, 8 );
 }
 
 /*
@@ -162,8 +167,8 @@ static void pem_des3_decrypt( unsigned char des3_iv[8],
     des3_crypt_cbc( &des3_ctx, DES_DECRYPT, buflen,
                      des3_iv, buf, buf );
 
-    memset( &des3_ctx, 0, sizeof( des3_ctx ) );
+    polarssl_zeroize( &des3_ctx, sizeof( des3_ctx ) );
-    memset( des3_key, 0, 24 );
+    polarssl_zeroize( des3_key, 24 );
 }
 #endif /* POLARSSL_DES_C */
 
@@ -184,8 +189,8 @@ static void pem_aes_decrypt( unsigned char aes_iv[16], unsigned int keylen,
     aes_crypt_cbc( &aes_ctx, AES_DECRYPT, buflen,
                      aes_iv, buf, buf );
 
-    memset( &aes_ctx, 0, sizeof( aes_ctx ) );
+    polarssl_zeroize( &aes_ctx, sizeof( aes_ctx ) );
-    memset( aes_key, 0, keylen );
+    polarssl_zeroize( aes_key, keylen );
 }
 #endif /* POLARSSL_AES_C */
 
@@ -373,7 +378,7 @@ void pem_free( pem_context *ctx )
     polarssl_free( ctx->buf );
     polarssl_free( ctx->info );
 
-    memset( ctx, 0, sizeof( pem_context ) );
+    polarssl_zeroize( ctx, sizeof( pem_context ) );
 }
 #endif /* POLARSSL_PEM_PARSE_C */
 

library/pk.c

@@ -44,6 +44,11 @@
 #include "polarssl/ecdsa.h"
 #endif
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 /*
  * Initialise a pk_context
  */
@@ -65,9 +70,8 @@ void pk_free( pk_context *ctx )
         return;
 
     ctx->pk_info->ctx_free_func( ctx->pk_ctx );
-    ctx->pk_ctx = NULL;
 
-    ctx->pk_info = NULL;
+    polarssl_zeroize( ctx, sizeof( pk_context ) );
 }
 
 /*

library/pk_wrap.c

@@ -52,6 +52,11 @@
 #define polarssl_free       free
 #endif
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 #if defined(POLARSSL_RSA_C)
 static int rsa_can_do( pk_type_t type )
 {
@@ -426,6 +431,7 @@ static void *rsa_alt_alloc_wrap( void )
 
 static void rsa_alt_free_wrap( void *ctx )
 {
+    polarssl_zeroize( ctx, sizeof( rsa_alt_context ) );
     polarssl_free( ctx );
 }
 

library/pkparse.c

@@ -62,6 +62,11 @@
 #define polarssl_free       free
 #endif
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 #if defined(POLARSSL_FS_IO)
 /*
  * Load all data from a file into a given buffer.
@@ -124,7 +129,7 @@ int pk_parse_keyfile( pk_context *ctx,
         ret = pk_parse_key( ctx, buf, n,
                 (const unsigned char *) pwd, strlen( pwd ) );
 
-    memset( buf, 0, n + 1 );
+    polarssl_zeroize( buf, n + 1 );
     polarssl_free( buf );
 
     return( ret );
@@ -144,7 +149,7 @@ int pk_parse_public_keyfile( pk_context *ctx, const char *path )
 
     ret = pk_parse_public_key( ctx, buf, n );
 
-    memset( buf, 0, n + 1 );
+    polarssl_zeroize( buf, n + 1 );
     polarssl_free( buf );
 
     return( ret );

library/ripemd160.c

@@ -76,6 +76,11 @@
 }
 #endif
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 /*
  * RIPEMD-160 context setup
  */
@@ -363,7 +368,7 @@ void ripemd160( const unsigned char *input, size_t ilen,
     ripemd160_update( &ctx, input, ilen );
     ripemd160_finish( &ctx, output );
 
-    memset( &ctx, 0, sizeof( ripemd160_context ) );
+    polarssl_zeroize( &ctx, sizeof( ripemd160_context ) );
 }
 
 #if defined(POLARSSL_FS_IO)
@@ -387,7 +392,7 @@ int ripemd160_file( const char *path, unsigned char output[20] )
 
     ripemd160_finish( &ctx, output );
 
-    memset( &ctx, 0, sizeof( ripemd160_context ) );
+    polarssl_zeroize( &ctx, sizeof( ripemd160_context ) );
 
     if( ferror( f ) != 0 )
     {
@@ -428,7 +433,7 @@ void ripemd160_hmac_starts( ripemd160_context *ctx,
     ripemd160_starts( ctx );
     ripemd160_update( ctx, ctx->ipad, 64 );
 
-    memset( sum, 0, sizeof( sum ) );
+    polarssl_zeroize( sum, sizeof( sum ) );
 }
 
 /*
@@ -453,7 +458,7 @@ void ripemd160_hmac_finish( ripemd160_context *ctx, unsigned char output[20] )
     ripemd160_update( ctx, tmpbuf, 20 );
     ripemd160_finish( ctx, output );
 
-    memset( tmpbuf, 0, sizeof( tmpbuf ) );
+    polarssl_zeroize( tmpbuf, sizeof( tmpbuf ) );
 }
 
 /*
@@ -478,7 +483,7 @@ void ripemd160_hmac( const unsigned char *key, size_t keylen,
     ripemd160_hmac_update( &ctx, input, ilen );
     ripemd160_hmac_finish( &ctx, output );
 
-    memset( &ctx, 0, sizeof( ripemd160_context ) );
+    polarssl_zeroize( &ctx, sizeof( ripemd160_context ) );
 }
 
 

library/sha1.c

@@ -48,6 +48,11 @@
 #define polarssl_printf printf
 #endif
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 #if !defined(POLARSSL_SHA1_ALT)
 
 /*
@@ -334,7 +339,7 @@ void sha1( const unsigned char *input, size_t ilen, unsigned char output[20] )
     sha1_update( &ctx, input, ilen );
     sha1_finish( &ctx, output );
 
-    memset( &ctx, 0, sizeof( sha1_context ) );
+    polarssl_zeroize( &ctx, sizeof( sha1_context ) );
 }
 
 #if defined(POLARSSL_FS_IO)
@@ -358,7 +363,7 @@ int sha1_file( const char *path, unsigned char output[20] )
 
     sha1_finish( &ctx, output );
 
-    memset( &ctx, 0, sizeof( sha1_context ) );
+    polarssl_zeroize( &ctx, sizeof( sha1_context ) );
 
     if( ferror( f ) != 0 )
     {
@@ -399,7 +404,7 @@ void sha1_hmac_starts( sha1_context *ctx, const unsigned char *key,
     sha1_starts( ctx );
     sha1_update( ctx, ctx->ipad, 64 );
 
-    memset( sum, 0, sizeof( sum ) );
+    polarssl_zeroize( sum, sizeof( sum ) );
 }
 
 /*
@@ -424,7 +429,7 @@ void sha1_hmac_finish( sha1_context *ctx, unsigned char output[20] )
     sha1_update( ctx, tmpbuf, 20 );
     sha1_finish( ctx, output );
 
-    memset( tmpbuf, 0, sizeof( tmpbuf ) );
+    polarssl_zeroize( tmpbuf, sizeof( tmpbuf ) );
 }
 
 /*
@@ -449,7 +454,7 @@ void sha1_hmac( const unsigned char *key, size_t keylen,
     sha1_hmac_update( &ctx, input, ilen );
     sha1_hmac_finish( &ctx, output );
 
-    memset( &ctx, 0, sizeof( sha1_context ) );
+    polarssl_zeroize( &ctx, sizeof( sha1_context ) );
 }
 
 #if defined(POLARSSL_SELF_TEST)

library/sha256.c

@@ -48,6 +48,11 @@
 #define polarssl_printf printf
 #endif
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 #if !defined(POLARSSL_SHA256_ALT)
 
 /*
@@ -337,7 +342,7 @@ void sha256( const unsigned char *input, size_t ilen,
     sha256_update( &ctx, input, ilen );
     sha256_finish( &ctx, output );
 
-    memset( &ctx, 0, sizeof( sha256_context ) );
+    polarssl_zeroize( &ctx, sizeof( sha256_context ) );
 }
 
 #if defined(POLARSSL_FS_IO)
@@ -361,7 +366,7 @@ int sha256_file( const char *path, unsigned char output[32], int is224 )
 
     sha256_finish( &ctx, output );
 
-    memset( &ctx, 0, sizeof( sha256_context ) );
+    polarssl_zeroize( &ctx, sizeof( sha256_context ) );
 
     if( ferror( f ) != 0 )
     {
@@ -402,7 +407,7 @@ void sha256_hmac_starts( sha256_context *ctx, const unsigned char *key,
     sha256_starts( ctx, is224 );
     sha256_update( ctx, ctx->ipad, 64 );
 
-    memset( sum, 0, sizeof( sum ) );
+    polarssl_zeroize( sum, sizeof( sum ) );
 }
 
 /*
@@ -431,7 +436,7 @@ void sha256_hmac_finish( sha256_context *ctx, unsigned char output[32] )
     sha256_update( ctx, tmpbuf, hlen );
     sha256_finish( ctx, output );
 
-    memset( tmpbuf, 0, sizeof( tmpbuf ) );
+    polarssl_zeroize( tmpbuf, sizeof( tmpbuf ) );
 }
 
 /*
@@ -456,7 +461,7 @@ void sha256_hmac( const unsigned char *key, size_t keylen,
     sha256_hmac_update( &ctx, input, ilen );
     sha256_hmac_finish( &ctx, output );
 
-    memset( &ctx, 0, sizeof( sha256_context ) );
+    polarssl_zeroize( &ctx, sizeof( sha256_context ) );
 }
 
 #if defined(POLARSSL_SELF_TEST)

library/sha512.c

@@ -48,6 +48,11 @@
 #define polarssl_printf printf
 #endif
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 #if !defined(POLARSSL_SHA512_ALT)
 
 /*
@@ -335,7 +340,7 @@ void sha512( const unsigned char *input, size_t ilen,
     sha512_update( &ctx, input, ilen );
     sha512_finish( &ctx, output );
 
-    memset( &ctx, 0, sizeof( sha512_context ) );
+    polarssl_zeroize( &ctx, sizeof( sha512_context ) );
 }
 
 #if defined(POLARSSL_FS_IO)
@@ -359,7 +364,7 @@ int sha512_file( const char *path, unsigned char output[64], int is384 )
 
     sha512_finish( &ctx, output );
 
-    memset( &ctx, 0, sizeof( sha512_context ) );
+    polarssl_zeroize( &ctx, sizeof( sha512_context ) );
 
     if( ferror( f ) != 0 )
     {
@@ -400,7 +405,7 @@ void sha512_hmac_starts( sha512_context *ctx, const unsigned char *key,
     sha512_starts( ctx, is384 );
     sha512_update( ctx, ctx->ipad, 128 );
 
-    memset( sum, 0, sizeof( sum ) );
+    polarssl_zeroize( sum, sizeof( sum ) );
 }
 
 /*
@@ -429,7 +434,7 @@ void sha512_hmac_finish( sha512_context *ctx, unsigned char output[64] )
     sha512_update( ctx, tmpbuf, hlen );
     sha512_finish( ctx, output );
 
-    memset( tmpbuf, 0, sizeof( tmpbuf ) );
+    polarssl_zeroize( tmpbuf, sizeof( tmpbuf ) );
 }
 
 /*
@@ -454,7 +459,7 @@ void sha512_hmac( const unsigned char *key, size_t keylen,
     sha512_hmac_update( &ctx, input, ilen );
     sha512_hmac_finish( &ctx, output );
 
-    memset( &ctx, 0, sizeof( sha512_context ) );
+    polarssl_zeroize( &ctx, sizeof( sha512_context ) );
 }
 
 #if defined(POLARSSL_SELF_TEST)

library/ssl_cli.c

@@ -55,6 +55,13 @@ typedef UINT32 uint32_t;
 #include <time.h>
 #endif
 
+#if defined(POLARSSL_SSL_SESSION_TICKETS)
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+#endif
+
 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
 static void ssl_write_hostname_ext( ssl_context *ssl,
                                     unsigned char *buf,
@@ -2466,6 +2473,8 @@ static int ssl_parse_new_session_ticket( ssl_context *ssl )
     if( ticket_len == 0)
         return( 0 );
 
+    polarssl_zeroize( ssl->session_negotiate->ticket,
+                      ssl->session_negotiate->ticket_len );
     polarssl_free( ssl->session_negotiate->ticket );
     ssl->session_negotiate->ticket = NULL;
     ssl->session_negotiate->ticket_len = 0;

library/ssl_srv.c

@@ -52,6 +52,11 @@
 #endif
 
 #if defined(POLARSSL_SSL_SESSION_TICKETS)
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 /*
  * Serialize a session in the following format:
  *  0   .   n-1     session structure, n = sizeof(ssl_session)
@@ -337,7 +342,7 @@ static int ssl_parse_ticket( ssl_context *ssl,
 
     ssl_session_free( ssl->session_negotiate );
     memcpy( ssl->session_negotiate, &session, sizeof( ssl_session ) );
-    memset( &session, 0, sizeof( ssl_session ) );
+    polarssl_zeroize( &session, sizeof( ssl_session ) );
 
     return( 0 );
 }

library/ssl_tls.c

@@ -61,6 +61,11 @@
 #define strcasecmp _stricmp
 #endif
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
 /*
  * Convert max_fragment_length codes to length.
@@ -175,11 +180,11 @@ static int ssl3_prf( const unsigned char *secret, size_t slen,
         md5_finish( &md5, dstbuf + i * 16 );
     }
 
-    memset( &md5,  0, sizeof( md5  ) );
+    polarssl_zeroize( &md5,  sizeof( md5  ) );
-    memset( &sha1, 0, sizeof( sha1 ) );
+    polarssl_zeroize( &sha1, sizeof( sha1 ) );
 
-    memset( padding, 0, sizeof( padding ) );
+    polarssl_zeroize( padding, sizeof( padding ) );
-    memset( sha1sum, 0, sizeof( sha1sum ) );
+    polarssl_zeroize( sha1sum, sizeof( sha1sum ) );
 
     return( 0 );
 }
@@ -241,8 +246,8 @@ static int tls1_prf( const unsigned char *secret, size_t slen,
             dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
     }
 
-    memset( tmp, 0, sizeof( tmp ) );
+    polarssl_zeroize( tmp, sizeof( tmp ) );
-    memset( h_i, 0, sizeof( h_i ) );
+    polarssl_zeroize( h_i, sizeof( h_i ) );
 
     return( 0 );
 }
@@ -284,8 +289,8 @@ static int tls_prf_sha256( const unsigned char *secret, size_t slen,
             dstbuf[i + j]  = h_i[j];
     }
 
-    memset( tmp, 0, sizeof( tmp ) );
+    polarssl_zeroize( tmp, sizeof( tmp ) );
-    memset( h_i, 0, sizeof( h_i ) );
+    polarssl_zeroize( h_i, sizeof( h_i ) );
 
     return( 0 );
 }
@@ -326,8 +331,8 @@ static int tls_prf_sha384( const unsigned char *secret, size_t slen,
             dstbuf[i + j]  = h_i[j];
     }
 
-    memset( tmp, 0, sizeof( tmp ) );
+    polarssl_zeroize( tmp, sizeof( tmp ) );
-    memset( h_i, 0, sizeof( h_i ) );
+    polarssl_zeroize( h_i, sizeof( h_i ) );
 
     return( 0 );
 }
@@ -466,7 +471,7 @@ int ssl_derive_keys( ssl_context *ssl )
                             "master secret",
                             handshake->randbytes, 64, session->master, 48 );
 
-        memset( handshake->premaster, 0, sizeof( handshake->premaster ) );
+        polarssl_zeroize( handshake->premaster, sizeof(handshake->premaster) );
     }
     else
         SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
@@ -477,7 +482,7 @@ int ssl_derive_keys( ssl_context *ssl )
     memcpy( tmp, handshake->randbytes, 64 );
     memcpy( handshake->randbytes, tmp + 32, 32 );
     memcpy( handshake->randbytes + 32, tmp, 32 );
-    memset( tmp, 0, sizeof( tmp ) );
+    polarssl_zeroize( tmp, sizeof( tmp ) );
 
     /*
      *  SSLv3:
@@ -500,7 +505,7 @@ int ssl_derive_keys( ssl_context *ssl )
     SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
     SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
 
-    memset( handshake->randbytes, 0, sizeof( handshake->randbytes ) );
+    polarssl_zeroize( handshake->randbytes, sizeof( handshake->randbytes ) );
 
     /*
      * Determine the appropriate key, IV and MAC length.
@@ -699,7 +704,7 @@ int ssl_derive_keys( ssl_context *ssl )
     }
 #endif /* POLARSSL_CIPHER_MODE_CBC */
 
-    memset( keyblk, 0, sizeof( keyblk ) );
+    polarssl_zeroize( keyblk, sizeof( keyblk ) );
 
 #if defined(POLARSSL_ZLIB_SUPPORT)
     // Initialize compression
@@ -2846,12 +2851,12 @@ static void ssl_calc_finished_ssl(
 
     SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
 
-    memset(  &md5, 0, sizeof(  md5_context ) );
+    polarssl_zeroize(  &md5, sizeof(  md5_context ) );
-    memset( &sha1, 0, sizeof( sha1_context ) );
+    polarssl_zeroize( &sha1, sizeof( sha1_context ) );
 
-    memset(  padbuf, 0, sizeof(  padbuf ) );
+    polarssl_zeroize(  padbuf, sizeof(  padbuf ) );
-    memset(  md5sum, 0, sizeof(  md5sum ) );
+    polarssl_zeroize(  md5sum, sizeof(  md5sum ) );
-    memset( sha1sum, 0, sizeof( sha1sum ) );
+    polarssl_zeroize( sha1sum, sizeof( sha1sum ) );
 
     SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
 }
@@ -2904,10 +2909,10 @@ static void ssl_calc_finished_tls(
 
     SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
 
-    memset(  &md5, 0, sizeof(  md5_context ) );
+    polarssl_zeroize(  &md5, sizeof(  md5_context ) );
-    memset( &sha1, 0, sizeof( sha1_context ) );
+    polarssl_zeroize( &sha1, sizeof( sha1_context ) );
 
-    memset(  padbuf, 0, sizeof(  padbuf ) );
+    polarssl_zeroize(  padbuf, sizeof(  padbuf ) );
 
     SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
 }
@@ -2953,9 +2958,9 @@ static void ssl_calc_finished_tls_sha256(
 
     SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
 
-    memset( &sha256, 0, sizeof( sha256_context ) );
+    polarssl_zeroize( &sha256, sizeof( sha256_context ) );
 
-    memset(  padbuf, 0, sizeof(  padbuf ) );
+    polarssl_zeroize(  padbuf, sizeof(  padbuf ) );
 
     SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
 }
@@ -3000,9 +3005,9 @@ static void ssl_calc_finished_tls_sha384(
 
     SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
 
-    memset( &sha512, 0, sizeof( sha512_context ) );
+    polarssl_zeroize( &sha512, sizeof( sha512_context ) );
 
-    memset(  padbuf, 0, sizeof(  padbuf ) );
+    polarssl_zeroize(  padbuf, sizeof( padbuf ) );
 
     SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
 }
@@ -4402,7 +4407,7 @@ void ssl_transform_free( ssl_transform *transform )
     md_free_ctx( &transform->md_ctx_enc );
     md_free_ctx( &transform->md_ctx_dec );
 
-    memset( transform, 0, sizeof( ssl_transform ) );
+    polarssl_zeroize( transform, sizeof( ssl_transform ) );
 }
 
 #if defined(POLARSSL_X509_CRT_PARSE_C)
@@ -4459,7 +4464,7 @@ void ssl_handshake_free( ssl_handshake_params *handshake )
     }
 #endif /* POLARSSL_X509_CRT_PARSE_C && POLARSSL_SSL_SERVER_NAME_INDICATION */
 
-    memset( handshake, 0, sizeof( ssl_handshake_params ) );
+    polarssl_zeroize( handshake, sizeof( ssl_handshake_params ) );
 }
 
 void ssl_session_free( ssl_session *session )
@@ -4476,7 +4481,7 @@ void ssl_session_free( ssl_session *session )
     polarssl_free( session->ticket );
 #endif
 
-    memset( session, 0, sizeof( ssl_session ) );
+    polarssl_zeroize( session, sizeof( ssl_session ) );
 }
 
 /*
@@ -4488,20 +4493,20 @@ void ssl_free( ssl_context *ssl )
 
     if( ssl->out_ctr != NULL )
     {
-        memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
+        polarssl_zeroize( ssl->out_ctr, SSL_BUFFER_LEN );
         polarssl_free( ssl->out_ctr );
     }
 
     if( ssl->in_ctr != NULL )
     {
-        memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
+        polarssl_zeroize( ssl->in_ctr, SSL_BUFFER_LEN );
         polarssl_free( ssl->in_ctr );
     }
 
 #if defined(POLARSSL_ZLIB_SUPPORT)
     if( ssl->compress_buf != NULL )
     {
-        memset( ssl->compress_buf, 0, SSL_BUFFER_LEN );
+        polarssl_zeroize( ssl->compress_buf, SSL_BUFFER_LEN );
         polarssl_free( ssl->compress_buf );
     }
 #endif
@@ -4541,7 +4546,7 @@ void ssl_free( ssl_context *ssl )
 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
     if ( ssl->hostname != NULL )
     {
-        memset( ssl->hostname, 0, ssl->hostname_len );
+        polarssl_zeroize( ssl->hostname, ssl->hostname_len );
         polarssl_free( ssl->hostname );
         ssl->hostname_len = 0;
     }
@@ -4550,8 +4555,8 @@ void ssl_free( ssl_context *ssl )
 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
     if( ssl->psk != NULL )
     {
-        memset( ssl->psk, 0, ssl->psk_len );
+        polarssl_zeroize( ssl->psk, ssl->psk_len );
-        memset( ssl->psk_identity, 0, ssl->psk_identity_len );
+        polarssl_zeroize( ssl->psk_identity, ssl->psk_identity_len );
         polarssl_free( ssl->psk );
         polarssl_free( ssl->psk_identity );
         ssl->psk_len = 0;
@@ -4574,7 +4579,7 @@ void ssl_free( ssl_context *ssl )
     SSL_DEBUG_MSG( 2, ( "<= free" ) );
 
     /* Actually clear after last debug message */
-    memset( ssl, 0, sizeof( ssl_context ) );
+    polarssl_zeroize( ssl, sizeof( ssl_context ) );
 }
 
 #if defined(POLARSSL_PK_C)

library/x509_crl.c

@@ -68,6 +68,11 @@
 #include <stdio.h>
 #endif
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 /*
  *  Version  ::=  INTEGER  {  v1(0), v2(1)  }
  */
@@ -552,7 +557,7 @@ int x509_crl_parse_file( x509_crl *chain, const char *path )
 
     ret = x509_crl_parse( chain, buf, n );
 
-    memset( buf, 0, n + 1 );
+    polarssl_zeroize( buf, n + 1 );
     polarssl_free( buf );
 
     return( ret );
@@ -725,7 +730,7 @@ void x509_crl_free( x509_crl *crl )
         {
             name_prv = name_cur;
             name_cur = name_cur->next;
-            memset( name_prv, 0, sizeof( x509_name ) );
+            polarssl_zeroize( name_prv, sizeof( x509_name ) );
             polarssl_free( name_prv );
         }
 
@@ -734,13 +739,13 @@ void x509_crl_free( x509_crl *crl )
         {
             entry_prv = entry_cur;
             entry_cur = entry_cur->next;
-            memset( entry_prv, 0, sizeof( x509_crl_entry ) );
+            polarssl_zeroize( entry_prv, sizeof( x509_crl_entry ) );
             polarssl_free( entry_prv );
         }
 
         if( crl_cur->raw.p != NULL )
         {
-            memset( crl_cur->raw.p, 0, crl_cur->raw.len );
+            polarssl_zeroize( crl_cur->raw.p, crl_cur->raw.len );
             polarssl_free( crl_cur->raw.p );
         }
 
@@ -754,7 +759,7 @@ void x509_crl_free( x509_crl *crl )
         crl_prv = crl_cur;
         crl_cur = crl_cur->next;
 
-        memset( crl_prv, 0, sizeof( x509_crl ) );
+        polarssl_zeroize( crl_prv, sizeof( x509_crl ) );
         if( crl_prv != crl )
             polarssl_free( crl_prv );
     }

library/x509_crt.c

@@ -80,6 +80,11 @@
 #endif
 #endif
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 /*
  *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
  */
@@ -946,7 +951,7 @@ int x509_crt_parse_file( x509_crt *chain, const char *path )
 
     ret = x509_crt_parse( chain, buf, n );
 
-    memset( buf, 0, n + 1 );
+    polarssl_zeroize( buf, n + 1 );
     polarssl_free( buf );
 
     return( ret );
@@ -1930,7 +1935,7 @@ void x509_crt_free( x509_crt *crt )
         {
             name_prv = name_cur;
             name_cur = name_cur->next;
-            memset( name_prv, 0, sizeof( x509_name ) );
+            polarssl_zeroize( name_prv, sizeof( x509_name ) );
             polarssl_free( name_prv );
         }
 
@@ -1939,7 +1944,7 @@ void x509_crt_free( x509_crt *crt )
         {
             name_prv = name_cur;
             name_cur = name_cur->next;
-            memset( name_prv, 0, sizeof( x509_name ) );
+            polarssl_zeroize( name_prv, sizeof( x509_name ) );
             polarssl_free( name_prv );
         }
 
@@ -1948,7 +1953,7 @@ void x509_crt_free( x509_crt *crt )
         {
             seq_prv = seq_cur;
             seq_cur = seq_cur->next;
-            memset( seq_prv, 0, sizeof( x509_sequence ) );
+            polarssl_zeroize( seq_prv, sizeof( x509_sequence ) );
             polarssl_free( seq_prv );
         }
 
@@ -1957,13 +1962,13 @@ void x509_crt_free( x509_crt *crt )
         {
             seq_prv = seq_cur;
             seq_cur = seq_cur->next;
-            memset( seq_prv, 0, sizeof( x509_sequence ) );
+            polarssl_zeroize( seq_prv, sizeof( x509_sequence ) );
             polarssl_free( seq_prv );
         }
 
         if( cert_cur->raw.p != NULL )
         {
-            memset( cert_cur->raw.p, 0, cert_cur->raw.len );
+            polarssl_zeroize( cert_cur->raw.p, cert_cur->raw.len );
             polarssl_free( cert_cur->raw.p );
         }
 
@@ -1977,7 +1982,7 @@ void x509_crt_free( x509_crt *crt )
         cert_prv = cert_cur;
         cert_cur = cert_cur->next;
 
-        memset( cert_prv, 0, sizeof( x509_crt ) );
+        polarssl_zeroize( cert_prv, sizeof( x509_crt ) );
         if( cert_prv != crt )
             polarssl_free( cert_prv );
     }

library/x509_csr.c

@@ -62,6 +62,11 @@
 #include <stdio.h>
 #endif
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 /*
  *  Version  ::=  INTEGER  {  v1(0)  }
  */
@@ -295,7 +300,7 @@ int x509_csr_parse_file( x509_csr *csr, const char *path )
 
     ret = x509_csr_parse( csr, buf, n );
 
-    memset( buf, 0, n + 1 );
+    polarssl_zeroize( buf, n + 1 );
     polarssl_free( buf );
 
     return( ret );
@@ -429,17 +434,17 @@ void x509_csr_free( x509_csr *csr )
     {
         name_prv = name_cur;
         name_cur = name_cur->next;
-        memset( name_prv, 0, sizeof( x509_name ) );
+        polarssl_zeroize( name_prv, sizeof( x509_name ) );
         polarssl_free( name_prv );
     }
 
     if( csr->raw.p != NULL )
     {
-        memset( csr->raw.p, 0, csr->raw.len );
+        polarssl_zeroize( csr->raw.p, csr->raw.len );
         polarssl_free( csr->raw.p );
     }
 
-    memset( csr, 0, sizeof( x509_csr ) );
+    polarssl_zeroize( csr, sizeof( x509_csr ) );
 }
 
 #endif /* POLARSSL_X509_CSR_PARSE_C */

library/x509write_crt.c

@@ -46,6 +46,11 @@
 #include "polarssl/pem.h"
 #endif /* POLARSSL_PEM_WRITE_C */
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 void x509write_crt_init( x509write_cert *ctx )
 {
     memset( ctx, 0, sizeof(x509write_cert) );
@@ -62,7 +67,7 @@ void x509write_crt_free( x509write_cert *ctx )
     asn1_free_named_data_list( &ctx->issuer );
     asn1_free_named_data_list( &ctx->extensions );
 
-    memset( ctx, 0, sizeof(x509write_cert) );
+    polarssl_zeroize( ctx, sizeof(x509write_cert) );
 }
 
 void x509write_crt_set_version( x509write_cert *ctx, int version )

library/x509write_csr.c

@@ -47,6 +47,11 @@
 #include <string.h>
 #include <stdlib.h>
 
+/* Implementation that should never be optimized out by the compiler */
+static void polarssl_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
 void x509write_csr_init( x509write_csr *ctx )
 {
     memset( ctx, 0, sizeof(x509write_csr) );
@@ -57,7 +62,7 @@ void x509write_csr_free( x509write_csr *ctx )
     asn1_free_named_data_list( &ctx->subject );
     asn1_free_named_data_list( &ctx->extensions );
 
-    memset( ctx, 0, sizeof(x509write_csr) );
+    polarssl_zeroize( ctx, sizeof(x509write_csr) );
 }
 
 void x509write_csr_set_md_alg( x509write_csr *ctx, md_type_t md_alg )

tests/suites/test_suite_md.function

@@ -261,8 +261,6 @@ void md_hmac_multi( char *text_md_name, int trunc_size, char *hex_key_string,
 
     hexify( hash_str, output, md_get_size(md_info) );
     TEST_ASSERT( strncmp( (char *) hash_str, hex_hash_string, trunc_size * 2 ) == 0 );
-
-    TEST_ASSERT ( 0 == md_free_ctx( &ctx ) );
 }
 /* END_CASE */