Add unsafe_memzero/1

src/enacl.erl

@@ -92,7 +92,8 @@
 -export([
 	hash/1,
 	verify_16/2,
-	verify_32/2
+	verify_32/2,
+  unsafe_memzero/1
 ]).
 
 %% Libsodium specific functions (which are also part of the "undocumented" interface to NaCl
@@ -214,6 +215,17 @@ verify_16(_, _) -> error(badarg).
 verify_32(X, Y) when is_binary(X), is_binary(Y) -> enacl_nif:crypto_verify_32(X, Y);
 verify_32(_, _) -> error(badarg).
 
+%% @doc unsafe_memzero/1 ipmlements guaranteed zero'ing of binary data.
+%%
+%% <p><bold>WARNING:</bold> Take great care. This way be dragons.</p>
+%% <p>This is verify unsafe. If any copies of the binary have been made they are unaffected.
+%% This is intended for use with cryptographic keys where they are only shared within
+%% a running process without copies. This allows removing, eg, symmetric session keys. </p>
+%% @end
+-spec unsafe_memzero(binary()) -> atom().
+unsafe_memzero(X) when is_binary(X) -> enacl_nif:sodium_memzero(X);
+unsafe_memzero(_) -> error(badarg).
+
 %% Public Key Crypto
 %% ---------------------
 %% @doc box_keypair/0 creates a new Public/Secret keypair.

src/enacl_nif.erl

@@ -109,7 +109,8 @@
 	crypto_hash/1,
 	crypto_hash_b/1,
 	crypto_verify_16/2,
-	crypto_verify_32/2
+	crypto_verify_32/2,
+	sodium_memzero/1
 ]).
 
 %% Access to the RNG
@@ -220,6 +221,7 @@ crypto_hash(Input) when is_binary(Input) -> erlang:nif_error(nif_not_loaded).
 crypto_hash_b(Input) when is_binary(Input) -> erlang:nif_error(nif_not_loaded).
 crypto_verify_16(_X, _Y) -> erlang:nif_error(nif_not_loaded).
 crypto_verify_32(_X, _Y) -> erlang:nif_error(nif_not_loaded).
+sodium_memzero(Input) when is_binary(Input) -> erlang:nif_error(nif_not_loaded).
 
 randombytes(_RequestedSize) -> erlang:nif_error(nif_not_loaded).