chunk_cat/cata/create_cat/length accept the sensitive data clearing mode 's'

src/libstrongswan/chunk.c

@@ -72,6 +72,7 @@ size_t chunk_length(const char* mode, ...)
 		{
 			case 'm':
 			case 'c':
+			case 's':
 			{
 				chunk_t ch = va_arg(chunks, chunk_t);
 				length += ch.len;
@@ -97,25 +98,31 @@ chunk_t chunk_create_cat(u_char *ptr, const char* mode, ...)
 	va_start(chunks, mode);
 	while (TRUE)
 	{
-		bool free_chunk = FALSE;
+		bool free_chunk = FALSE, clear_chunk = FALSE;
+		chunk_t ch;
+		
 		switch (*mode++)
 		{
+			case 's':
+				clear_chunk = TRUE;
+				/* FALL */
 			case 'm':
-			{
 				free_chunk = TRUE;
-			}
+				/* FALL */
 			case 'c':
-			{
+				ch = va_arg(chunks, chunk_t);
-				chunk_t ch = va_arg(chunks, chunk_t);
 				memcpy(ptr, ch.ptr, ch.len); 
 				ptr += ch.len;
 				construct.len += ch.len;
-				if (free_chunk)
+				if (clear_chunk)
+				{
+					chunk_clear(&ch);
+				}
+				else if (free_chunk)
 				{
 					free(ch.ptr);
 				}
 				continue;
-			}
 			default:
 				break;
 		}

src/libstrongswan/chunk.h

@@ -69,9 +69,11 @@ chunk_t chunk_create_clone(u_char *ptr, chunk_t chunk);
 size_t chunk_length(const char *mode, ...);
 
 /**
- * Concatenate chunks into a chunk pointing to "ptr",
+ * Concatenate chunks into a chunk pointing to "ptr".
- * "mode" is a string of "c" (copy) and "m" (move), which says
+ *
- * how to handle the chunks in "..."
+ * The mode string specifies the number of chunks, and how to handle each of
+ * them with a single character: 'c' for copy (allocate new chunk), 'm' for move
+ * (free given chunk) or 's' for sensitive-move (clear given chunk, then free).
  */
 chunk_t chunk_create_cat(u_char *ptr, const char* mode, ...);