/*
mpi_second_cut 2 * Modified by No Such Labs. (C) 2015. See README.
mpi-genesis 3 *
mpi_second_cut 4 * This file was originally part of Gnu Privacy Guard (GPG), ver. 1.4.10,
mpi_second_cut 5 * SHA256(gnupg-1.4.10.tar.gz):
mpi_second_cut 6 * 0bfd74660a2f6cedcf7d8256db4a63c996ffebbcdc2cf54397bfb72878c5a85a
mpi_second_cut 7 * (C) 1994-2005 Free Software Foundation, Inc.
mpi-genesis 8 *
mpi_second_cut 9 * This program is free software: you can redistribute it and/or modify
mpi-genesis 10 * it under the terms of the GNU General Public License as published by
mpi_second_cut 11 * the Free Software Foundation, either version 3 of the License, or
mpi-genesis 12 * (at your option) any later version.
mpi-genesis 13 *
mpi_second_cut 14 * This program is distributed in the hope that it will be useful,
mpi-genesis 15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
mpi-genesis 16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
mpi-genesis 17 * GNU General Public License for more details.
mpi-genesis 18 *
mpi-genesis 19 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
mpi-genesis 21 */
mpi-genesis 22
mpi_second_cut 23 #include "knobs.h"
mpi_second_cut 24
#include <errno.h>
#include <limits.h>
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
mpi-genesis 31 #if defined(HAVE_MLOCK) || defined(HAVE_MMAP)
mpi-genesis 32 #include <sys/mman.h>
mpi-genesis 33 #include <sys/types.h>
mpi-genesis 34 #include <fcntl.h>
mpi-genesis 35 #ifdef USE_CAPABILITIES
mpi-genesis 36 #include <sys/capability.h>
mpi-genesis 37 #endif
mpi-genesis 38 #ifdef HAVE_PLOCK
mpi-genesis 39 #include <sys/lock.h>
mpi-genesis 40 #endif
mpi-genesis 41 #endif
mpi-genesis 42
mpi-genesis 43 #include "types.h"
mpi-genesis 44 #include "memory.h"
mpi-genesis 45 #include "util.h"
mpi-genesis 46
/* Declare getpagesize() ourselves when the system headers do not declare it. */
mpi-genesis 49 #if !HAVE_DECL_GETPAGESIZE
mpi-genesis 50 int getpagesize(void);
mpi-genesis 51 #endif
mpi-genesis 52
mpi-genesis 53 #if defined(MAP_ANON) && !defined(MAP_ANONYMOUS)
mpi-genesis 54 #define MAP_ANONYMOUS MAP_ANON
mpi-genesis 55 #endif
mpi-genesis 56
mpi-genesis 57 #if !defined(EPERM) && defined(ENOMEM)
mpi-genesis 58 #define EPERM ENOMEM
mpi-genesis 59 #endif
mpi-genesis 60
mpi-genesis 61
/* Minimum (and default) size of the secure pool in bytes; secmem_init()
   raises smaller requests to this value. */
#define DEFAULT_POOLSIZE 16384

/* Header that precedes every block handed out by secmem_malloc().  The
   payload starts at u.aligned.c; while a block sits on the free list the
   same union instead holds the link to the next unused block. */
typedef struct memblock_struct MEMBLOCK;
struct memblock_struct {
    unsigned size;                      /* total block size including this header (see secmem_malloc) */
    union {
        MEMBLOCK *next;                 /* next block while chained on unused_blocks */
        PROPERLY_ALIGNED_TYPE aligned;  /* forces payload alignment; presumably from types.h (not visible here) */
    } u;
};
mpi-genesis 72
mpi-genesis 73
mpi-genesis 74
static void *pool;                    /* start of the secure pool (mmap'ed or malloc'ed by init_pool) */
static volatile int pool_okay;        /* nonzero once init_pool() succeeded */
#ifdef HAVE_MMAP
static volatile int pool_is_mmapped;  /* pool came from mmap(), so secmem_term() must munmap it */
#endif
static size_t poolsize;               /* total size of the pool in bytes */
static size_t poollen;                /* bytes carved from the pool so far (bump pointer) */
static MEMBLOCK *unused_blocks;       /* singly linked list of freed blocks, reused first-fit */
static unsigned max_alloced;          /* high-water mark of cur_alloced */
static unsigned cur_alloced;          /* bytes currently allocated (block sizes, headers included) */
static unsigned max_blocks;           /* high-water mark of cur_blocks */
static unsigned cur_blocks;           /* number of blocks currently allocated */
static int disable_secmem;            /* set by secmem_init(0); init_pool() then refuses to run */
static int show_warning;              /* an "insecure memory" warning is pending (set by lock_pool) */
static int no_warning;                /* secmem flag bit 1: never print the warning */
static int suspend_warning;           /* secmem flag bit 2: defer the warning until the bit is cleared */
mpi-genesis 91
mpi-genesis 92
/* Emit the "insecure memory" warning unless the caller suppressed it
   via secmem_set_flags() bit 1 (no_warning). */
static void
print_warn(void)
{
    if (no_warning)
        return;
    log_info("WARNING: using insecure memory!\n");
}
mpi-genesis 101
mpi-genesis 102
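/* Try to lock the pool [p, p+n) into RAM so it is never swapped out.
   Failure is not fatal: it sets show_warning so that the next
   secmem_malloc() (or secmem_set_flags()) prints the "insecure memory"
   warning; only an unexpected error code is also logged.  Which
   strategy is used depends on the build:
     - USE_CAPABILITIES + HAVE_MLOCK: make CAP_IPC_LOCK effective just
       around the mlock() call, then leave it merely permitted again;
     - HAVE_MLOCK: mlock() (or plock() on HAVE_BROKEN_MLOCK systems) while
       still running with the effective uid of a setuid-root binary, then
       permanently drop root and verify that it is gone;
     - QNX / DOS-ish / Cygwin: no locking and no warning;
     - everything else: no locking, but tell the user.
   The saved error code `err` (not errno) is what the checks below look
   at: cap_set_proc() and the setuid()/getuid() calls that sit between the
   mlock() and the check may change errno in the meantime. */
static void
lock_pool(void *p, size_t n)
{
#if defined(USE_CAPABILITIES) && defined(HAVE_MLOCK)
    int err;

    cap_set_proc(cap_from_text("cap_ipc_lock+ep"));
    err = mlock(p, n);
    if (err && errno)
        err = errno;
    /* Give the capability up again right away; this may clobber errno. */
    cap_set_proc(cap_from_text("cap_ipc_lock+p"));

    if (err) {
        if (err != EPERM
#ifdef EAGAIN /* OpenBSD returns this */
            && err != EAGAIN
#endif
#ifdef ENOSYS /* Some SCOs return this (function not implemented) */
            && err != ENOSYS
#endif
#ifdef ENOMEM /* Linux can return this */
            && err != ENOMEM
#endif
            )
            log_error("can't lock memory: %s\n", strerror(err));
        show_warning = 1;
    }

#elif defined(HAVE_MLOCK)
    uid_t uid;
    int err;

    uid = getuid();

#ifdef HAVE_BROKEN_MLOCK
    /* mlock() cannot be used as is on this system: lock the data segment
       with plock() where available, otherwise only attempt mlock() when
       running as root. */
#ifdef HAVE_PLOCK
# ifdef _AIX
    /* On AIX plock() has the strange requirement to somehow set the stack
       limit first.  The problem might turn out in indeterministic program
       behaviour and hanging processes which can somehow be solved when
       enough processes are clogging up the memory.  To get this problem
       out of the way we simply don't try to lock the memory at all. */
    errno = EPERM;
    err = errno;
# else /* !_AIX */
    err = plock(DATLOCK);
    if (err && errno)
        err = errno;
# endif /*_AIX*/
#else /*!HAVE_PLOCK*/
    if (uid) {
        errno = EPERM;
        err = errno;
    }
    else {
        err = mlock(p, n);
        if (err && errno)
            err = errno;
    }
#endif /*!HAVE_PLOCK*/
#else
    err = mlock(p, n);
    if (err && errno)
        err = errno;
#endif

    if (uid && !geteuid()) {
        /* We ran setuid root only to be able to lock the pool; drop the
           privilege for good and verify that it really is gone.
           Note: setuid(0) should always fail afterwards. */
        if (setuid(uid) || getuid() != geteuid() || !setuid(0))
            log_fatal("failed to reset uid: %s\n", strerror(errno));
    }

    if (err) {
        /* Compare the saved code: the uid juggling above may have changed
           errno since the lock attempt. */
        if (err != EPERM
#ifdef EAGAIN /* OpenBSD returns this */
            && err != EAGAIN
#endif
#ifdef ENOSYS /* Some SCOs return this (function not implemented) */
            && err != ENOSYS
#endif
#ifdef ENOMEM /* Linux can return this */
            && err != ENOMEM
#endif
            )
            log_error("can't lock memory: %s\n", strerror(err));
        show_warning = 1;
    }

#elif defined(__QNX__)
    /* Locking memory on QNX does not make much sense.  However the pool
       is still of use because it wipes out the memory on a free().
       Therefore it is sufficient to suppress the warning. */
#elif defined(HAVE_DOSISH_SYSTEM) || defined(__CYGWIN__)
    /* No locking and no warning here either: the original note on this
       considers Windows and its user base inherently insecure. */
#else
    log_info("Please note that you don't have secure memory on this system\n");
#endif
}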
mpi-genesis 210
mpi-genesis 211
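/* Allocate the secure pool of (at least) n bytes and try to lock it.
   Under HAVE_MMAP the pool is mmap'ed (anonymous, or from /dev/zero on
   systems without MAP_ANONYMOUS) with its size rounded up to whole pages;
   if mmap() fails, or is not available, a plain malloc() is used instead
   and lock_pool() still tries to lock that.  Sets pool, poolsize, poollen,
   pool_okay and (under HAVE_MMAP) pool_is_mmapped.  Calls log_bug() if
   secmem_init(0) has disabled secure memory, and log_fatal() if even
   malloc() fails. */
static void
init_pool(size_t n)
{
    long int pgsize_val;
    size_t pgsize;

    poolsize = n;

    if (disable_secmem)
        log_bug("secure memory is disabled");

#if defined(HAVE_SYSCONF) && defined(_SC_PAGESIZE)
    pgsize_val = sysconf(_SC_PAGESIZE);
#elif defined(HAVE_GETPAGESIZE)
    pgsize_val = getpagesize();
#else
    pgsize_val = -1;
#endif
    /* Fall back to 4 KiB when the page size is unknown (-1) or bogus. */
    pgsize = pgsize_val > 0 ? (size_t)pgsize_val : 4096;

#ifdef HAVE_MMAP
    /* Round up to whole pages.  Divide-and-multiply instead of masking so
       the rounding stays correct even for a non-power-of-two page size. */
    poolsize = ((poolsize + pgsize - 1) / pgsize) * pgsize;
#ifdef MAP_ANONYMOUS
    pool = mmap(0, poolsize, PROT_READ | PROT_WRITE,
                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
#else /* map /dev/zero instead */
    {
        int fd = open("/dev/zero", O_RDWR);

        if (fd == -1) {
            log_error("can't open /dev/zero: %s\n", strerror(errno));
            pool = MAP_FAILED;
        }
        else {
            int saved_errno;

            pool = mmap(0, poolsize, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE, fd, 0);
            saved_errno = errno;   /* close() may clobber errno ... */
            close(fd);
            errno = saved_errno;   /* ... but the message below must report mmap()'s error */
        }
    }
#endif
    if (pool == MAP_FAILED)
        log_info("can't mmap pool of %u bytes: %s - using malloc\n",
                 (unsigned)poolsize, strerror(errno));
    else {
        pool_is_mmapped = 1;
        pool_okay = 1;
    }

#endif
    if (!pool_okay) {
        pool = malloc(poolsize);
        if (!pool)
            log_fatal("can't allocate memory pool of %u bytes\n",
                      (unsigned)poolsize);
        else
            pool_okay = 1;
    }
    lock_pool(pool, poolsize);
    poollen = 0;
}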
mpi-genesis 273
mpi-genesis 274
mpi-genesis 275
/* Placeholder for free-list compaction: secmem_malloc() calls this once
   when the pool is exhausted and then retries, but nothing is reclaimed
   here yet (freed blocks are reused first-fit and never merged or split). */
static void
compress_pool(void)
{

}
mpi-genesis 281
/* Set the warning control flags: bit 1 (0x1) suppresses the "insecure
   memory" warning entirely, bit 2 (0x2) suspends it.  If the suspend bit
   is being cleared while a warning is pending, the warning is printed
   now. */
void
secmem_set_flags(unsigned flags)
{
    const int previously_suspended = suspend_warning;

    no_warning = flags & 1;
    suspend_warning = flags & 2;

    if (!previously_suspended || suspend_warning || !show_warning)
        return;

    show_warning = 0;
    print_warn();
}
mpi-genesis 296
/* Return the flags last set via secmem_set_flags(): bit 1 = warning
   suppressed, bit 2 = warning suspended. */
unsigned
secmem_get_flags(void)
{
    unsigned result = 0;

    if (no_warning)
        result |= 1;
    if (suspend_warning)
        result |= 2;
    return result;
}
mpi-genesis 306
mpi-genesis 307
/* Initialize secure memory, or disable it.
   n > 0: create a pool of at least DEFAULT_POOLSIZE bytes (an error is
   logged if one already exists).
   n == 0: secure memory is disabled instead.  Under USE_CAPABILITIES all
   capabilities are dropped; on other non-DOS systems a setuid binary
   permanently drops back to the real uid, and log_fatal() is called if
   that cannot be verified (i.e. setuid(0) still succeeds).
   Returns nonzero if no "insecure memory" warning is pending afterwards.
   NOTE(review): disable_secmem is only set on the non-capability path;
   whether the USE_CAPABILITIES build should set it too is not visible
   here -- confirm against the callers. */
int
secmem_init(size_t n)
{
    if (n) {
        if (n < DEFAULT_POOLSIZE)
            n = DEFAULT_POOLSIZE;
        if (pool_okay)
            log_error("Oops, secure memory pool already initialized\n");
        else
            init_pool(n);
        return !show_warning;
    }

#ifdef USE_CAPABILITIES
    /* drop all capabilities */
    cap_set_proc(cap_from_text("all-eip"));
#elif !defined(HAVE_DOSISH_SYSTEM)
    {
        uid_t real_uid;

        disable_secmem = 1;
        real_uid = getuid();
        if (real_uid != geteuid()
            && (setuid(real_uid) || getuid() != geteuid() || !setuid(0)))
            log_fatal("failed to drop setuid\n");
    }
#endif
    return !show_warning;
}
mpi-genesis 336
mpi-genesis 337
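/* Allocate size bytes from the secure pool.  Every block carries a
   MEMBLOCK header and is rounded up to a multiple of 32 bytes; freed
   blocks are reused first-fit (the whole block -- it is never split),
   otherwise the request is carved from the unused end of the pool.
   Returns NULL when the pool is exhausted (after one compress_pool()
   attempt) or when size is so large that the header/rounding arithmetic
   would wrap or the result would not fit the unsigned MEMBLOCK.size
   field.  Exits the process with status 2 if the pool was never
   initialized, and prints the pending "insecure memory" warning on first
   use unless it is suspended.  The contents of the returned memory are
   unspecified. */
void *
secmem_malloc(size_t size)
{
    MEMBLOCK *mb, *prev;
    int compressed = 0;

    if (!pool_okay) {
        log_info(
            "operation is not possible without initialized secure memory\n");
        log_info("(you may have used the wrong program for this task)\n");
        exit(2);
    }
    if (show_warning && !suspend_warning) {
        show_warning = 0;
        print_warn();
    }

    /* Blocks are always a multiple of 32 bytes and carry an extra
       MEMBLOCK: we need the SIZE info and also space to chain up unused
       blocks.  Refuse requests for which that arithmetic would wrap. */
    if (size > SIZE_MAX - sizeof(MEMBLOCK) - 31)
        return NULL;
    size += sizeof(MEMBLOCK);
    size = ((size + 31) / 32) * 32;
    if (size > UINT_MAX)
        return NULL;

retry:
    /* First fit from the free list; the block keeps its recorded size. */
    for (mb = unused_blocks, prev = NULL; mb; prev = mb, mb = mb->u.next) {
        if (mb->size >= size) {
            if (prev)
                prev->u.next = mb->u.next;
            else
                unused_blocks = mb->u.next;
            goto leave;
        }
    }

    /* poollen never exceeds poolsize, so this subtraction cannot wrap. */
    if (size <= poolsize - poollen) {
        mb = (void *)((char *)pool + poollen);
        poollen += size;
        mb->size = (unsigned)size;
    }
    else if (!compressed) {
        compressed = 1;
        compress_pool();
        goto retry;
    }
    else
        return NULL;

leave:
    cur_alloced += mb->size;
    cur_blocks++;
    if (cur_alloced > max_alloced)
        max_alloced = cur_alloced;
    if (cur_blocks > max_blocks)
        max_blocks = cur_blocks;

    return &mb->u.aligned.c;
}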
mpi-genesis 396
mpi-genesis 397
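/* Grow (or keep) the secure block p to newsize bytes, realloc()-style.
   A NULL p behaves like secmem_malloc(newsize).  If the existing block
   already has room the same pointer is returned; otherwise a new block is
   allocated, the old payload copied, the remainder of the new block
   zeroed and the old block freed (and thereby wiped).  Returns NULL and
   leaves p untouched when the pool cannot satisfy the request.  Calls
   log_bug() when the header in front of p looks corrupted. */
void *
secmexrealloc(void *p, size_t newsize)
{
    MEMBLOCK *mb;
    size_t payload;   /* usable bytes of the existing block */
    void *a;

    if (!p)
        return secmem_malloc(newsize);

    mb = (MEMBLOCK *)((char *)p - offsetof(MEMBLOCK, u.aligned.c));
    payload = mb->size;
    if (payload < sizeof(MEMBLOCK))
        log_bug("secure memory corrupted at block %p\n", (void *)mb);
    payload -= offsetof(MEMBLOCK, u.aligned.c);

    if (newsize <= payload)
        return p;
    a = secmem_malloc(newsize);
    if (a) {
        memcpy(a, p, payload);
        memset((char *)a + payload, 0, newsize - payload);
        secmem_free(p);
    }
    return a;
}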
mpi-genesis 421
mpi-genesis 422
/* Return the block a (as handed out by secmem_malloc()) to the free list.
   The whole block, header included, is overwritten with 0xff, 0xaa, 0x55
   and finally 0x00 before it is chained in; a NULL a is ignored.  As the
   original author notes, this may be pointless if the memory is still
   held in a cache -- it is done anyway. */
void
secmem_free(void *a)
{
    static const unsigned char wipe_patterns[] = { 0xff, 0xaa, 0x55, 0x00 };
    const size_t header = (size_t)&((MEMBLOCK *)0)->u.aligned.c;
    MEMBLOCK *mb;
    size_t size;
    size_t i;

    if (a == NULL)
        return;

    mb = (MEMBLOCK *)((char *)a - header);
    size = mb->size;

    for (i = 0; i < sizeof wipe_patterns; i++)
        wipememory2(mb, wipe_patterns[i], size);

    /* The wipe clobbered the header too; rebuild it as a free-list node. */
    mb->size = size;
    mb->u.next = unused_blocks;
    unused_blocks = mb;
    cur_blocks--;
    cur_alloced -= size;
}
mpi-genesis 446
mpi-genesis 447
mpi-genesis 448
/* Nonzero if p points into [pool, pool + poolsize).  The comparison is
   done on integers rather than on the pointers themselves: relational
   operators on pointers into different objects are undefined behaviour
   (C99 6.5.8), whereas the pointer-to-size_t conversion is at least only
   implementation defined. */
static int
ptr_into_pool_p(const void *p)
{
    const size_t lo = (size_t)pool;
    const size_t hi = lo + poolsize;
    const size_t addr = (size_t)p;

    return addr >= lo && addr < hi;
}
mpi-genesis 462
mpi-genesis 463
/* Public check: nonzero if p lives inside the initialized secure pool. */
int
m_is_secure(const void *p)
{
    if (!pool_okay)
        return 0;
    return ptr_into_pool_p(p);
}
mpi-genesis 469
mpi-genesis 470
mpi-genesis 471
mpi-genesis 472
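/* Wipe and release the secure pool.
 *
 * Warning: This code might be called by an interrupt handler
 * and frankly, there should really be such a handler,
 * to make sure that the memory is wiped out.
 * We hope that the OS wipes out mlocked memory after
 * receiving a SIGKILL - it really should do so, otherwise
 * there is no chance to get the secure memory cleaned.
 *
 * The pool is overwritten with four patterns, then unmapped (mmap'ed
 * pool) or freed (malloc() fallback of init_pool), and the pool state is
 * reset so that secmem_init() can be called again.  The usage counters
 * used by secmem_dump_stats() are not reset here.
 */
void
secmem_term(void)
{
    if (!pool_okay)
        return;

    wipememory2(pool, 0xff, poolsize);
    wipememory2(pool, 0xaa, poolsize);
    wipememory2(pool, 0x55, poolsize);
    wipememory2(pool, 0x00, poolsize);
#ifdef HAVE_MMAP
    if (pool_is_mmapped) {
        munmap(pool, poolsize);
        pool_is_mmapped = 0;   /* a later init_pool() may fall back to malloc() */
    }
    else
        free(pool);            /* pool came from malloc() in init_pool() */
#else
    free(pool);                /* pool came from malloc() in init_pool() */
#endif
    pool = NULL;
    pool_okay = 0;
    poolsize = 0;
    poollen = 0;
    unused_blocks = NULL;
}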
mpi-genesis 500
mpi-genesis 501
/* Print the pool usage counters to stderr; prints nothing when secure
   memory was disabled via secmem_init(0). */
void
secmem_dump_stats(void)
{
    const ulong used_len = (ulong)poollen;
    const ulong total_len = (ulong)poolsize;

    if (disable_secmem)
        return;

    fprintf(stderr,
            "secmem usage: %u/%u bytes in %u/%u blocks of pool %lu/%lu\n",
            cur_alloced, max_alloced, cur_blocks, max_blocks,
            used_len, total_len);
}