| blob | 8ca8df388f14608f6a9f34d1d604f5a32f9b910f |
1 /* TODO:
2 x use getopt_long
3 x use error, not pferror
4 - don't use pfstatus (at least vprintf isn't portable) -- or maybe
5 leave it in and see who complains
6 x bracket strings with _(...) for gettext
7 - use consistent non-capitalization in error messages
8 - add standard GNU copyleft comment
9 */
11 /*
12 * shred.c - by Colin Plumb.
13 *
14 * Do a secure overwrite of given files or devices, so that not even
15 * very expensive hardware probing can recover the data.
16 *
17 * Although this process is also known as "wiping", I prefer the longer
18 * name both because I think it is more evocative of what is happening and
19 * because a longer name conveys a more appropriate sense of deliberateness.
20 *
21 * For the theory behind this, see "Secure Deletion of Data from Magnetic
22 * and Solid-State Memory", on line at
23 * http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html
24 *
25 * Just for the record, reversing one or two passes of disk overwrite
26 * is not terribly difficult with hardware help. Hook up a good-quality
27 * digitizing oscilloscope to the output of the head preamplifier and copy
28 * the high-res digitized data to a computer for some off-line analysis.
29 * Read the "current" data and average all the pulses together to get an
30 * "average" pulse on the disk. Subtract this average pulse from all of
31 * the actual pulses and you can clearly see the "echo" of the previous
32 * data on the disk.
33 *
34 * Real hard drives have to balance the cost of the media, the head,
35 * and the read circuitry. They use better-quality media than absolutely
36 * necessary to limit the cost of the read circuitry. By throwing that
37 * assumption out, and the assumption that you want the data processed
38 * as fast as the hard drive can spin, you can do better.
39 *
40 * If asked to wipe a file, this also deletes it, renaming it to in a
41 * clever way to try to leave no trace of the original filename.
42 *
43 * Copyright 1997, 1998 Colin Plumb <colin@nyx.net>. This program may
44 * be freely distributed under the terms of the GNU GPL, the BSD license,
45 * or Larry Wall's "Artistic License" Even if you use the BSD license,
46 * which does not require it, I'd really like to get improvements back.
47 *
48 * The ISAAC code still bears some resemblance to the code written
49 * by Bob Jenkins, but he permits pretty unlimited use.
50 *
51 * This was inspired by a desire to improve on some code titled:
52 * Wipe V1.0-- Overwrite and delete files. S. 2/3/96
53 * but I've rewritten everything here so completely that no trace of
54 * the original remains.
55 *
56 * Things to think about:
57 * - Security: Is there any risk to the race
58 * between overwriting and unlinking a file? Will it do anything
59 * drastically bad if told to attack a named pipes or a sockets?
60 */
63 #include <config.h>
64 #include <getopt.h>
65 #include <stdio.h>
75 /* How often to update wiping display */
76 #define VERBOSE_UPDATE 100*1024
78 /* FIXME: add comments */
79 struct Options
80 {
88 };
90 /* If nonzero, display usage information and exit. */
93 /* If nonzero, print the version on standard output and exit. */
97 {
108 };
110 /* Global variable for error printing purposes */
113 void
115 {
118 program_name);
119 else
120 {
141 }
143 }
145 #if ! HAVE_FDATASYNC
146 # define fdatasync(Fd) fsync (Fd)
147 #endif
149 /*
150 * --------------------------------------------------------------------
151 * Bob Jenkins' cryptographic random number generator, ISAAC.
152 * Hacked by Colin Plumb.
153 *
154 * We need a source of random numbers for some of the overwrite data.
155 * Cryptographically secure is desirable, but it's not life-or-death
156 * so I can be a little bit experimental in the choice of RNGs here.
157 *
158 * This generator is based somewhat on RC4, but has analysis
159 * (http://ourworld.compuserve.com/homepages/bob_jenkins/randomnu.htm)
160 * pointing to it actually being better. I like it because it's nice
161 * and fast, and because the author did good work analyzing it.
162 * --------------------------------------------------------------------
163 */
165 #if ULONG_MAX == 0xffffffff
167 #else
168 # if UINT_MAX == 0xffffffff
170 # else
171 # if USHRT_MAX == 0xffffffff
173 # else
174 # if UCHAR_MAX == 0xffffffff
176 # else
177 # error No 32-bit type available!
178 # endif
179 # endif
180 # endif
181 #endif
183 /* Size of the state tables to use. (You may change ISAAC_LOG) */
184 #define ISAAC_LOG 8
185 #define ISAAC_WORDS (1 << ISAAC_LOG)
186 #define ISAAC_BYTES (ISAAC_WORDS * sizeof (word32))
188 /* RNG state variables */
189 struct isaac_state
190 {
194 };
196 /* This index operation is more efficient on many processors */
197 #define ind(mm, x) *(unsigned *)((char *)(mm) + ( (x) & (ISAAC_WORDS-1)<<2 ))
199 /*
200 * The central step. This uses two temporaries, x and y. mm is the
201 * whole state array, while m is a pointer to the current word. off is
202 * the offset from m to the word ISAAC_WORDS/2 words away in the mm array,
203 * i.e. +/- ISAAC_WORDS/2.
204 */
205 #define isaac_step(mix, a, b, mm, m, off, r) \
206 ( \
207 a = ((a) ^ (mix)) + (m)[off], \
208 x = *(m), \
209 *(m) = y = ind ((mm), x) + (a) + (b), \
210 *(r) = b = ind ((mm), (y) >> ISAAC_LOG) + x \
211 )
213 /*
214 * Refill the entire R array, and update S.
215 */
216 static void
218 {
226 do
227 {
233 }
235 do
236 {
242 }
246 }
248 /*
249 * The basic seed-scrambling step for initialization, based on Bob
250 * Jenkins' 256-bit hash.
251 */
252 #define mix(a,b,c,d,e,f,g,h) \
253 ( a ^= b << 11, d += a, \
254 b += c, b ^= c >> 2, e += b, \
255 c += d, c ^= d << 8, f += c, \
256 d += e, d ^= e >> 16, g += d, \
257 e += f, e ^= f << 10, h += e, \
258 f += g, f ^= g >> 4, a += f, \
259 g += h, g ^= h << 8, b += g, \
260 h += a, h ^= a >> 9, c += h, \
261 a += b )
263 /* The basic ISAAC initialization pass. */
264 static void
266 {
278 {
298 }
308 }
310 /*
311 * Initialize the ISAAC RNG with the given seed material.
312 * Its size MUST be a multiple of ISAAC_BYTES, and may be
313 * stored in the s->mm array.
314 *
315 * This is a generalization of the original ISAAC initialization code
316 * to support larger seed sizes. For seed sizes of 0 and ISAAC_BYTES,
317 * it is identical.
318 */
319 static void
321 {
323 {
328 #if 0
329 /* The initialization of iv is a precomputed form of: */
334 #endif
341 {
342 /* First pass (as in reference ISAAC code) */
344 /* Second and subsequent passes (extension to ISAAC) */
346 {
351 }
352 }
353 else
354 {
355 /* The no seed case (as in reference ISAAC code) */
358 }
360 /* Final pass */
362 }
364 /*
365 * Get seed material. 16 bytes (128 bits) is plenty, but if we have
366 * /dev/urandom, we get 32 bytes = 256 bits for complete overkill.
367 */
368 static void
370 {
374 {
380 #else
385 #endif
386 }
388 {
391 {
394 }
395 else
396 {
399 {
400 /* /dev/random is more precious, so use less */
403 }
404 }
405 }
408 }
410 /*
411 * Read up to "size" bytes from the given fd and use them as additional
412 * ISAAC seed material. Returns the number of bytes actually read.
413 */
414 static off_t
416 {
419 ssize_t ssize;
424 {
429 do
430 {
432 }
434 /* Mix in what was read */
436 {
437 /* Garbage after the sofff position is harmless */
442 }
445 }
446 /* Wipe the copy of the file in "seed" */
449 /* Final mix, as in isaac_init */
452 }
454 /* Single-word RNG built on top of ISAAC */
455 struct irand_state
456 {
460 };
462 static void
464 {
467 }
469 /*
470 * We take from the end of the block deliberately, so if we need
471 * only a small number of values, we choose the final ones which are
472 * marginally better mixed than the initial ones.
473 */
474 static word32
476 {
478 {
481 }
483 }
485 /*
486 * Return a uniformly distributed random number between 0 and n,
487 * inclusive. Thus, the result is modulo n+1.
488 *
489 * Theory of operation: as x steps through every possible 32-bit number,
490 * x % n takes each value at least 2^32 / n times (rounded down), but
491 * the values less than 2^32 % n are taken one additional time. Thus,
492 * x % n is not perfectly uniform. To fix this, the values of x less
493 * than 2^32 % n are disallowed, and if the RNG produces one, we ask
494 * for a new value.
495 */
496 static word32
498 {
499 word32 x;
500 word32 lim;
506 do
507 {
509 }
512 }
514 /*
515 * Like perror() but fancier. (And fmt is not allowed to be NULL)
516 * This apparent use of features specific to GNU C is actually portable;
517 * see the definitions in error.h.
518 */
522 /*
523 * Maintain a status line on stdout. This is done by using CR and
524 * overprinting a new line when it changes, padding with trailing blanks
525 * as needed to hide all of the previous line. (Assuming that the return
526 * value of printf is an accurate width.)
527 FIXME: we can't assume that
528 */
532 /* Print a new status line, overwriting the previous one. */
533 static void
535 {
539 /* If we weren't at beginning, go there. */
546 {
549 {
551 status_pos++;
552 }
554 }
556 }
558 /* Leave current status (if any) visible and go to the next free line. */
559 static void
561 {
563 {
567 }
569 {
573 }
574 }
576 /*
577 * Get the size of a file that doesn't want to cooperate (such as a
578 * device) by doing a binary search for the last readable byte. The size
579 * of the file is the least offset at which it is not possible to read
580 * a byte.
581 *
582 * This is also a nice example of using loop invariants to correctly
583 * implement an algorithm that is potentially full of fencepost errors.
584 * We assume that if it is possible to read a byte at offset x, it is
585 * also possible at all offsets <= x.
586 */
587 static off_t
589 {
593 /* Binary doubling upwards to find the right range */
597 /*
598 * Loop invariant: we have verified that it is possible to read a
599 * byte at all offsets < lo. Probe at offset hi >= lo until it
600 * is not possible to read a byte at that offset, establishing
601 * the loop invariant for the following loop.
602 */
604 {
610 }
611 /*
612 * Binary search to find the exact endpoint.
613 * Loop invariant: it is not possible to read a byte at hi,
614 * but it is possible at all offsets < lo. Thus, the
615 * offset we seek is between lo and hi inclusive.
616 */
618 {
623 else
625 }
626 /* lo == hi, so we have an exact answer */
628 }
630 /*
631 * Fill a buffer with a fixed pattern.
632 *
633 * The buffer must be at least 3 bytes long, even if
634 * size is less. Larger sizes are filled exactly.
635 */
636 static void
638 {
651 /* Invert the first bit of every 512-byte sector. */
655 }
657 /*
658 * Fill a buffer with random data.
659 * size is rounded UP to a multiple of ISAAC_BYTES.
660 */
661 static void
663 {
667 {
670 }
671 }
673 /* Generate a 6-character (+ nul) pass name string */
674 #define PASS_NAME_SIZE 7
675 static void
677 {
680 else
682 }
684 /*
685 * Do pass number k of n, writing "size" bytes of the given pattern "type"
686 * to the file descriptor fd. Name, k and n are passed in only for verbose
687 * progress message purposes. If n == 0, no progress messages are printed.
688 */
689 static int
692 {
698 #if ISAAC_WORDS > 1024
700 #else
702 #endif
706 {
709 }
711 /* Constant fill patterns need only be set up once. */
713 {
716 {
718 }
721 }
722 else
723 {
725 }
727 /* Set position if first status update */
730 {
734 }
737 {
738 /* How much to write this time? */
744 /* Loop to retry partial writes. */
746 {
749 {
753 /* FIXME: this is slightly fragile in that some systems
754 may fail with a different errno. */
755 /* This error confuses people. */
758 stderr);
760 }
761 }
763 /* Okay, we have written "lim" bytes. */
766 /* Time to print progress? */
768 {
774 else
776 }
777 }
778 /* Force what we just wrote to hit the media. */
780 {
783 }
785 }
787 /*
788 * The passes start and end with a random pass, and the passes in between
789 * are done in random order. The idea is to deprive someone trying to
790 * reverse the process of knowledge of the overwrite patterns, so they
791 * have the additional step of figuring out what was done to the disk
792 * before they can try to reverse or cancel it.
793 *
794 * First, all possible 1-bit patterns. There are two of them.
795 * Then, all possible 2-bit patterns. There are four, but the two
796 * which are also 1-bit patterns can be omitted.
797 * Then, all possible 3-bit patterns. Again, 8-2 = 6.
798 * Then, all possible 4-bit patterns. 16-4 = 12.
799 *
800 * The basic passes are:
801 * 1-bit: 0x000, 0xFFF
802 * 2-bit: 0x555, 0xAAA
803 * 3-bit: 0x249, 0x492, 0x924, 0x6DB, 0xB6D, 0xDB6 (+ 1-bit)
804 * 100100100100 110110110110
805 * 9 2 4 D B 6
806 * 4-bit: 0x111, 0x222, 0x333, 0x444, 0x666, 0x777,
807 * 0x888, 0x999, 0xBBB, 0xCCC, 0xDDD, 0xEEE (+ 1-bit, 2-bit)
808 * Adding three random passes at the beginning, middle and end
809 * produces the default 25-pass structure.
810 *
811 * The next extension would be to 5-bit and 6-bit patterns.
812 * There are 30 uncovered 5-bit patterns and 64-8-2 = 46 uncovered
813 * 6-bit patterns, so they would increase the time required
814 * significantly. 4-bit patterns are enough for most purposes.
815 *
816 * The main gotcha is that this would require a trickier encoding,
817 * since lcm(2,3,4) = 12 bits is easy to fit into an int, but
818 * lcm(2,3,4,5) = 60 bits is not.
819 *
820 * One extension that is included is to complement the first bit in each
821 * 512-byte block, to alter the phase of the encoded data in the more
822 * complex encodings. This doesn't apply to MFM, so the 1-bit patterns
823 * are considered part of the 3-bit ones and the 2-bit patterns are
824 * considered part of the 4-bit patterns.
825 *
826 *
827 * How does the generalization to variable numbers of passes work?
828 *
829 * Here's how...
830 * Have an ordered list of groups of passes. Each group is a set.
831 * Take as many groups as will fit, plus a random subset of the
832 * last partial group, and place them into the passes list.
833 * Then shuffle the passes list into random order and use that.
834 *
835 * One extra detail: if we can't include a large enough fraction of the
836 * last group to be interesting, then just substitute random passes.
837 *
838 * If you want more passes than the entire list of groups can
839 * provide, just start repeating from the beginning of the list.
840 */
841 static int const
842 patterns[] =
843 {
852 /* The following patterns have the frst bit per block flipped */
858 };
860 /*
861 * Generate a random wiping pass pattern with num passes.
862 * This is a two-stage process. First, the passes to include
863 * are chosen, and then they are shuffled into the desired
864 * order.
865 */
866 static void
868 {
882 /* Stage 1: choose the passes to use */
889 {
894 }
899 {
903 }
906 }
913 }
918 }
919 else
921 do
922 {
924 {
926 n--;
927 }
928 p++;
929 }
932 }
933 }
936 /* assert(d == dest+top); */
938 /*
939 * We now have fixed patterns in the dest buffer up to
940 * "top", and we need to scramble them, with "randpasses"
941 * random passes evenly spaced among them.
942 *
943 * We want one at the beginning, one at the end, and
944 * evenly spaced in between. To do this, we basically
945 * use Bresenham's line draw (a.k.a DDA) algorithm
946 * to draw a line with slope (randpasses-1)/(num-1).
947 * (We use a positive accumulator and count down to
948 * do this.)
949 *
950 * So for each desired output value, we do the following:
951 * - If it should be a random pass, copy the pass type
952 * to top++, out of the way of the other passes, and
953 * set the current pass to -1 (random).
954 * - If it should be a normal pattern pass, choose an
955 * entry at random between here and top-1 (inclusive)
956 * and swap the current entry with that one.
957 */
962 {
964 {
968 }
969 else
970 {
975 }
977 }
978 /* assert(top == num); */
981 }
983 /*
984 * The core routine to actually do the work. This overwrites the first
985 * size bytes of the given fd. Returns -1 on error, 0 on success with
986 * regular files, and 1 on success with non-regular files.
987 */
988 static int
991 {
1006 {
1009 }
1011 /* Check for devices */
1013 {
1016 name);
1018 }
1020 /* Allocate pass array */
1023 {
1027 }
1031 {
1032 /* Reluctant to talk? Apply thumbscrews. */
1034 }
1036 {
1037 /* Round up to the next st_blksize to include "slack" */
1039 }
1041 /*
1042 * Use the file itself as seed material. Avoid wasting "lots"
1043 * of time (>10% of the write time) reading "large" (>16K)
1044 * files for seed material if there aren't many passes.
1045 *
1046 * Note that "seedsize*passes/10" risks overflow, while
1047 * "seedsize/10*passes is slightly inaccurate. The hack
1048 * here manages perfection with no overflow.
1049 */
1051 {
1055 }
1058 /* Schedule the passes in random order. */
1061 /* Do the work */
1063 {
1065 {
1069 }
1072 }
1082 }
1084 /* Characters allowed in a file name - a safe universal set. */
1088 /*
1089 * This increments the name, considering it as a big-endian base-N number
1090 * with the digits taken from nameset. Characters not in the nameset
1091 * are considered to come before nameset[0].
1092 *
1093 * It's not obvious, but this will explode if name[0..len-1] contains
1094 * any 0 bytes.
1095 *
1096 * This returns the carry (1 on overflow).
1097 */
1098 static int
1100 {
1107 /* If the character is not found, replace it with a 0 digit */
1109 {
1112 }
1113 /* If this character has a successor, use it */
1115 {
1118 }
1119 /* Otherwise, set this digit to 0 and increment the prefix */
1122 }
1124 /*
1125 * Repeatedly rename a file with shorter and shorter names,
1126 * to obliterate all traces of the file name on any system that
1127 * adds a trailing delimiter to on-disk file names and reuses
1128 * the same directory slot. Finally, delete it.
1129 * The passed-in filename is modified in place to the new filename.
1130 * (Which is deleted if this function succeeds, but is still present if
1131 * it fails for some reason.)
1132 *
1133 * The main loop is written carefully to not get stuck if all possible
1134 * names of a given length are occupied. It counts down the length from
1135 * the original to 0. While the length is non-zero, it tries to find an
1136 * unused file name of the given length. It continues until either the
1137 * name is available and the rename succeeds, or it runs out of names
1138 * to try (incname() wraps and returns 1). Finally, it deletes the file.
1139 *
1140 * Note that rename() and remove() are both in the ANSI C standard,
1141 * so that part, at least, is NOT Unix-specific.
1142 *
1143 * FIXME: update this comment.
1144 * To force the directory data out, we try to open() the directory and
1145 * invoke fdatasync() on it. This is rather non-standard, so we don't
1146 * insist that it works, just fall back to a global sync() in that case.
1147 * Unfortunately, this code is Unix-specific.
1148 */
1149 int
1151 {
1163 {
1166 }
1168 {
1171 {
1175 }
1176 }
1178 /* Find the file name portion */
1180 /* Temporary hackery to get a directory fd */
1182 {
1186 }
1187 else
1188 {
1190 }
1195 {
1198 do
1199 {
1202 {
1206 {
1207 /* The use of origname (rather than oldname) here is
1208 deliberate. It makes the -v output more intelligible
1209 at the expense of making the `renamed to ...' messages
1210 use the logical (original) file name. */
1214 }
1217 }
1218 }
1220 len--;
1221 }
1228 {
1232 }
1234 }
1236 /*
1237 * Finally, the function that actually takes a filename and grinds
1238 * it into hamburger. Returns 1 if it was not a regular file.
1239 *
1240 * FIXME
1241 * Detail to note: since we do not restore errno to EACCES after
1242 * a failed chmod, we end up printing the error code from the chmod.
1243 * This is probably either EACCES again or EPERM, which both give
1244 * reasonable error messages. But it might be better to change that.
1245 */
1246 static int
1249 {
1254 {
1257 }
1259 {
1262 }
1266 /*
1267 * Wipe the name and unlink - regular files only, no devices!
1268 * (wipefd returns 1 for non-regular files.)
1269 */
1271 {
1275 }
1277 }
1279 int
1281 {
1300 /* By default, remove each file after sanitization. */
1304 {
1306 {
1319 {
1325 {
1327 }
1329 }
1350 }
1351 }
1354 {
1358 }
1367 {
1370 }
1373 {
1375 {
1378 }
1379 else
1380 {
1381 /* Plain filename - Note that this overwrites *argv! */
1384 }
1386 }
1388 /* Just on general principles, wipe s. */
1394 }