| blob | be377b18a615a8154e405b3ac4a0261f440b54a7 |
1 /* shred.c - overwrite files and devices to make it harder to recover data
3 Copyright (C) 1999-2003 Free Software Foundation, Inc.
4 Copyright (C) 1997, 1998, 1999 Colin Plumb.
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2, or (at your option)
9 any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software Foundation,
18 Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
20 Written by Colin Plumb. */
22 /* TODO:
23 - use consistent non-capitalization in error messages
24 - add standard GNU copyleft comment
26 - Add -r/-R/--recursive
27 - Add -i/--interactive
28 - Reserve -d
29 - Add -L
30 - Deal with the amazing variety of gettimeofday() implementation bugs.
31 (Some systems use a one-arg form; still others insist that the timezone
32 either be NULL or be non-NULL. Whee.)
33 - Add an unlink-all option to emulate rm.
34 */
36 /*
37 * Do a more secure overwrite of given files or devices, to make it harder
38 * for even very expensive hardware probing to recover the data.
39 *
40 * Although this process is also known as "wiping", I prefer the longer
41 * name both because I think it is more evocative of what is happening and
42 * because a longer name conveys a more appropriate sense of deliberateness.
43 *
44 * For the theory behind this, see "Secure Deletion of Data from Magnetic
45 * and Solid-State Memory", on line at
46 * http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html
47 *
48 * Just for the record, reversing one or two passes of disk overwrite
49 * is not terribly difficult with hardware help. Hook up a good-quality
50 * digitizing oscilloscope to the output of the head preamplifier and copy
51 * the high-res digitized data to a computer for some off-line analysis.
52 * Read the "current" data and average all the pulses together to get an
53 * "average" pulse on the disk. Subtract this average pulse from all of
54 * the actual pulses and you can clearly see the "echo" of the previous
55 * data on the disk.
56 *
57 * Real hard drives have to balance the cost of the media, the head,
58 * and the read circuitry. They use better-quality media than absolutely
59 * necessary to limit the cost of the read circuitry. By throwing that
60 * assumption out, and the assumption that you want the data processed
61 * as fast as the hard drive can spin, you can do better.
62 *
63 * If asked to wipe a file, this also unlinks it, renaming it to in a
64 * clever way to try to leave no trace of the original filename.
65 *
66 * The ISAAC code still bears some resemblance to the code written
67 * by Bob Jenkins, but he permits pretty unlimited use.
68 *
69 * This was inspired by a desire to improve on some code titled:
70 * Wipe V1.0-- Overwrite and delete files. S. 2/3/96
71 * but I've rewritten everything here so completely that no trace of
72 * the original remains.
73 *
74 * Thanks to:
75 * Bob Jenkins, for his good RNG work and patience with the FSF copyright
76 * paperwork.
77 * Jim Meyering, for his work merging this into the GNU fileutils while
78 * still letting me feel a sense of ownership and pride. Getting me to
79 * tolerate the GNU brace style was quite a feat of diplomacy.
80 * Paul Eggert, for lots of useful discussion and code. I disagree with
81 * an awful lot of his suggestions, but they're disagreements worth having.
82 *
83 * Things to think about:
84 * - Security: Is there any risk to the race
85 * between overwriting and unlinking a file? Will it do anything
86 * drastically bad if told to attack a named pipe or socket?
87 */
89 /* The official name of this program (e.g., no `g' prefix). */
94 #if HAVE_CONFIG_H
95 # include <config.h>
96 #endif
98 #include <getopt.h>
99 #include <stdio.h>
100 #include <assert.h>
101 #include <setjmp.h>
102 #include <signal.h>
103 #include <sys/types.h>
114 #ifndef O_NOCTTY
116 #endif
120 /* How many seconds to wait before checking whether to output another
121 verbose output line. */
122 #define VERBOSE_UPDATE 5
124 struct Options
125 {
133 };
136 {
147 };
149 /* Global variable for error printing purposes */
152 void
154 {
157 program_name);
158 else
159 {
220 }
222 }
224 #if ! HAVE_FDATASYNC
225 # define fdatasync(fd) -1
226 #endif
228 /*
229 * --------------------------------------------------------------------
230 * Bob Jenkins' cryptographic random number generator, ISAAC.
231 * Hacked by Colin Plumb.
232 *
233 * We need a source of random numbers for some of the overwrite data.
234 * Cryptographically secure is desirable, but it's not life-or-death
235 * so I can be a little bit experimental in the choice of RNGs here.
236 *
237 * This generator is based somewhat on RC4, but has analysis
238 * (http://ourworld.compuserve.com/homepages/bob_jenkins/randomnu.htm)
239 * pointing to it actually being better. I like it because it's nice
240 * and fast, and because the author did good work analyzing it.
241 * --------------------------------------------------------------------
242 */
244 #if defined __STDC__ && __STDC__
245 # define UINT_MAX_32_BITS 4294967295U
246 #else
247 # define UINT_MAX_32_BITS 0xFFFFFFFF
248 #endif
250 #if ULONG_MAX == UINT_MAX_32_BITS
252 #else
253 # if UINT_MAX == UINT_MAX_32_BITS
255 # else
256 # if USHRT_MAX == UINT_MAX_32_BITS
258 # else
259 # if UCHAR_MAX == UINT_MAX_32_BITS
261 # else
262 "No 32-bit type available!"
263 # endif
264 # endif
265 # endif
266 #endif
268 /* Size of the state tables to use. (You may change ISAAC_LOG) */
269 #define ISAAC_LOG 8
270 #define ISAAC_WORDS (1 << ISAAC_LOG)
271 #define ISAAC_BYTES (ISAAC_WORDS * sizeof (word32))
273 /* RNG state variables */
274 struct isaac_state
275 {
279 };
281 /* This index operation is more efficient on many processors */
282 #define ind(mm, x) \
283 (* (word32 *) ((char *) (mm) + ((x) & (ISAAC_WORDS - 1) * sizeof (word32))))
285 /*
286 * The central step. This uses two temporaries, x and y. mm is the
287 * whole state array, while m is a pointer to the current word. off is
288 * the offset from m to the word ISAAC_WORDS/2 words away in the mm array,
289 * i.e. +/- ISAAC_WORDS/2.
290 */
291 #define isaac_step(mix, a, b, mm, m, off, r) \
292 ( \
293 a = ((a) ^ (mix)) + (m)[off], \
294 x = *(m), \
295 *(m) = y = ind (mm, x) + (a) + (b), \
296 *(r) = b = ind (mm, (y) >> ISAAC_LOG) + x \
297 )
299 /*
300 * Refill the entire R array, and update S.
301 */
302 static void
304 {
312 do
313 {
319 }
321 do
322 {
328 }
332 }
334 /*
335 * The basic seed-scrambling step for initialization, based on Bob
336 * Jenkins' 256-bit hash.
337 */
338 #define mix(a,b,c,d,e,f,g,h) \
339 ( a ^= b << 11, d += a, \
340 b += c, b ^= c >> 2, e += b, \
341 c += d, c ^= d << 8, f += c, \
342 d += e, d ^= e >> 16, g += d, \
343 e += f, e ^= f << 10, h += e, \
344 f += g, f ^= g >> 4, a += f, \
345 g += h, g ^= h << 8, b += g, \
346 h += a, h ^= a >> 9, c += h, \
347 a += b )
349 /* The basic ISAAC initialization pass. */
350 static void
352 {
364 {
384 }
394 }
397 /*
398 * Initialize the ISAAC RNG with the given seed material.
399 * Its size MUST be a multiple of ISAAC_BYTES, and may be
400 * stored in the s->mm array.
401 *
402 * This is a generalization of the original ISAAC initialization code
403 * to support larger seed sizes. For seed sizes of 0 and ISAAC_BYTES,
404 * it is identical.
405 */
406 static void
408 {
410 {
415 # if 0
416 /* The initialization of iv is a precomputed form of: */
421 # endif
428 {
429 /* First pass (as in reference ISAAC code) */
431 /* Second and subsequent passes (extension to ISAAC) */
433 {
438 }
439 }
440 else
441 {
442 /* The no seed case (as in reference ISAAC code) */
445 }
447 /* Final pass */
449 }
450 #endif
452 /* Start seeding an ISAAC structire */
453 static void
455 {
457 {
460 };
463 #if 0
464 /* The initialization of iv is a precomputed form of: */
469 #endif
472 /* We could initialize s->mm to zero, but why bother? */
474 /* s->c gets used for a data pointer during the seeding phase */
476 }
478 /* Add a buffer of seed material */
479 static void
481 {
488 /* Do any full buffers that are necessary */
490 {
499 }
501 /* And the final partial block */
506 }
509 /* End of seeding phase; get everything ready to produce output. */
510 static void
512 {
515 /* Now reinitialize c to start things off right */
517 }
518 #define ISAAC_SEED(s,x) isaac_seed_data (s, &(x), sizeof (x))
521 #if __GNUC__ >= 2 && (__i386__ || __alpha__)
522 /*
523 * Many processors have very-high-resolution timer registers,
524 * The timer registers can be made inaccessible, so we have to deal with the
525 * possibility of SIGILL while we're working.
526 */
528 static RETSIGTYPE
530 {
533 }
535 /* FIXME: find a better way.
536 This signal-handling code may well end up being ripped out eventually.
537 An example of how fragile it is, on an i586-sco-sysv5uw7.0.1 system, with
538 gcc-2.95.3pl1, the "rdtsc" instruction causes a segmentation violation.
539 So now, the code catches SIGSEGV. It'd probably be better to remove all
540 of that mess and find a better source of random data. Patches welcome. */
542 static void
544 {
547 /* This is how one does try/except in C */
551 {
554 }
555 else
556 {
557 # if __i386__
560 # endif
561 # if __alpha__
564 # endif
565 # if _ARCH_PPC
566 /* Code not used because this instruction is available only on first-
567 generation PPCs and evokes a SIGBUS on some Linux 2.4 kernels. */
568 word32 t;
570 # endif
571 # if __mips
572 /* Code not used because this is not accessible from userland */
573 word32 t;
575 # endif
576 # if __sparc__
577 /* This doesn't compile on all platforms yet. How to fix? */
580 # endif
584 }
585 }
589 /* Do-nothing stub */
590 # define isaac_seed_machdep(s) (void) 0
595 /*
596 * Get seed material. 16 bytes (128 bits) is plenty, but if we have
597 * /dev/urandom, we get 32 bytes = 256 bits for complete overkill.
598 */
599 static void
601 {
609 {
610 #if HAVE_GETHRTIME
613 #else
617 # else
618 # if HAVE_GETTIMEOFDAY
621 # else
624 # endif
625 # endif
626 #endif
628 }
632 {
636 {
640 }
641 else
642 {
645 {
646 /* /dev/random is more precious, so use less */
650 }
651 }
652 }
655 }
657 /* Single-word RNG built on top of ISAAC */
658 struct irand_state
659 {
663 };
665 static void
667 {
670 }
672 /*
673 * We take from the end of the block deliberately, so if we need
674 * only a small number of values, we choose the final ones which are
675 * marginally better mixed than the initial ones.
676 */
677 static word32
679 {
681 {
684 }
686 }
688 /*
689 * Return a uniformly distributed random number between 0 and n,
690 * inclusive. Thus, the result is modulo n+1.
691 *
692 * Theory of operation: as x steps through every possible 32-bit number,
693 * x % n takes each value at least 2^32 / n times (rounded down), but
694 * the values less than 2^32 % n are taken one additional time. Thus,
695 * x % n is not perfectly uniform. To fix this, the values of x less
696 * than 2^32 % n are disallowed, and if the RNG produces one, we ask
697 * for a new value.
698 */
699 static word32
701 {
702 word32 x;
703 word32 lim;
709 do
710 {
712 }
715 }
717 /*
718 * Fill a buffer with a fixed pattern.
719 *
720 * The buffer must be at least 3 bytes long, even if
721 * size is less. Larger sizes are filled exactly.
722 */
723 static void
725 {
738 /* Invert the first bit of every 512-byte sector. */
742 }
744 /*
745 * Fill a buffer, R (of size SIZE_MAX), with random data.
746 * SIZE is rounded UP to a multiple of ISAAC_BYTES.
747 */
748 static void
750 {
755 {
758 }
759 }
761 /*
762 * Generate a 6-character (+ nul) pass name string
763 * FIXME: allow translation of "random".
764 */
765 #define PASS_NAME_SIZE 7
766 static void
768 {
771 else
773 }
775 /*
776 * Do pass number k of n, writing "size" bytes of the given pattern "type"
777 * to the file descriptor fd. Qname, k and n are passed in only for verbose
778 * progress message purposes. If n == 0, no progress messages are printed.
779 *
780 * If *sizep == -1, the size is unknown, and it will be filled in as soon
781 * as writing fails.
782 */
783 static int
786 {
794 #if ISAAC_WORDS > 1024
796 #else
798 #endif
801 /* Printable previous offset into the file */
806 {
809 }
811 /* Constant fill patterns need only be set up once. */
813 {
816 {
818 }
821 }
822 else
823 {
825 }
827 /* Set position if first status update */
829 {
833 }
837 {
838 /* How much to write this time? */
841 {
847 }
850 /* Loop to retry partial writes. */
852 {
855 {
858 {
859 /* Ah, we have found the end of the file */
862 }
863 else
864 {
869 /*
870 * I sometimes use shred on bad media, before throwing it
871 * out. Thus, I don't want it to give up on bad blocks.
872 * This code assumes 512-byte blocks and tries to skip
873 * over them. It works because lim is always a multiple
874 * of 512, except at the end.
875 */
878 {
881 {
884 }
886 }
888 }
889 }
890 }
892 /* Okay, we have written "soff" bytes. */
895 {
898 }
902 /* Time to print progress? */
906 {
917 {
921 else
922 {
937 percent);
938 }
944 /*
945 * Force periodic syncs to keep displayed progress accurate
946 * FIXME: Should these be present even if -v is not enabled,
947 * to keep the buffer cache from filling with dirty pages?
948 * It's a common problem with programs that do lots of writes,
949 * like mkfs.
950 */
952 {
955 }
956 }
957 }
958 }
960 /* Force what we just wrote to hit the media. */
962 {
965 }
967 }
969 /*
970 * The passes start and end with a random pass, and the passes in between
971 * are done in random order. The idea is to deprive someone trying to
972 * reverse the process of knowledge of the overwrite patterns, so they
973 * have the additional step of figuring out what was done to the disk
974 * before they can try to reverse or cancel it.
975 *
976 * First, all possible 1-bit patterns. There are two of them.
977 * Then, all possible 2-bit patterns. There are four, but the two
978 * which are also 1-bit patterns can be omitted.
979 * Then, all possible 3-bit patterns. Likewise, 8-2 = 6.
980 * Then, all possible 4-bit patterns. 16-4 = 12.
981 *
982 * The basic passes are:
983 * 1-bit: 0x000, 0xFFF
984 * 2-bit: 0x555, 0xAAA
985 * 3-bit: 0x249, 0x492, 0x924, 0x6DB, 0xB6D, 0xDB6 (+ 1-bit)
986 * 100100100100 110110110110
987 * 9 2 4 D B 6
988 * 4-bit: 0x111, 0x222, 0x333, 0x444, 0x666, 0x777,
989 * 0x888, 0x999, 0xBBB, 0xCCC, 0xDDD, 0xEEE (+ 1-bit, 2-bit)
990 * Adding three random passes at the beginning, middle and end
991 * produces the default 25-pass structure.
992 *
993 * The next extension would be to 5-bit and 6-bit patterns.
994 * There are 30 uncovered 5-bit patterns and 64-8-2 = 46 uncovered
995 * 6-bit patterns, so they would increase the time required
996 * significantly. 4-bit patterns are enough for most purposes.
997 *
998 * The main gotcha is that this would require a trickier encoding,
999 * since lcm(2,3,4) = 12 bits is easy to fit into an int, but
1000 * lcm(2,3,4,5) = 60 bits is not.
1001 *
1002 * One extension that is included is to complement the first bit in each
1003 * 512-byte block, to alter the phase of the encoded data in the more
1004 * complex encodings. This doesn't apply to MFM, so the 1-bit patterns
1005 * are considered part of the 3-bit ones and the 2-bit patterns are
1006 * considered part of the 4-bit patterns.
1007 *
1008 *
1009 * How does the generalization to variable numbers of passes work?
1010 *
1011 * Here's how...
1012 * Have an ordered list of groups of passes. Each group is a set.
1013 * Take as many groups as will fit, plus a random subset of the
1014 * last partial group, and place them into the passes list.
1015 * Then shuffle the passes list into random order and use that.
1016 *
1017 * One extra detail: if we can't include a large enough fraction of the
1018 * last group to be interesting, then just substitute random passes.
1019 *
1020 * If you want more passes than the entire list of groups can
1021 * provide, just start repeating from the beginning of the list.
1022 */
1023 static int const
1024 patterns[] =
1025 {
1034 /* The following patterns have the frst bit per block flipped */
1040 };
1042 /*
1043 * Generate a random wiping pass pattern with num passes.
1044 * This is a two-stage process. First, the passes to include
1045 * are chosen, and then they are shuffled into the desired
1046 * order.
1047 */
1048 static void
1050 {
1064 /* Stage 1: choose the passes to use */
1071 {
1076 }
1081 {
1085 }
1088 }
1095 }
1100 }
1101 else
1103 do
1104 {
1106 {
1108 n--;
1109 }
1110 p++;
1111 }
1114 }
1115 }
1117 /* assert (d == dest+top); */
1119 /*
1120 * We now have fixed patterns in the dest buffer up to
1121 * "top", and we need to scramble them, with "randpasses"
1122 * random passes evenly spaced among them.
1123 *
1124 * We want one at the beginning, one at the end, and
1125 * evenly spaced in between. To do this, we basically
1126 * use Bresenham's line draw (a.k.a DDA) algorithm
1127 * to draw a line with slope (randpasses-1)/(num-1).
1128 * (We use a positive accumulator and count down to
1129 * do this.)
1130 *
1131 * So for each desired output value, we do the following:
1132 * - If it should be a random pass, copy the pass type
1133 * to top++, out of the way of the other passes, and
1134 * set the current pass to -1 (random).
1135 * - If it should be a normal pattern pass, choose an
1136 * entry at random between here and top-1 (inclusive)
1137 * and swap the current entry with that one.
1138 */
1142 {
1144 {
1148 }
1149 else
1150 {
1155 }
1157 }
1158 /* assert (top == num); */
1161 }
1163 /*
1164 * The core routine to actually do the work. This overwrites the first
1165 * size bytes of the given fd. Returns -1 on error, 0 on success.
1166 */
1167 static int
1170 {
1182 {
1185 }
1187 /* If we know that we can't possibly shred the file, give up now.
1188 Otherwise, we may go into a infinite loop writing data before we
1189 find that we can't rewind the device. */
1193 {
1196 }
1198 /* Allocate pass array */
1203 {
1204 /* Accept a length of zero only if it's a regular file.
1205 For any other type of file, try to get the size another way. */
1207 {
1210 {
1213 }
1214 }
1215 else
1216 {
1219 {
1220 /* We are unable to determine the length, up front.
1221 Let dopass do that as part of its first iteration. */
1223 }
1224 }
1227 {
1230 /* If in rounding up, we've just overflowed, use the maximum. */
1233 }
1234 }
1236 /* Schedule the passes in random order. */
1239 /* Do the work */
1241 {
1243 {
1247 }
1248 }
1257 /* Okay, now deallocate the data. The effect of ftruncate on
1258 non-regular files is unspecified, so don't worry about any
1259 errors reported for them. */
1262 {
1265 }
1268 }
1270 /* A wrapper with a little more checking for fds on the command line */
1271 static int
1274 {
1278 {
1281 }
1283 {
1286 }
1288 }
1290 /* --- Name-wiping code --- */
1292 /* Characters allowed in a file name - a safe universal set. */
1296 /*
1297 * This increments the name, considering it as a big-endian base-N number
1298 * with the digits taken from nameset. Characters not in the nameset
1299 * are considered to come before nameset[0].
1300 *
1301 * It's not obvious, but this will explode if name[0..len-1] contains
1302 * any 0 bytes.
1303 *
1304 * This returns the carry (1 on overflow).
1305 */
1306 static int
1308 {
1315 /* If the character is not found, replace it with a 0 digit */
1317 {
1320 }
1321 /* If this character has a successor, use it */
1323 {
1326 }
1327 /* Otherwise, set this digit to 0 and increment the prefix */
1330 }
1332 /*
1333 * Repeatedly rename a file with shorter and shorter names,
1334 * to obliterate all traces of the file name on any system that
1335 * adds a trailing delimiter to on-disk file names and reuses
1336 * the same directory slot. Finally, unlink it.
1337 * The passed-in filename is modified in place to the new filename.
1338 * (Which is unlinked if this function succeeds, but is still present if
1339 * it fails for some reason.)
1340 *
1341 * The main loop is written carefully to not get stuck if all possible
1342 * names of a given length are occupied. It counts down the length from
1343 * the original to 0. While the length is non-zero, it tries to find an
1344 * unused file name of the given length. It continues until either the
1345 * name is available and the rename succeeds, or it runs out of names
1346 * to try (incname wraps and returns 1). Finally, it unlinks the file.
1347 *
1348 * The unlink is Unix-specific, as ANSI-standard remove has more
1349 * portability problems with C libraries making it "safe". rename
1350 * is ANSI-standard.
1351 *
1352 * To force the directory data out, we try to open the directory and
1353 * invoke fdatasync on it. This is rather non-standard, so we don't
1354 * insist that it works, just fall back to a global sync in that case.
1355 * This is fairly significantly Unix-specific. Of course, on any
1356 * filesystem with synchronous metadata updates, this is unnecessary.
1357 */
1358 static int
1360 {
1371 /* Find the file name portion */
1373 /* Temporary hackery to get a directory fd */
1375 {
1379 }
1380 else
1381 {
1383 }
1388 {
1391 do
1392 {
1395 {
1397 {
1402 {
1403 /*
1404 * People seem to understand this better than talking
1405 * about renaming oldname. newname doesn't need
1406 * quoting because we picked it. oldname needs to
1407 * be quoted only the first time.
1408 */
1412 }
1415 }
1416 else
1417 {
1418 /* The rename failed: give up on this length. */
1420 }
1421 }
1422 else
1423 {
1424 /* newname exists, so increment BASE so we use another */
1425 }
1426 }
1428 len--;
1429 }
1438 }
1440 /*
1441 * Finally, the function that actually takes a filename and grinds
1442 * it into hamburger.
1443 *
1444 * FIXME
1445 * Detail to note: since we do not restore errno to EACCES after
1446 * a failed chmod, we end up printing the error code from the chmod.
1447 * This is actually the error that stopped us from proceeding, so
1448 * it's arguably the right one, and in practice it'll be either EACCES
1449 * again or EPERM, which both give similar error messages.
1450 * Does anyone disagree?
1451 */
1452 static int
1455 {
1460 {
1462 {
1465 }
1468 {
1469 /* We accept /dev/fd/# even if the OS doesn't support it */
1475 /* If it's completely decimal with no leading zeros... */
1479 {
1481 }
1483 }
1484 }
1486 {
1489 }
1493 {
1496 }
1498 {
1502 }
1504 }
1506 int
1508 {
1532 {
1534 {
1543 {
1548 {
1551 }
1553 }
1561 {
1565 {
1568 }
1570 }
1585 case_GETOPT_HELP_CHAR;
1591 }
1592 }
1598 {
1601 }
1604 {
1607 {
1610 }
1611 else
1612 {
1613 /* Plain filename - Note that this overwrites *argv! */
1616 }
1618 }
1620 /* Just on general principles, wipe s. */
1624 }
1625 /*
1626 * vim:sw=2:sts=2:
1627 */