| blob | 6da58b2e630496c133056509968738a3ebc14d0c |
1 /* secmem.c - memory allocation from a secure heap
2 * Copyright (C) 1998, 1999, 2000 Free Software Foundation, Inc.
3 *
4 * This file is part of GnuPG.
5 *
6 * GnuPG is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * GnuPG is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
19 * USA.
20 */
22 #include <config.h>
23 #include <stdio.h>
24 #include <stdlib.h>
25 #include <string.h>
26 #include <errno.h>
27 #include <stdarg.h>
28 #include <unistd.h>
29 #if defined(HAVE_MLOCK) || defined(HAVE_MMAP)
30 #include <sys/mman.h>
31 #include <sys/types.h>
32 #include <fcntl.h>
33 #ifdef USE_CAPABILITIES
34 #include <sys/capability.h>
35 #endif
36 #ifdef HAVE_PLOCK
37 #include <sys/lock.h>
38 #endif
39 #endif
46 /* MinGW doesn't seem to prototype getpagesize, though it does have
47 it. */
48 #if !HAVE_DECL_GETPAGESIZE
50 #endif
52 #if defined(MAP_ANON) && !defined(MAP_ANONYMOUS)
53 #define MAP_ANONYMOUS MAP_ANON
54 #endif
55 /* It seems that Slackware 7.1 does not know about EPERM */
56 #if !defined(EPERM) && defined(ENOMEM)
57 #define EPERM ENOMEM
58 #endif
61 #define DEFAULT_POOLSIZE 16384
68 PROPERLY_ALIGNED_TYPE aligned;
70 };
76 #ifdef HAVE_MMAP
78 #endif
92 static void
94 {
96 {
100 }
101 }
104 static void
106 {
107 #if defined(USE_CAPABILITIES) && defined(HAVE_MLOCK)
120 #endif
123 #endif
126 #endif
127 )
130 }
132 #elif defined(HAVE_MLOCK)
133 uid_t uid;
138 #ifdef HAVE_BROKEN_MLOCK
139 /* ick. but at least we get secured memory. about to lock
140 entire data segment. */
141 #ifdef HAVE_PLOCK
142 # ifdef _AIX
143 /* The configure for AIX returns broken mlock but the plock has
144 the strange requirement to somehow set the stack limit first.
145 The problem might turn out in indeterministic program behaviour
146 and hanging processes which can somehow be solved when enough
147 processes are clogging up the memory. To get this problem out
148 of the way we simply don't try to lock the memory at all.
149 */
161 }
166 }
168 #else
172 #endif
175 /* check that we really dropped the privs.
176 * Note: setuid(0) should always fail */
179 }
185 #endif
188 #endif
191 #endif
192 )
195 }
197 #elif defined ( __QNX__ )
198 /* QNX does not page at all, so the whole secure memory stuff does
199 * not make much sense. However it is still of use because it
200 * wipes out the memory on a free().
201 * Therefore it is sufficient to suppress the warning
202 */
203 #elif defined (HAVE_DOSISH_SYSTEM) || defined (__CYGWIN__)
204 /* It does not make sense to print such a warning, given the fact that
205 * this whole Windows !@#$% and their user base are inherently insecure
206 */
207 #elif defined (__riscos__)
208 /* no virtual memory on RISC OS, so no pages are swapped to disc,
209 * besides we don't have mmap, so we don't use it! ;-)
210 * But don't complain, as explained above.
211 */
212 #else
214 #endif
215 }
218 static void
220 {
228 #ifdef HAVE_GETPAGESIZE
230 #else
232 #endif
234 #ifdef HAVE_MMAP
236 #ifdef MAP_ANONYMOUS
246 }
250 }
251 }
252 #endif
259 }
261 #endif
267 else
269 }
272 }
275 /* concatenate unused blocks */
276 static void
278 {
279 /* fixme: we really should do this */
280 }
282 void
284 {
290 /* and now issue the warning if it is not longer suspended */
294 }
295 }
297 unsigned
299 {
305 }
307 /* Returns 1 if memory was locked, 0 if not. */
308 int
310 {
312 #ifndef __riscos__
313 #ifdef USE_CAPABILITIES
314 /* drop all capabilities */
317 #elif !defined(HAVE_DOSISH_SYSTEM)
318 uid_t uid;
325 }
326 #endif
328 }
334 else
336 }
339 }
344 {
353 }
357 }
359 /* Blocks are always a multiple of 32. Note that we allocate an
360 extra of the size of an entire MEMBLOCK. This is required
361 becuase we do not only need the SIZE info but also extra space
362 to chain up unused memory blocks. */
366 retry:
367 /* try to get it from the used blocks */
372 else
375 }
376 /* allocate a new block */
381 }
386 }
387 else
390 leave:
392 cur_blocks++;
399 }
404 {
422 }
424 }
427 void
429 {
438 /* This does not make much sense: probably this memory is held in the
439 * cache. We do it anyway: */
447 cur_blocks--;
449 }
451 int
453 {
455 }
459 /****************
460 * Warning: This code might be called by an interrupt handler
461 * and frankly, there should really be such a handler,
462 * to make sure that the memory is wiped out.
463 * We hope that the OS wipes out mlocked memory after
464 * receiving a SIGKILL - it really should do so, otherwise
465 * there is no chance to get the secure memory cleaned.
466 */
467 void
469 {
477 #ifdef HAVE_MMAP
480 #endif
486 }
489 void
491 {
498 }