dnsdist: Move to safe_memory_lock / safe_memory_release

author Remi Gacogne <remi.gacogne@powerdns.com>

Thu, 29 Mar 2018 13:50:41 +0000 (15:50 +0200)

committer Remi Gacogne <remi.gacogne@powerdns.com>

Thu, 29 Mar 2018 13:50:41 +0000 (15:50 +0200)
author Remi Gacogne <remi.gacogne@powerdns.com>
Thu, 29 Mar 2018 13:50:41 +0000 (15:50 +0200)
committer Remi Gacogne <remi.gacogne@powerdns.com>
Thu, 29 Mar 2018 13:50:41 +0000 (15:50 +0200)
diff --git a/m4/pdns_check_secure_memset.m4 b/m4/pdns_check_secure_memset.m4

new file mode 100644 (file)

index 0000000..4f58219
--- /dev/null
+++ b/m4/pdns_check_secure_memset.m4
@@ -0,0 +1,3 @@
+AC_DEFUN([PDNS_CHECK_SECURE_MEMSET], [
+  AC_CHECK_FUNCS([explicit_bzero explicit_memset])
+])
diff --git a/pdns/dnsdistdist/configure.ac b/pdns/dnsdistdist/configure.ac

index 6098778eb401b2a046f80834f3597953cb88bfaf..96b841f12436ed9e9df58b89bdc4ee787f7e404a 100644 (file)
--- a/pdns/dnsdistdist/configure.ac
+++ b/pdns/dnsdistdist/configure.ac
@@ -22,6 +22,7 @@ PDNS_CHECK_CLOCK_GETTIME
  PDNS_CHECK_OS
  PDNS_CHECK_NETWORK_LIBS
  PDNS_CHECK_PTHREAD_NP
+PDNS_CHECK_SECURE_MEMSET
  
  
  PDNS_WITH_PROTOBUF
diff --git a/pdns/dnsdistdist/m4/dnsdist_check_gnutls.m4 b/pdns/dnsdistdist/m4/dnsdist_check_gnutls.m4

index 65b116a4f3e4c891ad2977637bea0bbf254bacb7..77bb03f14ffddd898e931a36fdd8d1f50cd0821a 100644 (file)
--- a/pdns/dnsdistdist/m4/dnsdist_check_gnutls.m4
+++ b/pdns/dnsdistdist/m4/dnsdist_check_gnutls.m4
@@ -18,7 +18,7 @@ AC_DEFUN([DNSDIST_CHECK_GNUTLS], [
          save_LIBS=$LIBS
          CFLAGS="$GNUTLS_CFLAGS $CFLAGS"
          LIBS="$GNUTLS_LIBS $LIBS"
-        AC_CHECK_FUNCS([gnutls_memset explicit_bzero explicit_memset])
+        AC_CHECK_FUNCS([gnutls_memset])
          CFLAGS=$save_CFLAGS
          LIBS=$save_LIBS
  
diff --git a/pdns/dnsdistdist/m4/pdns_check_secure_memset.m4 b/pdns/dnsdistdist/m4/pdns_check_secure_memset.m4

new file mode 120000 (symlink)

index 0000000..58f6bd3
--- /dev/null
+++ b/pdns/dnsdistdist/m4/pdns_check_secure_memset.m4
@@ -0,0 +1 @@
+../../../m4/pdns_check_secure_memset.m4
+\ No newline at end of file
diff --git a/pdns/dnsdistdist/tcpiohandler.cc b/pdns/dnsdistdist/tcpiohandler.cc

index 726e014b906efa4bdbd5a34a362db0197ff427ee..6316bf16c2b76c5f54728fbc06705399d52acc90 100644 (file)
--- a/pdns/dnsdistdist/tcpiohandler.cc
+++ b/pdns/dnsdistdist/tcpiohandler.cc
@@ -543,16 +543,24 @@ std::atomic<uint64_t> OpenSSLTLSIOCtx::s_users(0);
  #include <gnutls/gnutls.h>
  #include <gnutls/x509.h>
  
-#ifndef HAVE_LIBSODIUM
-void safe_memzero(void* data, size_t size)
+void safe_memory_lock(void* data, size_t size)
  {
-#if defined(HAVE_EXPLICIT_BZERO)
+#ifdef HAVE_LIBSODIUM
+  sodium_mlock(data, size);
+#endif
+}
+
+void safe_memory_release(void* data, size_t size)
+{
+#ifdef HAVE_LIBSODIUM
+  sodium_munlock(data, size);
+#elif defined(HAVE_EXPLICIT_BZERO)
    explicit_bzero(data, size);
  #elif defined(HAVE_EXPLICIT_MEMSET)
    explicit_memset(data, 0, size);
  #elif defined(HAVE_GNUTLS_MEMSET)
    gnutls_memset(data, 0, size);
-#else /* HAVE_GNUTLS_MEMSET */
+#else
    /* shamelessly taken from Dovecot's src/lib/safe-memset.c */
    volatile unsigned int volatile_zero_idx = 0;
    volatile unsigned char *p = reinterpret_cast<volatile unsigned char *>(data);
@@ -563,9 +571,8 @@ void safe_memzero(void* data, size_t size)
    do {
      memset(data, 0, size);
    } while (p[volatile_zero_idx] != 0);
-#endif /* HAVE_GNUTLS_MEMSET */
+#endif
  }
-#endif /* HAVE_LIBSODIUM */
  
  class GnuTLSTicketsKey
  {
@@ -576,9 +583,7 @@ public:
        throw std::runtime_error("Error generating tickets key for TLS context");
      }
  
-#ifdef HAVE_LIBSODIUM
-    sodium_mlock(d_key.data, d_key.size);
-#endif /* HAVE_LIBSODIUM */
+    safe_memory_lock(d_key.data, d_key.size);
    }
  
    GnuTLSTicketsKey(const std::string& keyFile)
@@ -589,9 +594,7 @@ public:
        throw std::runtime_error("Error generating tickets key (before parsing key file) for TLS context");
      }
  
-#ifdef HAVE_LIBSODIUM
-    sodium_mlock(d_key.data, d_key.size);
-#endif /* HAVE_LIBSODIUM */
+    safe_memory_lock(d_key.data, d_key.size);
  
      try {
        ifstream file(keyFile);
@@ -605,11 +608,7 @@ public:
        file.close();
      }
      catch (const std::exception& e) {
-#ifdef HAVE_LIBSODIUM
-      sodium_munlock(d_key.data, d_key.size);
-#else
-      safe_memzero(d_key.data, d_key.size);
-#endif /* HAVE_LIBSODIUM */
+      safe_memory_release(d_key.data, d_key.size);
        gnutls_free(d_key.data);
        throw;
      }
@@ -618,11 +617,7 @@ public:
    ~GnuTLSTicketsKey()
    {
      if (d_key.data != nullptr && d_key.size > 0) {
-#ifdef HAVE_LIBSODIUM
-      sodium_munlock(d_key.data, d_key.size);
-#else
-      safe_memzero(d_key.data, d_key.size);
-#endif /* HAVE_LIBSODIUM */
+      safe_memory_release(d_key.data, d_key.size);
      }
      gnutls_free(d_key.data);
    }
author	Remi Gacogne <remi.gacogne@powerdns.com>
	Thu, 29 Mar 2018 13:50:41 +0000 (15:50 +0200)
committer	Remi Gacogne <remi.gacogne@powerdns.com>
	Thu, 29 Mar 2018 13:50:41 +0000 (15:50 +0200)
m4/pdns_check_secure_memset.m4	[new file with mode: 0644]	patch \| blob
pdns/dnsdistdist/configure.ac		patch \| blob \| history
pdns/dnsdistdist/m4/dnsdist_check_gnutls.m4		patch \| blob \| history
pdns/dnsdistdist/m4/pdns_check_secure_memset.m4	[new symlink]	patch \| blob
pdns/dnsdistdist/tcpiohandler.cc		patch \| blob \| history