From: Remi Gacogne Date: Thu, 29 Mar 2018 13:50:41 +0000 (+0200) Subject: dnsdist: Move to safe_memory_lock / safe_memory_release X-Git-Tag: dnsdist-1.3.0^2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7e81628bb8a74f71ca0ba5010866235375a0cd30;p=pdns dnsdist: Move to safe_memory_lock / safe_memory_release --- diff --git a/m4/pdns_check_secure_memset.m4 b/m4/pdns_check_secure_memset.m4 new file mode 100644 index 000000000..4f582199a --- /dev/null +++ b/m4/pdns_check_secure_memset.m4 @@ -0,0 +1,3 @@ +AC_DEFUN([PDNS_CHECK_SECURE_MEMSET], [ + AC_CHECK_FUNCS([explicit_bzero explicit_memset]) +]) diff --git a/pdns/dnsdistdist/configure.ac b/pdns/dnsdistdist/configure.ac index 6098778eb..96b841f12 100644 --- a/pdns/dnsdistdist/configure.ac +++ b/pdns/dnsdistdist/configure.ac @@ -22,6 +22,7 @@ PDNS_CHECK_CLOCK_GETTIME PDNS_CHECK_OS PDNS_CHECK_NETWORK_LIBS PDNS_CHECK_PTHREAD_NP +PDNS_CHECK_SECURE_MEMSET PDNS_WITH_PROTOBUF diff --git a/pdns/dnsdistdist/m4/dnsdist_check_gnutls.m4 b/pdns/dnsdistdist/m4/dnsdist_check_gnutls.m4 index 65b116a4f..77bb03f14 100644 --- a/pdns/dnsdistdist/m4/dnsdist_check_gnutls.m4 +++ b/pdns/dnsdistdist/m4/dnsdist_check_gnutls.m4 @@ -18,7 +18,7 @@ AC_DEFUN([DNSDIST_CHECK_GNUTLS], [ save_LIBS=$LIBS CFLAGS="$GNUTLS_CFLAGS $CFLAGS" LIBS="$GNUTLS_LIBS $LIBS" - AC_CHECK_FUNCS([gnutls_memset explicit_bzero explicit_memset]) + AC_CHECK_FUNCS([gnutls_memset]) CFLAGS=$save_CFLAGS LIBS=$save_LIBS diff --git a/pdns/dnsdistdist/m4/pdns_check_secure_memset.m4 b/pdns/dnsdistdist/m4/pdns_check_secure_memset.m4 new file mode 120000 index 000000000..58f6bd3be --- /dev/null +++ b/pdns/dnsdistdist/m4/pdns_check_secure_memset.m4 @@ -0,0 +1 @@ +../../../m4/pdns_check_secure_memset.m4 \ No newline at end of file diff --git a/pdns/dnsdistdist/tcpiohandler.cc b/pdns/dnsdistdist/tcpiohandler.cc index 726e014b9..6316bf16c 100644 --- a/pdns/dnsdistdist/tcpiohandler.cc +++ b/pdns/dnsdistdist/tcpiohandler.cc 
@@ -543,16 +543,24 @@ std::atomic OpenSSLTLSIOCtx::s_users(0); #include #include -#ifndef HAVE_LIBSODIUM -void safe_memzero(void* data, size_t size) +void safe_memory_lock(void* data, size_t size) { -#if defined(HAVE_EXPLICIT_BZERO) +#ifdef HAVE_LIBSODIUM + sodium_mlock(data, size); +#endif +} + +void safe_memory_release(void* data, size_t size) +{ +#ifdef HAVE_LIBSODIUM + sodium_munlock(data, size); +#elif defined(HAVE_EXPLICIT_BZERO) explicit_bzero(data, size); #elif defined(HAVE_EXPLICIT_MEMSET) explicit_memset(data, 0, size); #elif defined(HAVE_GNUTLS_MEMSET) gnutls_memset(data, 0, size); -#else /* HAVE_GNUTLS_MEMSET */ +#else /* shamelessly taken from Dovecot's src/lib/safe-memset.c */ volatile unsigned int volatile_zero_idx = 0; volatile unsigned char *p = reinterpret_cast(data); @@ -563,9 +571,8 @@ void safe_memzero(void* data, size_t size) do { memset(data, 0, size); } while (p[volatile_zero_idx] != 0); -#endif /* HAVE_GNUTLS_MEMSET */ +#endif } -#endif /* HAVE_LIBSODIUM */ class GnuTLSTicketsKey { @@ -576,9 +583,7 @@ public: throw std::runtime_error("Error generating tickets key for TLS context"); } -#ifdef HAVE_LIBSODIUM - sodium_mlock(d_key.data, d_key.size); -#endif /* HAVE_LIBSODIUM */ + safe_memory_lock(d_key.data, d_key.size); } GnuTLSTicketsKey(const std::string& keyFile) @@ -589,9 +594,7 @@ public: throw std::runtime_error("Error generating tickets key (before parsing key file) for TLS context"); } -#ifdef HAVE_LIBSODIUM - sodium_mlock(d_key.data, d_key.size); -#endif /* HAVE_LIBSODIUM */ + safe_memory_lock(d_key.data, d_key.size); try { ifstream file(keyFile); @@ -605,11 +608,7 @@ public: file.close(); } catch (const std::exception& e) { -#ifdef HAVE_LIBSODIUM - sodium_munlock(d_key.data, d_key.size); -#else - safe_memzero(d_key.data, d_key.size); -#endif /* HAVE_LIBSODIUM */ + safe_memory_release(d_key.data, d_key.size); gnutls_free(d_key.data); throw; } 
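Review bot: `safe_memory_lock` gives its caller no way to tell that nothing was locked, because the result of `sodium_mlock(data, size)` is discarded and the body is empty when HAVE_LIBSODIUM is not defined. sodium_mlock returns -1 when the lock cannot be taken (for example when the process's locked-memory limit is reached), so the two GnuTLSTicketsKey constructors in the later hunks that call `safe_memory_lock(d_key.data, d_key.size)` would carry on with swappable key material and no trace of it. Consider checking the result, e.g. `if (sodium_mlock(data, size) != 0) { /* report once: key memory is not locked */ }`, using whatever logging helper this file already has in scope. A header comment on both helpers would also help, along the lines of `/* Best effort: no-op without libsodium. */` for the lock and `/* Wipes size bytes at data; with libsodium also unlocks them. */` for the release, since the name safe_memory_release does not say that it zeroes. The body of safe_memory_release continues past this hunk.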
@@ -618,11 +617,7 @@ public: ~GnuTLSTicketsKey() { if (d_key.data != nullptr && d_key.size > 0) { -#ifdef HAVE_LIBSODIUM - sodium_munlock(d_key.data, d_key.size); -#else - safe_memzero(d_key.data, d_key.size); -#endif /* HAVE_LIBSODIUM */ + safe_memory_release(d_key.data, d_key.size); } gnutls_free(d_key.data); }
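Review bot: Releasing one key in this destructor may drop the lock on memory that another live key still relies on, and nothing on the page documents that limit. With libsodium, `safe_memory_release` ends in `sodium_munlock`, and memory locks are tracked per page and do not nest, so a single unlock clears the lock for everything on the affected pages. The allocation of `d_key.data` is not visible in this diff, but if it comes from the general heap (it is freed with `gnutls_free`), two ticket keys alive at the same time, as during a key rotation, could share a page. I would record this next to the helper with a comment such as `// Locks are per page and do not nest: releasing one buffer unlocks any other locked buffer on the same page.` so later callers do not assume per-buffer protection.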