| Commit message | Author | Age | Files | Lines |
| |
* cipher/cipher-ccm.c (_gcry_cipher_ccm_tag): Add static qualifier.
* mpi/ec-ed25519.c: Include ec-internal.h.
* src/secmem.c (MB_WIPE_OUT): Remove extra semicolon.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
| |
* random/random-csprng.c (random_poll): It has no args.
* src/secmem.c (_gcry_secmem_module_init): Likewise.
(_gcry_secmem_term): Likewise.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
| |
* src/secmem.c [__riscos__]: Remove.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
| |
* src/secmem.c (lock_pool_pages): Use ERR only for the return value
from mlock.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
| |
* src/secmem.c (lock_pool_pages): Remove escalation of the capability.
--
With CAP_SETPCAP, it might make sense before Linux 2.6.24 when file
capabilities were not supported. But not any more.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
| |
* src/secmem.c (_gcry_secmem_realloc_internal): Use offsetof.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
| |
* src/secmem.c (_gcry_secmem_dump_stats): Factor code out to ...
(secmem_dump_stats_internal): new.
--
This allows inserting a call to the dump function during debug sessions
inside of the allocators, or calling secmem_dump_stats_internal from gdb.
Signed-off-by: Werner Koch <wk@gnupg.org>
| |
* configure.ac (gcry_cv_have_sync_synchronize): New check.
* src/secmem.c (pooldesc_s): Make next pointer volatile.
(memory_barrier): New.
(_gcry_secmem_malloc_internal): Insert memory barrier between
pool->next and mainpool.next assignments.
(_gcry_private_is_secure): Update comments.
--
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
| |
* src/secmem.c (_gcry_secmem_malloc_internal): Release pool descriptor
if the pool could not be allocated.
--
GnuPG-bug-id: 4211
Signed-off-by: Werner Koch <wk@gnupg.org>
| |
* src/gcrypt.h.in (GCRYCTL_AUTO_EXPAND_SECMEM): New enum.
* src/global.c (_gcry_vcontrol): Implement that.
* src/secmem.c (auto_expand): New var.
(_gcry_secmem_set_auto_expand): New.
(_gcry_secmem_malloc_internal): Act upon AUTO_EXPAND.
--
GnuPG-bug-id: 3530
Signed-off-by: Werner Koch <wk@gnupg.org>
| |
* tests/t-secmem.c (main): Detect page size and setup chunk size.
* src/secmem.c (init_pool): Simplify the expression.
--
GnuPG-bug-id: 3351
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
| |
* src/secmem.c (init_pool): Care about the header size.
(_gcry_secmem_malloc_internal): Likewise.
(_gcry_secmem_malloc_internal): Use mb->size for stats.
--
GnuPG-bug-id: 3027
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
| |
--
GnuPG-bug-id: 3120
Reported-by: ka7 (klemens)
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
| |
* acinclude.m4 (GNUPG_CHECK_MLOCK): Check also for EAGAIN which is a
legitimate return code and does not indicate a broken mlock().
* src/secmem.c (lock_pool_pages): Test ERR instead of ERRNO which
could have been overwritten by cap_from_text et al.
--
On FreeBSD, if there are not enough free pages, mlock() can return
EAGAIN, as documented in mlock(2). That doesn't mean that mlock is
broken. I suspect this same issue also exists on the other BSDs.
Suggested-by: Ruben Kerkhof <ruben@rubenkerkhof.com>
This is (now) also true for Linux.
Signed-off-by: Werner Koch <wk@gnupg.org>
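Added example (not libgcrypt code) of the errno discipline the two commits above describe: the pool is mapped and mlock()ed, errno is saved immediately after the mlock() call before anything else can overwrite it, and EAGAIN and ENOMEM are classified as a transient shortage of lockable memory rather than as a broken mlock(). The names `lock_new_pool`, `classify_mlock` and the status enum are chosen for this example, and the 4096-byte page-size fallback is an assumption.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>

/* Outcome of trying to lock a pool into core.  Only MLOCK_BROKEN means
   mlock() itself is unusable; the other failures are expected conditions. */
enum mlock_status {
  MLOCK_OK,          /* pages are locked                                  */
  MLOCK_TRANSIENT,   /* EAGAIN or ENOMEM: not enough lockable memory now  */
  MLOCK_NO_PRIV,     /* EPERM: no privilege (e.g. missing CAP_IPC_LOCK)   */
  MLOCK_BROKEN       /* any other error: treat mlock() as broken          */
};

/* Pure classification so it can be exercised without privileges.  RET is
   mlock()'s return value, SAVED_ERRNO the errno captured right after it. */
enum mlock_status classify_mlock (int ret, int saved_errno)
{
  if (ret == 0)
    return MLOCK_OK;
  switch (saved_errno)
    {
    case EAGAIN:
    case ENOMEM:
      return MLOCK_TRANSIENT;
    case EPERM:
      return MLOCK_NO_PRIV;
    default:
      return MLOCK_BROKEN;
    }
}

/* Map NPAGES anonymous pages as a pool and try to lock them.  errno is
   read into ERR immediately after mlock(); any later libc call (a warning
   printed on the failure path, a capability call) could overwrite it. */
enum mlock_status lock_new_pool (size_t npages, void **pool_out, size_t *len_out)
{
  long pgsz = sysconf (_SC_PAGESIZE);
  size_t len;
  void *pool;
  int ret, err;

  *pool_out = NULL;
  *len_out = 0;
  if (pgsz <= 0)
    pgsz = 4096;                  /* assumption: common page-size fallback */
  len = npages * (size_t) pgsz;

  pool = mmap (NULL, len, PROT_READ | PROT_WRITE,
               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  if (pool == MAP_FAILED)
    return MLOCK_BROKEN;

  ret = mlock (pool, len);
  err = errno;                    /* save before anything can clobber it */

  *pool_out = pool;
  *len_out = len;
  return classify_mlock (ret, err);
}

int main (void)
{
  void *pool;
  size_t len;
  enum mlock_status st = lock_new_pool (1, &pool, &len);

  switch (st)
    {
    case MLOCK_OK:        puts ("pool locked into core"); break;
    case MLOCK_TRANSIENT: puts ("mlock refused for now (EAGAIN/ENOMEM); pool usable but swappable"); break;
    case MLOCK_NO_PRIV:   puts ("no permission to lock memory; consider raising RLIMIT_MEMLOCK"); break;
    case MLOCK_BROKEN:    puts ("mlock() unusable on this system"); break;
    }
  if (pool)
    {
      if (st == MLOCK_OK)
        munlock (pool, len);
      munmap (pool, len);
    }
  return 0;
}
```

The point of the split into `classify_mlock` and `lock_new_pool` is that the decision "is mlock broken or merely refused" depends only on the return value and the errno value saved at the call site; a configure-time probe that fails the build on EAGAIN, or a lock routine that reads errno after printing a warning, gets that decision wrong.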
| |
* src/secmem.c (pooldesc_s): Add fields next, cur_alloced, and
cur_blocks.
(cur_alloced, cur_blocks): Remove vars.
(ptr_into_pool_p): Make it inline.
(stats_update): Add arg pool and update the new pool specific
counters.
(_gcry_secmem_malloc_internal): Add arg xhint and allocate overflow
pools as needed.
(_gcry_secmem_malloc): Pass XHINTS along.
(_gcry_secmem_realloc_internal): Ditto.
(_gcry_secmem_realloc): Ditto.
(_gcry_secmem_free_internal): Take multiple pools into account. Add
return value to indicate whether the arg was freed.
(_gcry_secmem_free): Add return value to indicate whether the arg was
freed.
(_gcry_private_is_secure): Take multiple pools into account.
(_gcry_secmem_term): Release all pools.
(_gcry_secmem_dump_stats): Print stats for all pools.
* src/stdmem.c (_gcry_private_free): Replace _gcry_private_is_secure
test with a direct call of _gcry_secmem_free to avoid double checking.
--
This patch avoids process termination due to an out-of-secure-memory
condition in the MPI subsystem. We consider it more important to have
reliable MPI computations than process termination due to the need for
memory which is protected against being swapped out. Using encrypted
swap is anyway a more reliable protection than those mlock'ed pages.
Note also that mlock'ed pages won't help against hibernation.
GnuPG-bug-id: 2857
Signed-off-by: Werner Koch <wk@gnupg.org>
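Added example (not libgcrypt code) sketching the mechanics behind this commit, the AUTO_EXPAND commit and the memory-barrier commit higher up the log: a main pool plus overflow pools in a linked list, an allocation path that returns NULL instead of terminating the process when no pool has room unless auto-expansion is on, a descriptor that is released again if the pool memory cannot be obtained, and a barrier before the new descriptor is published so a lock-free reader walking the list sees a fully initialised node. Pool memory comes from static storage and calloc() here instead of mmap()/mlock(), the allocator is a plain bump allocator with no free(), the real code's mutex around allocation is omitted, and every name (`secmem_malloc`, `is_secure`, `secmem_pool_count`, `POOL_SIZE`) is this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define POOL_SIZE   1024          /* assumption: tiny pools so the demo overflows */
#define ALIGN_UP(n) (((n) + 15u) & ~(size_t) 15u)

typedef struct pooldesc_s {
  struct pooldesc_s *volatile next;  /* next overflow pool, or NULL       */
  unsigned char *mem;                /* pool storage                      */
  size_t size;                       /* bytes in the pool                 */
  size_t used;                       /* bump allocator: bytes handed out  */
  size_t cur_blocks;                 /* per-pool statistics               */
} pooldesc_t;

static unsigned char mainpool_mem[POOL_SIZE];
static pooldesc_t mainpool = { NULL, mainpool_mem, POOL_SIZE, 0, 0 };
static int auto_expand = 0;

void secmem_set_auto_expand (int on) { auto_expand = on; }

/* Allocate and link a fresh overflow pool.  Returns NULL and leaves the
   list untouched if the descriptor or the pool memory cannot be obtained;
   the descriptor is freed again when the pool memory fails. */
static pooldesc_t *add_overflow_pool (void)
{
  pooldesc_t *pool, *last;

  pool = calloc (1, sizeof *pool);
  if (!pool)
    return NULL;
  pool->mem = calloc (1, POOL_SIZE);
  if (!pool->mem)
    {
      free (pool);                   /* do not leak the descriptor */
      return NULL;
    }
  pool->size = POOL_SIZE;
  pool->next = NULL;

  for (last = &mainpool; last->next; last = last->next)
    ;
  /* Every field of POOL is written before the pointer that makes it
     visible to readers that walk the list without taking a lock. */
  __sync_synchronize ();
  last->next = pool;
  return pool;
}

/* First-fit over all pools; grows the pool list only if allowed. */
void *secmem_malloc (size_t n)
{
  pooldesc_t *pool;
  void *p;

  n = ALIGN_UP (n ? n : 1);
  for (pool = &mainpool; pool; pool = pool->next)
    if (pool->size - pool->used >= n)
      break;
  if (!pool)
    {
      if (!auto_expand)
        return NULL;                 /* caller may fall back to plain memory */
      pool = add_overflow_pool ();
      if (!pool)
        return NULL;
    }
  p = pool->mem + pool->used;
  pool->used += n;
  pool->cur_blocks++;
  return p;
}

/* Lock-free range check over all pools, using uintptr_t so no pointer
   arithmetic is done between unrelated objects. */
int is_secure (const void *p)
{
  uintptr_t a = (uintptr_t) p;
  pooldesc_t *pool;

  for (pool = &mainpool; pool; pool = pool->next)
    {
      uintptr_t lo = (uintptr_t) pool->mem;
      if (a >= lo && a < lo + pool->size)
        return 1;
    }
  return 0;
}

size_t secmem_pool_count (void)
{
  size_t k = 0;
  pooldesc_t *pool;
  for (pool = &mainpool; pool; pool = pool->next)
    k++;
  return k;
}

int main (void)
{
  void *a, *b;
  secmem_set_auto_expand (1);
  a = secmem_malloc (POOL_SIZE);       /* exhausts the main pool          */
  b = secmem_malloc (32);              /* lands in a new overflow pool    */
  printf ("pools: %zu, a secure: %d, b secure: %d\n",
          secmem_pool_count (), is_secure (a), is_secure (b));
  return 0;
}
```

With auto-expansion off the second allocation is refused rather than fatal, which is what lets an out-of-secure-memory condition in the MPI code degrade to an ordinary allocation instead of terminating the process; with it on, the list simply grows, and readers that run concurrently see either the old list or the complete new node.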
| |
* src/secmem.c (_gcry_secmem_malloc): New not yet used arg XHINT.
(_gcry_secmem_realloc): Ditto.
* src/stdmem.c (_gcry_private_malloc_secure): New arg XHINT to be
passed to the secmem functions.
(_gcry_private_realloc): Ditto.
* src/g10lib.h (GCRY_ALLOC_FLAG_XHINT): New.
* src/global.c (do_malloc): Pass this flag as XHINT to the private
allocator.
(_gcry_malloc_secure): Factor code out to ...
(_gcry_malloc_secure_core): this. Add arg XHINT.
(_gcry_realloc): Factor code out to ...
(_gcry_realloc_core): here. Add arg XHINT.
(_gcry_strdup): Factor code out to ...
(_gcry_strdup_core): here. Add arg XHINT.
(_gcry_xrealloc): Use the core function and pass true for XHINT.
(_gcry_xmalloc_secure): Ditto.
(_gcry_xstrdup): Ditto.
Signed-off-by: Werner Koch <wk@gnupg.org>
| |
* src/secmem.c (_gcry_secmem_dump_stats): Add arg EXTENDED and adjust
caller.
* src/gcrypt-testapi.h (PRIV_CTL_DUMP_SECMEM_STATS): New.
* src/global.c (_gcry_vcontrol): Implement that.
* tests/t-secmem.c: New.
* tests/Makefile.am (tests_bin): Add that test.
--
This test does not do much right now.
Signed-off-by: Werner Koch <wk@gnupg.org>
| |
* src/secmem.c (pooldesc_t): New type to collect information about one
pool.
(pool_size): Remove. Now a member of pooldesc_t.
(pool_okay): Ditto.
(pool_is_mmapped): Ditto.
(pool): Rename variable ...
(mainpool): And change type to pooldesc_t.
(ptr_into_pool_p): Add arg 'pool'.
(mb_get_next): Ditto.
(mb_get_prev): Ditto.
(mb_merge): Ditto.
(mb_get_new): Ditto.
(init_pool): Ditto.
(lock_pool): Rename to ...
(lock_pool_pages): this.
(secmem_init): Rename to ...
(_gcry_secmem_init_internal): this. Add local var POOL and init with
address of MAINPOOL.
(_gcry_secmem_malloc_internal): Add local var POOL and init with
address of MAINPOOL.
(_gcry_private_is_secure): Ditto.
(_gcry_secmem_term): Ditto.
(_gcry_secmem_dump_stats): Ditto.
(_gcry_secmem_free_internal): Ditto. Remove check for NULL arg.
(_gcry_secmem_free): Add check for NULL arg before taking the lock.
(_gcry_secmem_realloc): Factor most code out to ...
(_gcry_secmem_realloc_internal): this.
--
This change prepares future work to allow the use of several pools.
Signed-off-by: Werner Koch <wk@gnupg.org>
| |
* src/secmem.c (lock_pool, secmem_init): Do not call any cap_
functions if NO_PRIV_DROP is set.
Signed-off-by: Werner Koch <wk@gnupg.org>
| |
* cipher/cipher-selftest.c (_gcry_selftest_helper_cbc)
(_gcry_selftest_helper_cfb, _gcry_selftest_helper_ctr): Mark variable
as unused.
* random/rndw32.c (slow_gatherer): Avoid signed pointer mismatch
warning.
* src/secmem.c (init_pool): Avoid unused variable warning.
* tests/random.c (writen, readn): Include only if needed.
Signed-off-by: Werner Koch <wk@gnupg.org>
| |
* src/secmem.c (ptr_into_pool_p): Replace size_t by uintptr_t.
--
This is more or less cosmetic.
Signed-off-by: Werner Koch <wk@gnupg.org>
| |
* src/secmem.c (ADDR_TO_BLOCK, mb_get_next, mb_get_new): Cast pointer
from 'char *' to 'memblock_t *' through 'void *'.
(MB_WIPE_OUT): Remove unneeded cast to 'memblock_t *'.
--
Patch fixes 'cast increases required alignment' warnings seen on GCC:
secmem.c: In function 'mb_get_next':
secmem.c:140:13: warning: cast increases required alignment of target type [-Wcast-align]
mb_next = (memblock_t *) ((char *) mb + BLOCK_HEAD_SIZE + mb->size);
^
secmem.c: In function 'mb_get_new':
secmem.c:208:17: warning: cast increases required alignment of target type [-Wcast-align]
mb_split = (memblock_t *) (((char *) mb) + BLOCK_HEAD_SIZE + size);
^
secmem.c: In function '_gcry_secmem_free_internal':
secmem.c:101:3: warning: cast increases required alignment of target type [-Wcast-align]
(memblock_t *) ((char *) addr - BLOCK_HEAD_SIZE)
^
secmem.c:603:8: note: in expansion of macro 'ADDR_TO_BLOCK'
mb = ADDR_TO_BLOCK (a);
^
In file included from secmem.c:40:0:
secmem.c:609:16: warning: cast increases required alignment of target type [-Wcast-align]
wipememory2 ((memblock_t *) ((char *) mb + BLOCK_HEAD_SIZE), (byte), size);
^
g10lib.h:309:54: note: in definition of macro 'wipememory2'
volatile char *_vptr=(volatile char *)(_ptr); \
^
secmem.c:611:3: note: in expansion of macro 'MB_WIPE_OUT'
MB_WIPE_OUT (0xff);
^
secmem.c:609:16: warning: cast increases required alignment of target type [-Wcast-align]
wipememory2 ((memblock_t *) ((char *) mb + BLOCK_HEAD_SIZE), (byte), size);
^
g10lib.h:309:54: note: in definition of macro 'wipememory2'
volatile char *_vptr=(volatile char *)(_ptr); \
^
secmem.c:612:3: note: in expansion of macro 'MB_WIPE_OUT'
MB_WIPE_OUT (0xaa);
^
secmem.c:609:16: warning: cast increases required alignment of target type [-Wcast-align]
wipememory2 ((memblock_t *) ((char *) mb + BLOCK_HEAD_SIZE), (byte), size);
^
g10lib.h:309:54: note: in definition of macro 'wipememory2'
volatile char *_vptr=(volatile char *)(_ptr); \
^
secmem.c:613:3: note: in expansion of macro 'MB_WIPE_OUT'
MB_WIPE_OUT (0x55);
^
secmem.c:609:16: warning: cast increases required alignment of target type [-Wcast-align]
wipememory2 ((memblock_t *) ((char *) mb + BLOCK_HEAD_SIZE), (byte), size);
^
g10lib.h:309:54: note: in definition of macro 'wipememory2'
volatile char *_vptr=(volatile char *)(_ptr); \
^
secmem.c:614:3: note: in expansion of macro 'MB_WIPE_OUT'
MB_WIPE_OUT (0x00);
^
secmem.c: In function '_gcry_secmem_realloc':
secmem.c:644:8: warning: cast increases required alignment of target type [-Wcast-align]
mb = (memblock_t *) ((char *) p - ((size_t) &((memblock_t *) 0)->aligned.c));
^
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
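Added example (not libgcrypt code) of the block-header layout these warnings concern, written so that -Wcast-align stays quiet: the header-to-payload offset comes from offsetof() (the commit further up the log replaces the `&((memblock_t *) 0)->aligned.c` trick the same way), conversions between `char *` and `memblock_t *` go through `void *`, and freeing a block wipes the payload with the 0xff/0xaa/0x55/0x00 passes visible in the MB_WIPE_OUT expansion above, through a volatile pointer so the stores cannot be optimised away. The struct fields, the free-list union member and the helper names are assumptions of this example, not libgcrypt's definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct memblock {
  size_t size;                     /* payload size in bytes                 */
  unsigned flags;                  /* e.g. MB_FLAG_ACTIVE                   */
  union {
    struct memblock *next;         /* free-list link while inactive         */
    long double ld;                /* forces strict alignment of the payload */
    char c[1];                     /* first payload byte                    */
  } aligned;
} memblock_t;

#define MB_FLAG_ACTIVE  (1 << 0)
/* Header size via offsetof, not a cast of a null pointer. */
#define BLOCK_HEAD_SIZE offsetof (memblock_t, aligned.c)

/* Header <-> user pointer.  Casting through void * tells the compiler we
   take responsibility for alignment, which silences -Wcast-align. */
static inline memblock_t *addr_to_block (void *addr)
{
  return (memblock_t *) (void *) ((char *) addr - BLOCK_HEAD_SIZE);
}
static inline void *block_to_addr (memblock_t *mb)
{
  return (char *) mb + BLOCK_HEAD_SIZE;
}

/* Overwrite N bytes at P with BYTE through a volatile pointer. */
static void wipememory (void *p, unsigned char byte, size_t n)
{
  volatile unsigned char *vp = (volatile unsigned char *) p;
  while (n--)
    *vp++ = byte;
}

/* Carve one block out of a raw buffer of LEN bytes that is at least as
   aligned as memblock_t; returns the user pointer or NULL if too small. */
void *block_init (void *buf, size_t len, size_t payload)
{
  memblock_t *mb = (memblock_t *) buf;
  if (len < BLOCK_HEAD_SIZE + payload)
    return NULL;
  mb->size = payload;
  mb->flags = MB_FLAG_ACTIVE;
  return block_to_addr (mb);
}

/* Free: wipe the payload with the four patterns, then mark it inactive. */
void block_free (void *addr)
{
  memblock_t *mb = addr_to_block (addr);
  size_t size = mb->size;
  wipememory (addr, 0xff, size);
  wipememory (addr, 0xaa, size);
  wipememory (addr, 0x55, size);
  wipememory (addr, 0x00, size);
  mb->flags &= ~MB_FLAG_ACTIVE;
}

int block_is_active (void *addr)
{
  return (addr_to_block (addr)->flags & MB_FLAG_ACTIVE) != 0;
}

int block_payload_zeroed (void *addr)
{
  memblock_t *mb = addr_to_block (addr);
  unsigned char *p = addr;
  size_t i;
  for (i = 0; i < mb->size; i++)
    if (p[i])
      return 0;
  return 1;
}

/* Round trip: carve a block, fill it as if it held a key, free it, and
   confirm the header/address conversion and the wipe.  Returns 1 on success. */
int demo_roundtrip (void)
{
  static union { long double ld; unsigned char raw[256]; } buf;  /* aligned storage */
  void *p = block_init (buf.raw, sizeof buf.raw, 64);

  if (!p || addr_to_block (p) != (memblock_t *) (void *) buf.raw)
    return 0;
  if ((uintptr_t) p % _Alignof (long double) != 0)
    return 0;
  memset (p, 'K', 64);                 /* constructed stand-in for key material */
  if (!block_is_active (p))
    return 0;
  block_free (p);
  return !block_is_active (p) && block_payload_zeroed (p);
}
```

Because `aligned` carries a `long double`, offsetof() yields a header size that is a multiple of the strictest alignment in the union, so the payload that follows it is correctly aligned for any type; the casts through `void *` only suppress the warning, they do not create alignment, which is why the raw pool memory itself must be aligned (mmap() pages or an aligned union, as here).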
| |
* configure.ac (NEED_GPG_ERROR_VERSION): Require 1.13.
(gl_LOCK): Remove.
* src/ath.c, src/ath.h: Remove. Remove from all files. Replace all
mutexes by gpgrt based statically initialized locks.
* src/global.c (global_init): Remove ath_init.
(_gcry_vcontrol): Make ath install a dummy function.
(print_config): Remove threads info line.
* doc/gcrypt.texi: Simplify the multi-thread related documentation.
--
The current code only works on ELF systems with weak symbol
support. In particular no locks were used under Windows. With the
new gpgrt_lock functions from the soon to be released libgpg-error
1.13 we have a better portable scheme which also allows for static
initialized mutexes.
Signed-off-by: Werner Koch <wk@gnupg.org>
| |
* src/secmem.c (lock_pool): Remove remaining line. Reported by Ian
Goldberg.
| |
* src/secmem.c (lock_pool, secmem_init): Use cap_free. Reported by
Mike Crowe <mac@mcrowe.com>.
Signed-off-by: Werner Koch <wk@gnupg.org>
| |
* src/gcrypt.h.in (GCRYCTL_DISABLE_LOCKED_SECMEM): New.
(GCRYCTL_DISABLE_PRIV_DROP): New.
* src/global.c (_gcry_vcontrol): Implement them.
* src/secmem.h (GCRY_SECMEM_FLAG_NO_MLOCK): New.
(GCRY_SECMEM_FLAG_NO_PRIV_DROP): New.
* src/secmem.c (no_mlock, no_priv_drop): New.
(_gcry_secmem_set_flags, _gcry_secmem_get_flags): Set and get them.
(lock_pool): Handle no_mlock and no_priv_drop.
Signed-off-by: Werner Koch <wk@gnupg.org>
| |
* src/ath.c: Include assert.h.
(ath_mutex_destroy, ath_mutex_lock, ath_mutex_unlock): Dereference LOCK.
* src/g10lib.h (_gcry_secmem_module_init): New declaration.
* src/global.c (global_init): Call _gcry_secmem_module_init.
* src/secmem.c (_gcry_secmem_module_init): New function.
| |
ERRNO was not always set and thus it could happen that a misleading
error code was returned from a malloc function. Fix was to set
ERRNO.
At one place we also switched to the newer gpg_err_code_from_syserror
which makes sure to return a special error code in case ERRNO is not
set at all.
| |
Check and install the standard git pre-commit hook.
| |
Documentation updates.
| |
* configure.ac: Check for sysconf.
* acinclude.m4 (GNUPG_CHECK_MLOCK): Try to use sysconf to get the
page size and use getpagesize only then if available.
cipher/
* ecc.c (_gcry_ecc_generate): Renamed DUMMY to CURVE and use it.
src/
* secmem.c (init_pool): Use sysconf() if available to determine
page size.
| |
macros. Suggested by Andreas Metzler.
* secmem.c (ptr_into_pool_p): New.
(_gcry_private_is_secure): Implement in terms of new function.
(BLOCK_VALID): Removed. Replaced all users by new function.
| |
* secmem.c (init_pool): Close FD after establishing the mapping.
| |
2006-04-01 Moritz Schulte <moritz@g10code.com>
* gcrypt.h (gcry_ac_eme_pkcs_v1_5): Removed members: key, handle;
added member: key_size.
* secmem.c (MB_FLAG_ACTIVE): write braces around MB_FLAG_ACTIVE
definition.
cipher/ChangeLog:
2006-04-01 Moritz Schulte <moritz@g10code.com>
* ac.c (eme_pkcs_v1_5_encode): Use KEY_SIZE directly, no need to
call gcry_ac_key_get_nbits.
(eme_pkcs_v1_5_decode): Likewise.
(ac_es_dencode_prepare_pkcs_v1_5): Fill options_em structure with
key_size.
(_gcry_ac_data_dump, gcry_ac_data_dump): New functions.
(_gcry_ac_data_to_sexp, _gcry_ac_data_from_sexp): More or less
rewritten; changed S-Expression format so that it matches the one
used in pubkey.c.
| |
Vandoorselaere.
* secmem.h (_gcry_secmem_set_flags,_gcry_secmem_get_flags):
Removed __pure__.
(GCRY_SECMEM_FLAG_NO_WARNING): Put macro value into parens.
| |
* secmem.c (_gcry_secmem_init): Try to lock pool into core not
only when running with root privileges.
| |
manifested itself due to the more rigorous checking in the changed
ath.h
| |
core warning" if the NO_WARNING flag has been set.
* sexp.c (sexp_sscan): Allocate result in secure memory if BUFFER
is in secure memory. Switch to secure memory for a secure %b
format item. Extra paranoid wipe on error.
(gcry_sexp_release): Added paranoid wiping for securely allocated
S-expressions.
* tsexp.c (basic): New pass to check secure memory switching.
| |
* configure.ac: Use it here instead of the generic lib test.
Bumped LT version to C9/A2/R0.
* dsa.c (verify): s/exp/ex/ due to shadowing of a builtin.
* elgamal.c (verify): Ditto.
* ac.c (gcry_ac_data_get_index): s/index/idx/
(gcry_ac_data_copy_internal): Remove the cast in _gcry_malloc.
(gcry_ac_data_add): Must use gcry_realloc instead of realloc.
* pubkey.c (sexp_elements_extract): s/index/idx/ as tribute to the
forehackers.
(gcry_pk_encrypt): Removed shadowed definition of I. Reordered
arguments to malloc for clarity.
(gcry_pk_sign, gcry_pk_genkey): Ditto.
* primegen.c (prime_generate_internal): s/random/randomlevel/.
* i386/mpih-rshift.S, i386/mpih-lshift.S: Use %dl and not %edx for
testb; this avoids an assembler warning.
* mpi-pow.c (gcry_mpi_powm): s/exp/expo/ to avoid shadowing warning.
* autogen.sh: Allow to override the tool name. Do not run
libtoolize. Update required version numbers.
* libgcrypt.vers (_gcry_generate_elg_prime): Removed this symbol;
gnutls does not need it anymore.
* secmem.c (mb_get_new): s/pool/block/ due to global pool.
* misc.c (gcry_set_log_handler): s/logf/f/ to avoid shadowing
warning against a builtin.
* ath-pth-compat.c: cast pth_connect to get rid of the const
prototype.
* basic.c (check_aes128_cbc_cts_cipher): Make it a prototype
* ac.c (check_run): Comment unused variable.
| |
systems, handle ENOMEM.
| |
size_t. Reported by Stephane Corthesy.
| |
* secmem.c (_gcry_secmem_realloc): Do not forget to release secmem
lock. Thanks to low halo for triggering this bug.
| |
* libgcrypt-config.in: Adjusted script for new thread handling.
* Makefile.am: New version, based on GPGMEs Makefile.am.
* ath.c, ath-compat.c, ath.h, ath-pth.c, ath-pth-compat.c,
ath-pthread.c, ath-pthread-compat.c: New files, merged from GPGME.
* ath.c, ath.h, ath-pthread.c, ath-pth.c: Removed files.