1/*
2 * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright 2004-2014, Akamai Technologies. All Rights Reserved.
4 *
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
9 */
10
11/*
12 * This file is in two halves. The first half implements the public API
13 * to be used by external consumers, and to be used by OpenSSL to store
14 * data in a "secure arena." The second half implements the secure arena.
15 * For details on that implementation, see below (look for uppercase
16 * "SECURE HEAP IMPLEMENTATION").
17 */
18#include "e_os.h"
19#include <openssl/crypto.h>
20
21#include <string.h>
22
23/* e_os.h defines OPENSSL_SECURE_MEMORY if secure memory can be implemented */
24#ifdef OPENSSL_SECURE_MEMORY
25# include <stdlib.h>
26# include <assert.h>
27# include <unistd.h>
28# include <sys/types.h>
29# include <sys/mman.h>
30# if defined(OPENSSL_SYS_LINUX)
31# include <sys/syscall.h>
32# if defined(SYS_mlock2)
33# include <linux/mman.h>
34# include <errno.h>
35# endif
36# include <sys/param.h>
37# endif
38# include <sys/stat.h>
39# include <fcntl.h>
40#endif
41
42#define CLEAR(p, s) OPENSSL_cleanse(p, s)
43#ifndef PAGE_SIZE
44# define PAGE_SIZE 4096
45#endif
46#if !defined(MAP_ANON) && defined(MAP_ANONYMOUS)
47# define MAP_ANON MAP_ANONYMOUS
48#endif
49
50#ifdef OPENSSL_SECURE_MEMORY
51static size_t secure_mem_used;
52
53static int secure_mem_initialized;
54
55static CRYPTO_RWLOCK *sec_malloc_lock = NULL;
56
57/*
58 * These are the functions that must be implemented by a secure heap (sh).
59 */
60static int sh_init(size_t size, int minsize);
61static void *sh_malloc(size_t size);
62static void sh_free(void *ptr);
63static void sh_done(void);
64static size_t sh_actual_size(char *ptr);
65static int sh_allocated(const char *ptr);
66#endif
67
68int CRYPTO_secure_malloc_init(size_t size, int minsize)
69{
70#ifdef OPENSSL_SECURE_MEMORY
71 int ret = 0;
72
73 if (!secure_mem_initialized) {
74 sec_malloc_lock = CRYPTO_THREAD_lock_new();
75 if (sec_malloc_lock == NULL)
76 return 0;
77 if ((ret = sh_init(size, minsize)) != 0) {
78 secure_mem_initialized = 1;
79 } else {
80 CRYPTO_THREAD_lock_free(sec_malloc_lock);
81 sec_malloc_lock = NULL;
82 }
83 }
84
85 return ret;
86#else
87 return 0;
88#endif /* OPENSSL_SECURE_MEMORY */
89}
90
91int CRYPTO_secure_malloc_done(void)
92{
93#ifdef OPENSSL_SECURE_MEMORY
94 if (secure_mem_used == 0) {
95 sh_done();
96 secure_mem_initialized = 0;
97 CRYPTO_THREAD_lock_free(sec_malloc_lock);
98 sec_malloc_lock = NULL;
99 return 1;
100 }
101#endif /* OPENSSL_SECURE_MEMORY */
102 return 0;
103}
104
105int CRYPTO_secure_malloc_initialized(void)
106{
107#ifdef OPENSSL_SECURE_MEMORY
108 return secure_mem_initialized;
109#else
110 return 0;
111#endif /* OPENSSL_SECURE_MEMORY */
112}
113
114void *CRYPTO_secure_malloc(size_t num, const char *file, int line)
115{
116#ifdef OPENSSL_SECURE_MEMORY
117 void *ret;
118 size_t actual_size;
119
120 if (!secure_mem_initialized) {
121 return CRYPTO_malloc(num, file, line);
122 }
123 CRYPTO_THREAD_write_lock(sec_malloc_lock);
124 ret = sh_malloc(num);
125 actual_size = ret ? sh_actual_size(ret) : 0;
126 secure_mem_used += actual_size;
127 CRYPTO_THREAD_unlock(sec_malloc_lock);
128 return ret;
129#else
130 return CRYPTO_malloc(num, file, line);
131#endif /* OPENSSL_SECURE_MEMORY */
132}
133
134void *CRYPTO_secure_zalloc(size_t num, const char *file, int line)
135{
136#ifdef OPENSSL_SECURE_MEMORY
137 if (secure_mem_initialized)
138 /* CRYPTO_secure_malloc() zeroes allocations when it is implemented */
139 return CRYPTO_secure_malloc(num, file, line);
140#endif
141 return CRYPTO_zalloc(num, file, line);
142}
143
144void CRYPTO_secure_free(void *ptr, const char *file, int line)
145{
146#ifdef OPENSSL_SECURE_MEMORY
147 size_t actual_size;
148
149 if (ptr == NULL)
150 return;
151 if (!CRYPTO_secure_allocated(ptr)) {
152 CRYPTO_free(ptr, file, line);
153 return;
154 }
155 CRYPTO_THREAD_write_lock(sec_malloc_lock);
156 actual_size = sh_actual_size(ptr);
157 CLEAR(ptr, actual_size);
158 secure_mem_used -= actual_size;
159 sh_free(ptr);
160 CRYPTO_THREAD_unlock(sec_malloc_lock);
161#else
162 CRYPTO_free(ptr, file, line);
163#endif /* OPENSSL_SECURE_MEMORY */
164}
165
166void CRYPTO_secure_clear_free(void *ptr, size_t num,
167 const char *file, int line)
168{
169#ifdef OPENSSL_SECURE_MEMORY
170 size_t actual_size;
171
172 if (ptr == NULL)
173 return;
174 if (!CRYPTO_secure_allocated(ptr)) {
175 OPENSSL_cleanse(ptr, num);
176 CRYPTO_free(ptr, file, line);
177 return;
178 }
179 CRYPTO_THREAD_write_lock(sec_malloc_lock);
180 actual_size = sh_actual_size(ptr);
181 CLEAR(ptr, actual_size);
182 secure_mem_used -= actual_size;
183 sh_free(ptr);
184 CRYPTO_THREAD_unlock(sec_malloc_lock);
185#else
186 if (ptr == NULL)
187 return;
188 OPENSSL_cleanse(ptr, num);
189 CRYPTO_free(ptr, file, line);
190#endif /* OPENSSL_SECURE_MEMORY */
191}
192
193int CRYPTO_secure_allocated(const void *ptr)
194{
195#ifdef OPENSSL_SECURE_MEMORY
196 int ret;
197
198 if (!secure_mem_initialized)
199 return 0;
200 CRYPTO_THREAD_write_lock(sec_malloc_lock);
201 ret = sh_allocated(ptr);
202 CRYPTO_THREAD_unlock(sec_malloc_lock);
203 return ret;
204#else
205 return 0;
206#endif /* OPENSSL_SECURE_MEMORY */
207}
208
209size_t CRYPTO_secure_used(void)
210{
211#ifdef OPENSSL_SECURE_MEMORY
212 return secure_mem_used;
213#else
214 return 0;
215#endif /* OPENSSL_SECURE_MEMORY */
216}
217
218size_t CRYPTO_secure_actual_size(void *ptr)
219{
220#ifdef OPENSSL_SECURE_MEMORY
221 size_t actual_size;
222
223 CRYPTO_THREAD_write_lock(sec_malloc_lock);
224 actual_size = sh_actual_size(ptr);
225 CRYPTO_THREAD_unlock(sec_malloc_lock);
226 return actual_size;
227#else
228 return 0;
229#endif
230}
231/* END OF PAGE ...
232
233 ... START OF PAGE */
234
235/*
236 * SECURE HEAP IMPLEMENTATION
237 */
238#ifdef OPENSSL_SECURE_MEMORY
239
240
241/*
242 * The implementation provided here uses a fixed-sized mmap() heap,
243 * which is locked into memory, not written to core files, and protected
244 * on either side by an unmapped page, which will catch pointer overruns
245 * (or underruns) and an attempt to read data out of the secure heap.
246 * Free'd memory is zero'd or otherwise cleansed.
247 *
248 * This is a pretty standard buddy allocator. We keep areas in a multiple
249 * of "sh.minsize" units. The freelist and bitmaps are kept separately,
250 * so all (and only) data is kept in the mmap'd heap.
251 *
252 * This code assumes eight-bit bytes. The numbers 3 and 7 are all over the
253 * place.
254 */
255
256#define ONE ((size_t)1)
257
258# define TESTBIT(t, b) (t[(b) >> 3] & (ONE << ((b) & 7)))
259# define SETBIT(t, b) (t[(b) >> 3] |= (ONE << ((b) & 7)))
260# define CLEARBIT(t, b) (t[(b) >> 3] &= (0xFF & ~(ONE << ((b) & 7))))
261
262#define WITHIN_ARENA(p) \
263 ((char*)(p) >= sh.arena && (char*)(p) < &sh.arena[sh.arena_size])
264#define WITHIN_FREELIST(p) \
265 ((char*)(p) >= (char*)sh.freelist && (char*)(p) < (char*)&sh.freelist[sh.freelist_size])
266
267
268typedef struct sh_list_st
269{
270 struct sh_list_st *next;
271 struct sh_list_st **p_next;
272} SH_LIST;
273
274typedef struct sh_st
275{
276 char* map_result;
277 size_t map_size;
278 char *arena;
279 size_t arena_size;
280 char **freelist;
281 ossl_ssize_t freelist_size;
282 size_t minsize;
283 unsigned char *bittable;
284 unsigned char *bitmalloc;
285 size_t bittable_size; /* size in bits */
286} SH;
287
288static SH sh;
289
290static size_t sh_getlist(char *ptr)
291{
292 ossl_ssize_t list = sh.freelist_size - 1;
293 size_t bit = (sh.arena_size + ptr - sh.arena) / sh.minsize;
294
295 for (; bit; bit >>= 1, list--) {
296 if (TESTBIT(sh.bittable, bit))
297 break;
298 OPENSSL_assert((bit & 1) == 0);
299 }
300
301 return list;
302}
303
304
305static int sh_testbit(char *ptr, int list, unsigned char *table)
306{
307 size_t bit;
308
309 OPENSSL_assert(list >= 0 && list < sh.freelist_size);
310 OPENSSL_assert(((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0);
311 bit = (ONE << list) + ((ptr - sh.arena) / (sh.arena_size >> list));
312 OPENSSL_assert(bit > 0 && bit < sh.bittable_size);
313 return TESTBIT(table, bit);
314}
315
316static void sh_clearbit(char *ptr, int list, unsigned char *table)
317{
318 size_t bit;
319
320 OPENSSL_assert(list >= 0 && list < sh.freelist_size);
321 OPENSSL_assert(((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0);
322 bit = (ONE << list) + ((ptr - sh.arena) / (sh.arena_size >> list));
323 OPENSSL_assert(bit > 0 && bit < sh.bittable_size);
324 OPENSSL_assert(TESTBIT(table, bit));
325 CLEARBIT(table, bit);
326}
327
328static void sh_setbit(char *ptr, int list, unsigned char *table)
329{
330 size_t bit;
331
332 OPENSSL_assert(list >= 0 && list < sh.freelist_size);
333 OPENSSL_assert(((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0);
334 bit = (ONE << list) + ((ptr - sh.arena) / (sh.arena_size >> list));
335 OPENSSL_assert(bit > 0 && bit < sh.bittable_size);
336 OPENSSL_assert(!TESTBIT(table, bit));
337 SETBIT(table, bit);
338}
339
340static void sh_add_to_list(char **list, char *ptr)
341{
342 SH_LIST *temp;
343
344 OPENSSL_assert(WITHIN_FREELIST(list));
345 OPENSSL_assert(WITHIN_ARENA(ptr));
346
347 temp = (SH_LIST *)ptr;
348 temp->next = *(SH_LIST **)list;
349 OPENSSL_assert(temp->next == NULL || WITHIN_ARENA(temp->next));
350 temp->p_next = (SH_LIST **)list;
351
352 if (temp->next != NULL) {
353 OPENSSL_assert((char **)temp->next->p_next == list);
354 temp->next->p_next = &(temp->next);
355 }
356
357 *list = ptr;
358}
359
360static void sh_remove_from_list(char *ptr)
361{
362 SH_LIST *temp, *temp2;
363
364 temp = (SH_LIST *)ptr;
365 if (temp->next != NULL)
366 temp->next->p_next = temp->p_next;
367 *temp->p_next = temp->next;
368 if (temp->next == NULL)
369 return;
370
371 temp2 = temp->next;
372 OPENSSL_assert(WITHIN_FREELIST(temp2->p_next) || WITHIN_ARENA(temp2->p_next));
373}
374
375
376static int sh_init(size_t size, int minsize)
377{
378 int ret;
379 size_t i;
380 size_t pgsize;
381 size_t aligned;
382
383 memset(&sh, 0, sizeof(sh));
384
385 /* make sure size and minsize are powers of 2 */
386 OPENSSL_assert(size > 0);
387 OPENSSL_assert((size & (size - 1)) == 0);
388 OPENSSL_assert(minsize > 0);
389 OPENSSL_assert((minsize & (minsize - 1)) == 0);
390 if (size <= 0 || (size & (size - 1)) != 0)
391 goto err;
392 if (minsize <= 0 || (minsize & (minsize - 1)) != 0)
393 goto err;
394
395 while (minsize < (int)sizeof(SH_LIST))
396 minsize *= 2;
397
398 sh.arena_size = size;
399 sh.minsize = minsize;
400 sh.bittable_size = (sh.arena_size / sh.minsize) * 2;
401
402 /* Prevent allocations of size 0 later on */
403 if (sh.bittable_size >> 3 == 0)
404 goto err;
405
406 sh.freelist_size = -1;
407 for (i = sh.bittable_size; i; i >>= 1)
408 sh.freelist_size++;
409
410 sh.freelist = OPENSSL_zalloc(sh.freelist_size * sizeof(char *));
411 OPENSSL_assert(sh.freelist != NULL);
412 if (sh.freelist == NULL)
413 goto err;
414
415 sh.bittable = OPENSSL_zalloc(sh.bittable_size >> 3);
416 OPENSSL_assert(sh.bittable != NULL);
417 if (sh.bittable == NULL)
418 goto err;
419
420 sh.bitmalloc = OPENSSL_zalloc(sh.bittable_size >> 3);
421 OPENSSL_assert(sh.bitmalloc != NULL);
422 if (sh.bitmalloc == NULL)
423 goto err;
424
425 /* Allocate space for heap, and two extra pages as guards */
426#if defined(_SC_PAGE_SIZE) || defined (_SC_PAGESIZE)
427 {
428# if defined(_SC_PAGE_SIZE)
429 long tmppgsize = sysconf(_SC_PAGE_SIZE);
430# else
431 long tmppgsize = sysconf(_SC_PAGESIZE);
432# endif
433 if (tmppgsize < 1)
434 pgsize = PAGE_SIZE;
435 else
436 pgsize = (size_t)tmppgsize;
437 }
438#else
439 pgsize = PAGE_SIZE;
440#endif
441 sh.map_size = pgsize + sh.arena_size + pgsize;
442 if (1) {
443#ifdef MAP_ANON
444 sh.map_result = mmap(NULL, sh.map_size,
445 PROT_READ|PROT_WRITE, MAP_ANON|MAP_PRIVATE, -1, 0);
446 } else {
447#endif
448 int fd;
449
450 sh.map_result = MAP_FAILED;
451 if ((fd = open("/dev/zero", O_RDWR)) >= 0) {
452 sh.map_result = mmap(NULL, sh.map_size,
453 PROT_READ|PROT_WRITE, MAP_PRIVATE, fd, 0);
454 close(fd);
455 }
456 }
457 if (sh.map_result == MAP_FAILED)
458 goto err;
459 sh.arena = (char *)(sh.map_result + pgsize);
460 sh_setbit(sh.arena, 0, sh.bittable);
461 sh_add_to_list(&sh.freelist[0], sh.arena);
462
463 /* Now try to add guard pages and lock into memory. */
464 ret = 1;
465
466 /* Starting guard is already aligned from mmap. */
467 if (mprotect(sh.map_result, pgsize, PROT_NONE) < 0)
468 ret = 2;
469
470 /* Ending guard page - need to round up to page boundary */
471 aligned = (pgsize + sh.arena_size + (pgsize - 1)) & ~(pgsize - 1);
472 if (mprotect(sh.map_result + aligned, pgsize, PROT_NONE) < 0)
473 ret = 2;
474
475#if defined(OPENSSL_SYS_LINUX) && defined(MLOCK_ONFAULT) && defined(SYS_mlock2)
476 if (syscall(SYS_mlock2, sh.arena, sh.arena_size, MLOCK_ONFAULT) < 0) {
477 if (errno == ENOSYS) {
478 if (mlock(sh.arena, sh.arena_size) < 0)
479 ret = 2;
480 } else {
481 ret = 2;
482 }
483 }
484#else
485 if (mlock(sh.arena, sh.arena_size) < 0)
486 ret = 2;
487#endif
488#ifdef MADV_DONTDUMP
489 if (madvise(sh.arena, sh.arena_size, MADV_DONTDUMP) < 0)
490 ret = 2;
491#endif
492
493 return ret;
494
495 err:
496 sh_done();
497 return 0;
498}
499
500static void sh_done(void)
501{
502 OPENSSL_free(sh.freelist);
503 OPENSSL_free(sh.bittable);
504 OPENSSL_free(sh.bitmalloc);
505 if (sh.map_result != NULL && sh.map_size)
506 munmap(sh.map_result, sh.map_size);
507 memset(&sh, 0, sizeof(sh));
508}
509
510static int sh_allocated(const char *ptr)
511{
512 return WITHIN_ARENA(ptr) ? 1 : 0;
513}
514
515static char *sh_find_my_buddy(char *ptr, int list)
516{
517 size_t bit;
518 char *chunk = NULL;
519
520 bit = (ONE << list) + (ptr - sh.arena) / (sh.arena_size >> list);
521 bit ^= 1;
522
523 if (TESTBIT(sh.bittable, bit) && !TESTBIT(sh.bitmalloc, bit))
524 chunk = sh.arena + ((bit & ((ONE << list) - 1)) * (sh.arena_size >> list));
525
526 return chunk;
527}
528
529static void *sh_malloc(size_t size)
530{
531 ossl_ssize_t list, slist;
532 size_t i;
533 char *chunk;
534
535 if (size > sh.arena_size)
536 return NULL;
537
538 list = sh.freelist_size - 1;
539 for (i = sh.minsize; i < size; i <<= 1)
540 list--;
541 if (list < 0)
542 return NULL;
543
544 /* try to find a larger entry to split */
545 for (slist = list; slist >= 0; slist--)
546 if (sh.freelist[slist] != NULL)
547 break;
548 if (slist < 0)
549 return NULL;
550
551 /* split larger entry */
552 while (slist != list) {
553 char *temp = sh.freelist[slist];
554
555 /* remove from bigger list */
556 OPENSSL_assert(!sh_testbit(temp, slist, sh.bitmalloc));
557 sh_clearbit(temp, slist, sh.bittable);
558 sh_remove_from_list(temp);
559 OPENSSL_assert(temp != sh.freelist[slist]);
560
561 /* done with bigger list */
562 slist++;
563
564 /* add to smaller list */
565 OPENSSL_assert(!sh_testbit(temp, slist, sh.bitmalloc));
566 sh_setbit(temp, slist, sh.bittable);
567 sh_add_to_list(&sh.freelist[slist], temp);
568 OPENSSL_assert(sh.freelist[slist] == temp);
569
570 /* split in 2 */
571 temp += sh.arena_size >> slist;
572 OPENSSL_assert(!sh_testbit(temp, slist, sh.bitmalloc));
573 sh_setbit(temp, slist, sh.bittable);
574 sh_add_to_list(&sh.freelist[slist], temp);
575 OPENSSL_assert(sh.freelist[slist] == temp);
576
577 OPENSSL_assert(temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist));
578 }
579
580 /* peel off memory to hand back */
581 chunk = sh.freelist[list];
582 OPENSSL_assert(sh_testbit(chunk, list, sh.bittable));
583 sh_setbit(chunk, list, sh.bitmalloc);
584 sh_remove_from_list(chunk);
585
586 OPENSSL_assert(WITHIN_ARENA(chunk));
587
588 /* zero the free list header as a precaution against information leakage */
589 memset(chunk, 0, sizeof(SH_LIST));
590
591 return chunk;
592}
593
594static void sh_free(void *ptr)
595{
596 size_t list;
597 void *buddy;
598
599 if (ptr == NULL)
600 return;
601 OPENSSL_assert(WITHIN_ARENA(ptr));
602 if (!WITHIN_ARENA(ptr))
603 return;
604
605 list = sh_getlist(ptr);
606 OPENSSL_assert(sh_testbit(ptr, list, sh.bittable));
607 sh_clearbit(ptr, list, sh.bitmalloc);
608 sh_add_to_list(&sh.freelist[list], ptr);
609
610 /* Try to coalesce two adjacent free areas. */
611 while ((buddy = sh_find_my_buddy(ptr, list)) != NULL) {
612 OPENSSL_assert(ptr == sh_find_my_buddy(buddy, list));
613 OPENSSL_assert(ptr != NULL);
614 OPENSSL_assert(!sh_testbit(ptr, list, sh.bitmalloc));
615 sh_clearbit(ptr, list, sh.bittable);
616 sh_remove_from_list(ptr);
617 OPENSSL_assert(!sh_testbit(ptr, list, sh.bitmalloc));
618 sh_clearbit(buddy, list, sh.bittable);
619 sh_remove_from_list(buddy);
620
621 list--;
622
623 /* Zero the higher addressed block's free list pointers */
624 memset(ptr > buddy ? ptr : buddy, 0, sizeof(SH_LIST));
625 if (ptr > buddy)
626 ptr = buddy;
627
628 OPENSSL_assert(!sh_testbit(ptr, list, sh.bitmalloc));
629 sh_setbit(ptr, list, sh.bittable);
630 sh_add_to_list(&sh.freelist[list], ptr);
631 OPENSSL_assert(sh.freelist[list] == ptr);
632 }
633}
634
635static size_t sh_actual_size(char *ptr)
636{
637 int list;
638
639 OPENSSL_assert(WITHIN_ARENA(ptr));
640 if (!WITHIN_ARENA(ptr))
641 return 0;
642 list = sh_getlist(ptr);
643 OPENSSL_assert(sh_testbit(ptr, list, sh.bittable));
644 return sh.arena_size / (ONE << list);
645}
646#endif /* OPENSSL_SECURE_MEMORY */
647