]> tinc-vpn.org Git - tinc/commitdiff
projects / tinc / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f86a5f1)
gcrypt: initialize secure memory on startup
authorKirill Isakov <bootctl@gmail.com>
Mon, 2 May 2022 09:41:03 +0000 (15:41 +0600)
committerKirill Isakov <bootctl@gmail.com>
Mon, 2 May 2022 18:49:02 +0000 (00:49 +0600)
Otherwise libgcrypt does it automatically, but only after we drop
privileges. This requires calling mlock(), which kills the sandboxed
process on OpenBSD.

If this is not enough, libgcrypt will resize the pool without calling
mlock().

src/gcrypt/crypto.c [new file with mode: 0644] patch | blob
src/gcrypt/meson.build patch | blob | history
src/meson.build patch | blob | history
src/nolegacy/crypto.c [moved from src/crypto.c with 97% similarity] patch | blob | history
src/nolegacy/meson.build patch | blob | history

diff --git a/src/gcrypt/crypto.c b/src/gcrypt/crypto.c
new file mode 100644 (file)
index 0000000..815bedf
--- /dev/null
+++ b/src/gcrypt/crypto.c
@@ -0,0 +1,10 @@
+#include "../system.h"
+
+#include <gcrypt.h>
+
+#include "../crypto.h"
+
+void crypto_init(void) {
+       gcry_control(GCRYCTL_INIT_SECMEM, 32 * 1024, 0);
+       gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
+}
diff --git a/src/gcrypt/meson.build b/src/gcrypt/meson.build
index 9cfe466e4c5a266010fc0c12251f8adba795f4ad..ac93c809b4b57b9bd0943d6b51898988b883dbc2 100644 (file)
--- a/src/gcrypt/meson.build
+++ b/src/gcrypt/meson.build
@@ -1,5 +1,6 @@
 src_lib_crypto = files(
   'cipher.c',
+  'crypto.c',
   'digest.c',
   'pem.c',
   'prf.c',
diff --git a/src/meson.build b/src/meson.build
index 564ef6fc9b69606c117660a0ba28ba572090b44b..d9f7b14bd6c6458e46574a10c332261c7b0f0392 100644 (file)
--- a/src/meson.build
+++ b/src/meson.build
@@ -358,10 +358,6 @@ endif
 
 subdir(opt_crypto)
 
-if opt_crypto != 'openssl'
-  src_lib_crypto += 'crypto.c'
-endif
-
 if opt_crypto != 'nolegacy'
   src_lib_crypto += ['cipher.c', 'digest.c']
 endif
diff --git a/src/crypto.c b/src/nolegacy/crypto.c
similarity index 97%
rename from src/crypto.c
rename to src/nolegacy/crypto.c
index 20d917d9fd9f096c3b1a7598fa69987975e90799..4e6f427adbfbc20f6694bbb5b4c130b925bc6855 100644 (file)
--- a/src/crypto.c
+++ b/src/nolegacy/crypto.c
@@ -17,7 +17,7 @@
     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 
-#include "crypto.h"
+#include "../crypto.h"
 
 // No-op for those cryptographic libraries that
 // do not require any additional initialization.
diff --git a/src/nolegacy/meson.build b/src/nolegacy/meson.build
index c9ea62f45a06365a4bed80d99782d960a3d6521e..323a8314d8b9b6fed057da288cf7b502fce36efe 100644 (file)
--- a/src/nolegacy/meson.build
+++ b/src/nolegacy/meson.build
@@ -1,4 +1,7 @@
-src_lib_crypto = files('prf.c')
+src_lib_crypto = files(
+  'crypto.c',
+  'prf.c',
+)
 
 dep_crypto = dependency('', required: false)
 
tinc, the VPN daemon