From: Kirill Isakov Date: Mon, 2 May 2022 09:41:03 +0000 (+0600) Subject: gcrypt: initialize secure memory on startup X-Git-Url: https://tinc-vpn.org/git/browse?a=commitdiff_plain;ds=sidebyside;h=c32235ac0ef4ce8af77d59c6186436c49c3d7386;p=tinc gcrypt: initialize secure memory on startup Otherwise libgcrypt does it automatically, but only after we drop privileges. This requires calling mlock(), which kills the sandboxed process on OpenBSD. If this is not enough, libgcrypt will resize the pool without calling mlock(). --- diff --git a/src/gcrypt/crypto.c b/src/gcrypt/crypto.c new file mode 100644 index 00000000..815bedf1 --- /dev/null +++ b/src/gcrypt/crypto.c @@ -0,0 +1,10 @@ +#include "../system.h" + +#include + +#include "../crypto.h" + +void crypto_init(void) { + gcry_control(GCRYCTL_INIT_SECMEM, 32 * 1024, 0); + gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); +} diff --git a/src/gcrypt/meson.build b/src/gcrypt/meson.build index 9cfe466e..ac93c809 100644 --- a/src/gcrypt/meson.build +++ b/src/gcrypt/meson.build @@ -1,5 +1,6 @@ src_lib_crypto = files( 'cipher.c', + 'crypto.c', 'digest.c', 'pem.c', 'prf.c', diff --git a/src/meson.build b/src/meson.build index 564ef6fc..d9f7b14b 100644 --- a/src/meson.build +++ b/src/meson.build @@ -358,10 +358,6 @@ endif subdir(opt_crypto) -if opt_crypto != 'openssl' - src_lib_crypto += 'crypto.c' -endif - if opt_crypto != 'nolegacy' src_lib_crypto += ['cipher.c', 'digest.c'] endif diff --git a/src/crypto.c b/src/nolegacy/crypto.c similarity index 97% rename from src/crypto.c rename to src/nolegacy/crypto.c index 20d917d9..4e6f427a 100644 --- a/src/crypto.c +++ b/src/nolegacy/crypto.c @@ -17,7 +17,7 @@ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ -#include "crypto.h" +#include "../crypto.h" // No-op for those cryptographic libraries that // do not require any additional initialization. diff --git a/src/nolegacy/meson.build b/src/nolegacy/meson.build index c9ea62f4..323a8314 100644 --- a/src/nolegacy/meson.build +++ b/src/nolegacy/meson.build @@ -1,4 +1,7 @@ -src_lib_crypto = files('prf.c') +src_lib_crypto = files( + 'crypto.c', + 'prf.c', +) dep_crypto = dependency('', required: false)