From c32235ac0ef4ce8af77d59c6186436c49c3d7386 Mon Sep 17 00:00:00 2001 From: Kirill Isakov Date: Mon, 2 May 2022 15:41:03 +0600 Subject: [PATCH] gcrypt: initialize secure memory on startup Otherwise libgcrypt does it automatically, but only after we drop privileges. This requires calling mlock(), which kills the sandboxed process on OpenBSD. If this is not enough, libgcrypt will resize the pool without calling mlock(). --- src/gcrypt/crypto.c | 10 ++++++++++ src/gcrypt/meson.build | 1 + src/meson.build | 4 ---- src/{ => nolegacy}/crypto.c | 2 +- src/nolegacy/meson.build | 5 ++++- 5 files changed, 16 insertions(+), 6 deletions(-) create mode 100644 src/gcrypt/crypto.c rename src/{ => nolegacy}/crypto.c (97%) diff --git a/src/gcrypt/crypto.c b/src/gcrypt/crypto.c new file mode 100644 index 00000000..815bedf1 --- /dev/null +++ b/src/gcrypt/crypto.c @@ -0,0 +1,10 @@ +#include "../system.h" + +#include + +#include "../crypto.h" + +void crypto_init(void) { + gcry_control(GCRYCTL_INIT_SECMEM, 32 * 1024, 0); + gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); +} diff --git a/src/gcrypt/meson.build b/src/gcrypt/meson.build index 9cfe466e..ac93c809 100644 --- a/src/gcrypt/meson.build +++ b/src/gcrypt/meson.build @@ -1,5 +1,6 @@ src_lib_crypto = files( 'cipher.c', + 'crypto.c', 'digest.c', 'pem.c', 'prf.c', diff --git a/src/meson.build b/src/meson.build index 564ef6fc..d9f7b14b 100644 --- a/src/meson.build +++ b/src/meson.build @@ -358,10 +358,6 @@ endif subdir(opt_crypto) -if opt_crypto != 'openssl' - src_lib_crypto += 'crypto.c' -endif - if opt_crypto != 'nolegacy' src_lib_crypto += ['cipher.c', 'digest.c'] endif diff --git a/src/crypto.c b/src/nolegacy/crypto.c similarity index 97% rename from src/crypto.c rename to src/nolegacy/crypto.c index 20d917d9..4e6f427a 100644 --- a/src/crypto.c +++ b/src/nolegacy/crypto.c @@ -17,7 +17,7 @@ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ -#include "crypto.h" +#include "../crypto.h" // No-op for those cryptographic libraries that // do not require any additional initialization. diff --git a/src/nolegacy/meson.build b/src/nolegacy/meson.build index c9ea62f4..323a8314 100644 --- a/src/nolegacy/meson.build +++ b/src/nolegacy/meson.build @@ -1,4 +1,7 @@ -src_lib_crypto = files('prf.c') +src_lib_crypto = files( + 'crypto.c', + 'prf.c', +) dep_crypto = dependency('', required: false) -- 2.20.1