2 * Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright 2004-2014, Akamai Technologies. All Rights Reserved.
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
12 * This file is in two halves. The first half implements the public API
13 * to be used by external consumers, and to be used by OpenSSL to store
14 * data in a "secure arena." The second half implements the secure arena.
15 * For details on that implementation, see below (look for uppercase
16 * "SECURE HEAP IMPLEMENTATION").
19 #include <openssl/crypto.h>
23 #ifndef OPENSSL_NO_SECURE_MEMORY
27 # include <sys/types.h>
28 # include <sys/mman.h>
29 # if defined(OPENSSL_SYS_LINUX)
30 # include <sys/syscall.h>
31 # if defined(SYS_mlock2)
32 # include <linux/mman.h>
35 # include <sys/param.h>
37 # include <sys/stat.h>
41 #define CLEAR(p, s) OPENSSL_cleanse(p, s)
43 # define PAGE_SIZE 4096
45 #if !defined(MAP_ANON) && defined(MAP_ANONYMOUS)
46 # define MAP_ANON MAP_ANONYMOUS
49 #ifndef OPENSSL_NO_SECURE_MEMORY
50 static size_t secure_mem_used
;
52 static int secure_mem_initialized
;
54 static CRYPTO_RWLOCK
*sec_malloc_lock
= NULL
;
57 * These are the functions that must be implemented by a secure heap (sh).
59 static int sh_init(size_t size
, size_t minsize
);
60 static void *sh_malloc(size_t size
);
61 static void sh_free(void *ptr
);
62 static void sh_done(void);
63 static size_t sh_actual_size(char *ptr
);
64 static int sh_allocated(const char *ptr
);
67 int CRYPTO_secure_malloc_init(size_t size
, size_t minsize
)
69 #ifndef OPENSSL_NO_SECURE_MEMORY
72 if (!secure_mem_initialized
) {
73 sec_malloc_lock
= CRYPTO_THREAD_lock_new();
74 if (sec_malloc_lock
== NULL
)
76 if ((ret
= sh_init(size
, minsize
)) != 0) {
77 secure_mem_initialized
= 1;
79 CRYPTO_THREAD_lock_free(sec_malloc_lock
);
80 sec_malloc_lock
= NULL
;
87 #endif /* OPENSSL_NO_SECURE_MEMORY */
90 int CRYPTO_secure_malloc_done(void)
92 #ifndef OPENSSL_NO_SECURE_MEMORY
93 if (secure_mem_used
== 0) {
95 secure_mem_initialized
= 0;
96 CRYPTO_THREAD_lock_free(sec_malloc_lock
);
97 sec_malloc_lock
= NULL
;
100 #endif /* OPENSSL_NO_SECURE_MEMORY */
104 int CRYPTO_secure_malloc_initialized(void)
106 #ifndef OPENSSL_NO_SECURE_MEMORY
107 return secure_mem_initialized
;
110 #endif /* OPENSSL_NO_SECURE_MEMORY */
113 void *CRYPTO_secure_malloc(size_t num
, const char *file
, int line
)
115 #ifndef OPENSSL_NO_SECURE_MEMORY
119 if (!secure_mem_initialized
) {
120 return CRYPTO_malloc(num
, file
, line
);
122 CRYPTO_THREAD_write_lock(sec_malloc_lock
);
123 ret
= sh_malloc(num
);
124 actual_size
= ret
? sh_actual_size(ret
) : 0;
125 secure_mem_used
+= actual_size
;
126 CRYPTO_THREAD_unlock(sec_malloc_lock
);
129 return CRYPTO_malloc(num
, file
, line
);
130 #endif /* OPENSSL_NO_SECURE_MEMORY */
133 void *CRYPTO_secure_zalloc(size_t num
, const char *file
, int line
)
135 #ifndef OPENSSL_NO_SECURE_MEMORY
136 if (secure_mem_initialized
)
137 /* CRYPTO_secure_malloc() zeroes allocations when it is implemented */
138 return CRYPTO_secure_malloc(num
, file
, line
);
140 return CRYPTO_zalloc(num
, file
, line
);
143 void CRYPTO_secure_free(void *ptr
, const char *file
, int line
)
145 #ifndef OPENSSL_NO_SECURE_MEMORY
150 if (!CRYPTO_secure_allocated(ptr
)) {
151 CRYPTO_free(ptr
, file
, line
);
154 CRYPTO_THREAD_write_lock(sec_malloc_lock
);
155 actual_size
= sh_actual_size(ptr
);
156 CLEAR(ptr
, actual_size
);
157 secure_mem_used
-= actual_size
;
159 CRYPTO_THREAD_unlock(sec_malloc_lock
);
161 CRYPTO_free(ptr
, file
, line
);
162 #endif /* OPENSSL_NO_SECURE_MEMORY */
165 void CRYPTO_secure_clear_free(void *ptr
, size_t num
,
166 const char *file
, int line
)
168 #ifndef OPENSSL_NO_SECURE_MEMORY
173 if (!CRYPTO_secure_allocated(ptr
)) {
174 OPENSSL_cleanse(ptr
, num
);
175 CRYPTO_free(ptr
, file
, line
);
178 CRYPTO_THREAD_write_lock(sec_malloc_lock
);
179 actual_size
= sh_actual_size(ptr
);
180 CLEAR(ptr
, actual_size
);
181 secure_mem_used
-= actual_size
;
183 CRYPTO_THREAD_unlock(sec_malloc_lock
);
187 OPENSSL_cleanse(ptr
, num
);
188 CRYPTO_free(ptr
, file
, line
);
189 #endif /* OPENSSL_NO_SECURE_MEMORY */
192 int CRYPTO_secure_allocated(const void *ptr
)
194 #ifndef OPENSSL_NO_SECURE_MEMORY
197 if (!secure_mem_initialized
)
199 CRYPTO_THREAD_write_lock(sec_malloc_lock
);
200 ret
= sh_allocated(ptr
);
201 CRYPTO_THREAD_unlock(sec_malloc_lock
);
205 #endif /* OPENSSL_NO_SECURE_MEMORY */
208 size_t CRYPTO_secure_used(void)
210 #ifndef OPENSSL_NO_SECURE_MEMORY
211 return secure_mem_used
;
214 #endif /* OPENSSL_NO_SECURE_MEMORY */
217 size_t CRYPTO_secure_actual_size(void *ptr
)
219 #ifndef OPENSSL_NO_SECURE_MEMORY
222 CRYPTO_THREAD_write_lock(sec_malloc_lock
);
223 actual_size
= sh_actual_size(ptr
);
224 CRYPTO_THREAD_unlock(sec_malloc_lock
);
232 * SECURE HEAP IMPLEMENTATION
234 #ifndef OPENSSL_NO_SECURE_MEMORY
238 * The implementation provided here uses a fixed-sized mmap() heap,
239 * which is locked into memory, not written to core files, and protected
240 * on either side by an unmapped page, which will catch pointer overruns
241 * (or underruns) and an attempt to read data out of the secure heap.
242 * Free'd memory is zero'd or otherwise cleansed.
244 * This is a pretty standard buddy allocator. We keep areas in a multiple
245 * of "sh.minsize" units. The freelist and bitmaps are kept separately,
246 * so all (and only) data is kept in the mmap'd heap.
248 * This code assumes eight-bit bytes. The numbers 3 and 7 are all over the
252 #define ONE ((size_t)1)
254 # define TESTBIT(t, b) (t[(b) >> 3] & (ONE << ((b) & 7)))
255 # define SETBIT(t, b) (t[(b) >> 3] |= (ONE << ((b) & 7)))
256 # define CLEARBIT(t, b) (t[(b) >> 3] &= (0xFF & ~(ONE << ((b) & 7))))
258 #define WITHIN_ARENA(p) \
259 ((char*)(p) >= sh.arena && (char*)(p) < &sh.arena[sh.arena_size])
260 #define WITHIN_FREELIST(p) \
261 ((char*)(p) >= (char*)sh.freelist && (char*)(p) < (char*)&sh.freelist[sh.freelist_size])
264 typedef struct sh_list_st
266 struct sh_list_st
*next
;
267 struct sh_list_st
**p_next
;
277 ossl_ssize_t freelist_size
;
279 unsigned char *bittable
;
280 unsigned char *bitmalloc
;
281 size_t bittable_size
; /* size in bits */
286 static size_t sh_getlist(char *ptr
)
288 ossl_ssize_t list
= sh
.freelist_size
- 1;
289 size_t bit
= (sh
.arena_size
+ ptr
- sh
.arena
) / sh
.minsize
;
291 for (; bit
; bit
>>= 1, list
--) {
292 if (TESTBIT(sh
.bittable
, bit
))
294 OPENSSL_assert((bit
& 1) == 0);
301 static int sh_testbit(char *ptr
, int list
, unsigned char *table
)
305 OPENSSL_assert(list
>= 0 && list
< sh
.freelist_size
);
306 OPENSSL_assert(((ptr
- sh
.arena
) & ((sh
.arena_size
>> list
) - 1)) == 0);
307 bit
= (ONE
<< list
) + ((ptr
- sh
.arena
) / (sh
.arena_size
>> list
));
308 OPENSSL_assert(bit
> 0 && bit
< sh
.bittable_size
);
309 return TESTBIT(table
, bit
);
312 static void sh_clearbit(char *ptr
, int list
, unsigned char *table
)
316 OPENSSL_assert(list
>= 0 && list
< sh
.freelist_size
);
317 OPENSSL_assert(((ptr
- sh
.arena
) & ((sh
.arena_size
>> list
) - 1)) == 0);
318 bit
= (ONE
<< list
) + ((ptr
- sh
.arena
) / (sh
.arena_size
>> list
));
319 OPENSSL_assert(bit
> 0 && bit
< sh
.bittable_size
);
320 OPENSSL_assert(TESTBIT(table
, bit
));
321 CLEARBIT(table
, bit
);
324 static void sh_setbit(char *ptr
, int list
, unsigned char *table
)
328 OPENSSL_assert(list
>= 0 && list
< sh
.freelist_size
);
329 OPENSSL_assert(((ptr
- sh
.arena
) & ((sh
.arena_size
>> list
) - 1)) == 0);
330 bit
= (ONE
<< list
) + ((ptr
- sh
.arena
) / (sh
.arena_size
>> list
));
331 OPENSSL_assert(bit
> 0 && bit
< sh
.bittable_size
);
332 OPENSSL_assert(!TESTBIT(table
, bit
));
336 static void sh_add_to_list(char **list
, char *ptr
)
340 OPENSSL_assert(WITHIN_FREELIST(list
));
341 OPENSSL_assert(WITHIN_ARENA(ptr
));
343 temp
= (SH_LIST
*)ptr
;
344 temp
->next
= *(SH_LIST
**)list
;
345 OPENSSL_assert(temp
->next
== NULL
|| WITHIN_ARENA(temp
->next
));
346 temp
->p_next
= (SH_LIST
**)list
;
348 if (temp
->next
!= NULL
) {
349 OPENSSL_assert((char **)temp
->next
->p_next
== list
);
350 temp
->next
->p_next
= &(temp
->next
);
356 static void sh_remove_from_list(char *ptr
)
358 SH_LIST
*temp
, *temp2
;
360 temp
= (SH_LIST
*)ptr
;
361 if (temp
->next
!= NULL
)
362 temp
->next
->p_next
= temp
->p_next
;
363 *temp
->p_next
= temp
->next
;
364 if (temp
->next
== NULL
)
368 OPENSSL_assert(WITHIN_FREELIST(temp2
->p_next
) || WITHIN_ARENA(temp2
->p_next
));
372 static int sh_init(size_t size
, size_t minsize
)
379 memset(&sh
, 0, sizeof(sh
));
381 /* make sure size is a powers of 2 */
382 OPENSSL_assert(size
> 0);
383 OPENSSL_assert((size
& (size
- 1)) == 0);
384 if (size
== 0 || (size
& (size
- 1)) != 0)
387 if (minsize
<= sizeof(SH_LIST
)) {
388 OPENSSL_assert(sizeof(SH_LIST
) <= 65536);
390 * Compute the minimum possible allocation size.
391 * This must be a power of 2 and at least as large as the SH_LIST
394 minsize
= sizeof(SH_LIST
) - 1;
395 minsize
|= minsize
>> 1;
396 minsize
|= minsize
>> 2;
397 if (sizeof(SH_LIST
) > 16)
398 minsize
|= minsize
>> 4;
399 if (sizeof(SH_LIST
) > 256)
400 minsize
|= minsize
>> 8;
403 /* make sure minsize is a powers of 2 */
404 OPENSSL_assert((minsize
& (minsize
- 1)) == 0);
405 if ((minsize
& (minsize
- 1)) != 0)
409 sh
.arena_size
= size
;
410 sh
.minsize
= minsize
;
411 sh
.bittable_size
= (sh
.arena_size
/ sh
.minsize
) * 2;
413 /* Prevent allocations of size 0 later on */
414 if (sh
.bittable_size
>> 3 == 0)
417 sh
.freelist_size
= -1;
418 for (i
= sh
.bittable_size
; i
; i
>>= 1)
421 sh
.freelist
= OPENSSL_zalloc(sh
.freelist_size
* sizeof(char *));
422 OPENSSL_assert(sh
.freelist
!= NULL
);
423 if (sh
.freelist
== NULL
)
426 sh
.bittable
= OPENSSL_zalloc(sh
.bittable_size
>> 3);
427 OPENSSL_assert(sh
.bittable
!= NULL
);
428 if (sh
.bittable
== NULL
)
431 sh
.bitmalloc
= OPENSSL_zalloc(sh
.bittable_size
>> 3);
432 OPENSSL_assert(sh
.bitmalloc
!= NULL
);
433 if (sh
.bitmalloc
== NULL
)
436 /* Allocate space for heap, and two extra pages as guards */
437 #if defined(_SC_PAGE_SIZE) || defined (_SC_PAGESIZE)
439 # if defined(_SC_PAGE_SIZE)
440 long tmppgsize
= sysconf(_SC_PAGE_SIZE
);
442 long tmppgsize
= sysconf(_SC_PAGESIZE
);
447 pgsize
= (size_t)tmppgsize
;
452 sh
.map_size
= pgsize
+ sh
.arena_size
+ pgsize
;
455 sh
.map_result
= mmap(NULL
, sh
.map_size
,
456 PROT_READ
|PROT_WRITE
, MAP_ANON
|MAP_PRIVATE
, -1, 0);
461 sh
.map_result
= MAP_FAILED
;
462 if ((fd
= open("/dev/zero", O_RDWR
)) >= 0) {
463 sh
.map_result
= mmap(NULL
, sh
.map_size
,
464 PROT_READ
|PROT_WRITE
, MAP_PRIVATE
, fd
, 0);
469 if (sh
.map_result
== MAP_FAILED
)
471 sh
.arena
= (char *)(sh
.map_result
+ pgsize
);
472 sh_setbit(sh
.arena
, 0, sh
.bittable
);
473 sh_add_to_list(&sh
.freelist
[0], sh
.arena
);
475 /* Now try to add guard pages and lock into memory. */
478 /* Starting guard is already aligned from mmap. */
479 if (mprotect(sh
.map_result
, pgsize
, PROT_NONE
) < 0)
482 /* Ending guard page - need to round up to page boundary */
483 aligned
= (pgsize
+ sh
.arena_size
+ (pgsize
- 1)) & ~(pgsize
- 1);
484 if (mprotect(sh
.map_result
+ aligned
, pgsize
, PROT_NONE
) < 0)
487 #if defined(OPENSSL_SYS_LINUX) && defined(MLOCK_ONFAULT) && defined(SYS_mlock2)
488 if (syscall(SYS_mlock2
, sh
.arena
, sh
.arena_size
, MLOCK_ONFAULT
) < 0) {
489 if (errno
== ENOSYS
) {
490 if (mlock(sh
.arena
, sh
.arena_size
) < 0)
497 if (mlock(sh
.arena
, sh
.arena_size
) < 0)
501 if (madvise(sh
.arena
, sh
.arena_size
, MADV_DONTDUMP
) < 0)
512 static void sh_done(void)
514 OPENSSL_free(sh
.freelist
);
515 OPENSSL_free(sh
.bittable
);
516 OPENSSL_free(sh
.bitmalloc
);
517 if (sh
.map_result
!= MAP_FAILED
&& sh
.map_size
)
518 munmap(sh
.map_result
, sh
.map_size
);
519 memset(&sh
, 0, sizeof(sh
));
522 static int sh_allocated(const char *ptr
)
524 return WITHIN_ARENA(ptr
) ? 1 : 0;
527 static char *sh_find_my_buddy(char *ptr
, int list
)
532 bit
= (ONE
<< list
) + (ptr
- sh
.arena
) / (sh
.arena_size
>> list
);
535 if (TESTBIT(sh
.bittable
, bit
) && !TESTBIT(sh
.bitmalloc
, bit
))
536 chunk
= sh
.arena
+ ((bit
& ((ONE
<< list
) - 1)) * (sh
.arena_size
>> list
));
541 static void *sh_malloc(size_t size
)
543 ossl_ssize_t list
, slist
;
547 if (size
> sh
.arena_size
)
550 list
= sh
.freelist_size
- 1;
551 for (i
= sh
.minsize
; i
< size
; i
<<= 1)
556 /* try to find a larger entry to split */
557 for (slist
= list
; slist
>= 0; slist
--)
558 if (sh
.freelist
[slist
] != NULL
)
563 /* split larger entry */
564 while (slist
!= list
) {
565 char *temp
= sh
.freelist
[slist
];
567 /* remove from bigger list */
568 OPENSSL_assert(!sh_testbit(temp
, slist
, sh
.bitmalloc
));
569 sh_clearbit(temp
, slist
, sh
.bittable
);
570 sh_remove_from_list(temp
);
571 OPENSSL_assert(temp
!= sh
.freelist
[slist
]);
573 /* done with bigger list */
576 /* add to smaller list */
577 OPENSSL_assert(!sh_testbit(temp
, slist
, sh
.bitmalloc
));
578 sh_setbit(temp
, slist
, sh
.bittable
);
579 sh_add_to_list(&sh
.freelist
[slist
], temp
);
580 OPENSSL_assert(sh
.freelist
[slist
] == temp
);
583 temp
+= sh
.arena_size
>> slist
;
584 OPENSSL_assert(!sh_testbit(temp
, slist
, sh
.bitmalloc
));
585 sh_setbit(temp
, slist
, sh
.bittable
);
586 sh_add_to_list(&sh
.freelist
[slist
], temp
);
587 OPENSSL_assert(sh
.freelist
[slist
] == temp
);
589 OPENSSL_assert(temp
-(sh
.arena_size
>> slist
) == sh_find_my_buddy(temp
, slist
));
592 /* peel off memory to hand back */
593 chunk
= sh
.freelist
[list
];
594 OPENSSL_assert(sh_testbit(chunk
, list
, sh
.bittable
));
595 sh_setbit(chunk
, list
, sh
.bitmalloc
);
596 sh_remove_from_list(chunk
);
598 OPENSSL_assert(WITHIN_ARENA(chunk
));
600 /* zero the free list header as a precaution against information leakage */
601 memset(chunk
, 0, sizeof(SH_LIST
));
606 static void sh_free(void *ptr
)
613 OPENSSL_assert(WITHIN_ARENA(ptr
));
614 if (!WITHIN_ARENA(ptr
))
617 list
= sh_getlist(ptr
);
618 OPENSSL_assert(sh_testbit(ptr
, list
, sh
.bittable
));
619 sh_clearbit(ptr
, list
, sh
.bitmalloc
);
620 sh_add_to_list(&sh
.freelist
[list
], ptr
);
622 /* Try to coalesce two adjacent free areas. */
623 while ((buddy
= sh_find_my_buddy(ptr
, list
)) != NULL
) {
624 OPENSSL_assert(ptr
== sh_find_my_buddy(buddy
, list
));
625 OPENSSL_assert(ptr
!= NULL
);
626 OPENSSL_assert(!sh_testbit(ptr
, list
, sh
.bitmalloc
));
627 sh_clearbit(ptr
, list
, sh
.bittable
);
628 sh_remove_from_list(ptr
);
629 OPENSSL_assert(!sh_testbit(ptr
, list
, sh
.bitmalloc
));
630 sh_clearbit(buddy
, list
, sh
.bittable
);
631 sh_remove_from_list(buddy
);
635 /* Zero the higher addressed block's free list pointers */
636 memset(ptr
> buddy
? ptr
: buddy
, 0, sizeof(SH_LIST
));
640 OPENSSL_assert(!sh_testbit(ptr
, list
, sh
.bitmalloc
));
641 sh_setbit(ptr
, list
, sh
.bittable
);
642 sh_add_to_list(&sh
.freelist
[list
], ptr
);
643 OPENSSL_assert(sh
.freelist
[list
] == ptr
);
647 static size_t sh_actual_size(char *ptr
)
651 OPENSSL_assert(WITHIN_ARENA(ptr
));
652 if (!WITHIN_ARENA(ptr
))
654 list
= sh_getlist(ptr
);
655 OPENSSL_assert(sh_testbit(ptr
, list
, sh
.bittable
));
656 return sh
.arena_size
/ (ONE
<< list
);
658 #endif /* OPENSSL_NO_SECURE_MEMORY */