From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Wed, 28 Mar 2018 14:37:43 +0000 (+0200)
Subject: dnsdist: Use safe_memset if we have neither sodium nor gnutls_memset
X-Git-Tag: dnsdist-1.3.0^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=68aaaa061042b7e07ac4f5f0b6a1de869448aea3;p=thirdparty%2Fpdns.git

dnsdist: Use safe_memset if we have neither sodium nor gnutls_memset
---

diff --git a/pdns/dnsdistdist/m4/dnsdist_check_gnutls.m4 b/pdns/dnsdistdist/m4/dnsdist_check_gnutls.m4
index 4d8eaf7842..77bb03f14f 100644
--- a/pdns/dnsdistdist/m4/dnsdist_check_gnutls.m4
+++ b/pdns/dnsdistdist/m4/dnsdist_check_gnutls.m4
@@ -14,6 +14,14 @@ AC_DEFUN([DNSDIST_CHECK_GNUTLS], [
       PKG_CHECK_MODULES([GNUTLS], [gnutls >= 3.1.11], [
         [HAVE_GNUTLS=1]
         AC_DEFINE([HAVE_GNUTLS], [1], [Define to 1 if you have GnuTLS])
+        save_CFLAGS=$CFLAGS
+        save_LIBS=$LIBS
+        CFLAGS="$GNUTLS_CFLAGS $CFLAGS"
+        LIBS="$GNUTLS_LIBS $LIBS"
+        AC_CHECK_FUNCS([gnutls_memset])
+        CFLAGS=$save_CFLAGS
+        LIBS=$save_LIBS
+
       ], [ : ])
     ])
   ])
diff --git a/pdns/dnsdistdist/tcpiohandler.cc b/pdns/dnsdistdist/tcpiohandler.cc
index 4f8d11e12d..0408fcd92d 100644
--- a/pdns/dnsdistdist/tcpiohandler.cc
+++ b/pdns/dnsdistdist/tcpiohandler.cc
@@ -543,6 +543,26 @@ std::atomic<uint64_t> OpenSSLTLSIOCtx::s_users(0);
 #include <gnutls/gnutls.h>
 #include <gnutls/x509.h>
 
+#ifndef HAVE_LIBSODIUM
+void safe_memset(void* data, int c, size_t size)
+{
+#ifdef HAVE_GNUTLS_MEMSET
+      gnutls_memset(data, c, size);
+#else
+      /* shamelessly taken from Dovecot's src/lib/safe-memset.c */
+      volatile unsigned int volatile_zero_idx = 0;
+      volatile unsigned char *p = reinterpret_cast<volatile unsigned char *>(data);
+
+      if (size == 0)
+        return;
+
+      do {
+        memset(data, c, size);
+      } while (p[volatile_zero_idx] != c);
+#endif /* HAVE_GNUTLS_MEMSET */
+}
+#endif /* HAVE_LIBSODIUM */
+
 class GnuTLSTicketsKey
 {
 public:
@@ -583,6 +603,8 @@ public:
     catch (const std::exception& e) {
 #ifdef HAVE_LIBSODIUM
       sodium_munlock(d_key.data, d_key.size);
+#else
+      safe_memset(d_key.data, 0, d_key.size);
 #endif /* HAVE_LIBSODIUM */
       gnutls_free(d_key.data);
       throw;
@@ -595,7 +617,7 @@ public:
 #ifdef HAVE_LIBSODIUM
       sodium_munlock(d_key.data, d_key.size);
 #else
-      gnutls_memset(d_key.data, 0, d_key.size);
+      safe_memset(d_key.data, 0, d_key.size);
 #endif /* HAVE_LIBSODIUM */
     }
     gnutls_free(d_key.data);