Miscellaneous constification.
359df778 1/* -*-c-*-
2 *
4e66da02 3 * $Id: lmem.c,v 1.5 2004/04/02 01:03:49 mdw Exp $
359df778 4 *
5 * Locked memory allocation (Unix-specific)
6 *
7 * (c) 1999 Straylight/Edgeware
8 */
9
10/*----- Licensing notice --------------------------------------------------*
11 *
12 * This file is part of Catacomb.
13 *
14 * Catacomb is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU Library General Public License as
16 * published by the Free Software Foundation; either version 2 of the
17 * License, or (at your option) any later version.
18 *
19 * Catacomb is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU Library General Public License for more details.
23 *
24 * You should have received a copy of the GNU Library General Public
25 * License along with Catacomb; if not, write to the Free
26 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
27 * MA 02111-1307, USA.
28 */
29
30/*----- Revision history --------------------------------------------------*
31 *
32 * $Log: lmem.c,v $
4e66da02 33 * Revision 1.5 2004/04/02 01:03:49 mdw
34 * Miscellaneous constification.
35 *
fa16f6d3 36 * Revision 1.4 2002/01/24 22:26:11 mdw
37 * Fix build failure when @mlock@ not available.
38 *
37038e63 39 * Revision 1.3 2000/07/29 21:58:15 mdw
40 * (l_destroy): New function for destroying locked memory blocks.
41 *
47d5f7c2 42 * Revision 1.2 2000/06/17 11:29:20 mdw
43 * Add arena support.
44 *
359df778 45 * Revision 1.1 1999/12/22 16:02:52 mdw
46 * Interface to allocating `locked' memory (which isn't paged out).
47 *
48 */
49
50/*----- Header files ------------------------------------------------------*/
51
#include "config.h"

#include <assert.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>

#ifdef HAVE_MLOCK
# include <sys/mman.h>
#endif

#include <mLib/arena.h>
#include <mLib/dstr.h>
#include <mLib/sub.h>

#include "lmem.h"
72
47d5f7c2 73/*----- Arena operations --------------------------------------------------*/
74
/* Arena adaptor: recover the @lmem@ which embeds this @arena@ (as @lm->a@)
 * and forward to @l_alloc@.  The cast presumes @a@ is the first member of
 * @lmem@ -- confirm against lmem.h.
 */
static void *aalloc(arena *a, size_t sz)
{
  lmem *lm = (lmem *)a;
  return (l_alloc(lm, sz));
}
/* Arena adaptor: recover the @lmem@ which embeds this @arena@ (as @lm->a@)
 * and forward to @l_free@.  The cast presumes @a@ is the first member of
 * @lmem@ -- confirm against lmem.h.
 */
static void afree(arena *a, void *p)
{
  lmem *lm = (lmem *)a;
  l_free(lm, p);
}
/* Arena adaptor: recover the @lmem@ which embeds this @arena@ (as @lm->a@)
 * and forward to @l_purge@.  The cast presumes @a@ is the first member of
 * @lmem@ -- confirm against lmem.h.
 */
static void apurge(arena *a)
{
  lmem *lm = (lmem *)a;
  l_purge(lm);
}
78
/* Arena vtable installed by @l_init@ (@lm->a.ops = &l_ops@).  There is no
 * native realloc for locked blocks; @arena_fakerealloc@ is mLib's generic
 * stand-in, presumably allocate-copy-free via @aalloc@/@afree@ -- confirm
 * against mLib/arena.h.
 */
static const arena_ops l_ops = { aalloc, arena_fakerealloc, afree, apurge };
47d5f7c2 80
359df778 81/*----- Main code ---------------------------------------------------------*/
82
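/* --- @l_init@ --- *
 *
 * Arguments:	@lmem *lm@ = pointer to locked memory descriptor
 *		@size_t sz@ = size of locked memory area requested
 *
 * Returns:	Zero if everything is fine, @+1@ if some insecure memory was
 *		allocated, and @-1@ if everything went horribly wrong.
 *
 * Use:		Initializes the locked memory manager.  This function is safe
 *		to call in a privileged program; privileges should usually be
 *		dropped after allocating the locked memory block.
 *
 *		You must call @sub_init@ before allocating locked memory
 *		buffers.
 *
 *		Every field of @lm@ is assigned before any early return, so
 *		@l_report@ (and @l_destroy@) may be called whatever the
 *		result.  On @-1@, @lm->p@ and @lm->l@ are null and @lm->emsg@
 *		explains what went wrong.
 */

int l_init(lmem *lm, size_t sz)
{
  char *p = 0;
  int rc = 0;
  l_node *l;

  /* --- Preliminaries --- *
   *
   * Start from a fully-known descriptor.  Previously only @ops@, @err@ and
   * @f@ were set here, so the @-1@ path below returned with @lm->p@ never
   * assigned and @l_report@ then tested an indeterminate pointer.
   */

  lm->a.ops = &l_ops;
  lm->err = 0;
  lm->emsg = 0;
  lm->f = 0;
  lm->p = 0;
  lm->l = 0;
  lm->sz = lm->free = 0;

  /* --- Try making a secure locked passphrase buffer --- *
   *
   * Drop privileges before emitting diagnostic messages.
   */

#ifdef HAVE_MLOCK

  /* --- Memory-map a page from somewhere --- */

# ifdef MAP_ANON
  p = mmap(0, sz, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
# else
  {
    int fd = open("/dev/zero", O_RDWR);
    if (fd >= 0) {
      int e;
      p = mmap(0, sz, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
      e = errno;			/* don't let @close@ clobber @mmap@'s error */
      close(fd);
      errno = e;
    }
    /* If @open@ failed, @p@ is still null and @errno@ is @open@'s. */
  }
# endif

  /* --- Lock the page in memory --- *
   *
   * @mmap@ reports failure as @MAP_FAILED@ rather than a null pointer; the
   * null test covers the @/dev/zero@ path above not reaching @mmap@ at all.
   * Capture @errno@ before calling anything else which might overwrite it.
   */

  if (p == 0 || p == MAP_FAILED) {
    lm->emsg = "couldn't map locked memory area: %s";
    lm->err = errno;
    p = 0;
  } else if (mlock(p, sz)) {
    lm->emsg = "error locking memory area: %s";
    lm->err = errno;
    munmap(p, sz);
    p = 0;
  } else
    lm->f |= LF_LOCKED;

#endif

  /* --- Make a standard passphrase buffer --- *
   *
   * Fallback: the caller is told via @+1@ that this memory can be paged
   * out, and @l_report@ relays @emsg@.
   */

#ifdef HAVE_MLOCK
  if (!p)
#else
  lm->emsg = "locked memory not available on this system";
#endif
  {
    if ((p = malloc(sz)) == 0) {
      lm->emsg = "not enough standard memory!";
      lm->err = ENOMEM;
      return (-1);
    }
    rc = +1;
  }

  /* --- Initialize the buffer --- */

  lm->sz = lm->free = sz;
  lm->p = p;

  /* --- Initialize the free list --- *
   *
   * One free node spanning the whole buffer; @l_alloc@ carves it up.
   */

  l = CREATE(l_node);
  l->next = 0;
  l->p = p;
  l->sz = sz;
  l->f = 0;
  lm->l = l;

  /* --- Done --- */

  return (rc);
}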
186
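/* --- @l_alloc@ --- *
 *
 * Arguments:	@lmem *lm@ = pointer to locked memory descriptor
 *		@size_t sz@ = size requested
 *
 * Returns:	Pointer to allocated memory, or null if no free block is big
 *		enough (or the request is too large to round up).
 *
 * Use:		Allocates @sz@ bytes of locked memory.  First fit: the node
 *		list is walked from the front and the first free node large
 *		enough is taken, being split if it has room to spare.
 *
 *		Blocks are placed on four-byte boundaries relative to the
 *		buffer start only; callers needing stricter alignment (eight-
 *		byte types on LP64, say) must arrange it themselves.
 */

void *l_alloc(lmem *lm, size_t sz)
{
  l_node *l;

  /* --- Round the request up to a multiple of four --- *
   *
   * The mask has to be a @size_t@.  The earlier @~3u@ was an @unsigned
   * int@; when @size_t@ is wider it converts to a mask with the high bits
   * clear, silently truncating large requests to a much smaller block.
   * A request within three bytes of the top of @size_t@ would wrap to zero
   * during rounding, so refuse it outright.
   */

  if (sz > (size_t)-1 - 3)
    return (0);
  sz = (sz + 3) & ~(size_t)3;

  for (l = lm->l; l; l = l->next) {
    if (l->f & LF_ALLOC)
      continue;
    if (l->sz < sz)
      continue;

    /* --- Claim this node, splitting the excess into a new free node --- */

    l->f |= LF_ALLOC;
    if (l->sz > sz) {
      l_node *n = CREATE(l_node);
      n->next = l->next;
      n->p = l->p + sz;
      n->sz = l->sz - sz;
      n->f = 0;
      l->sz = sz;
      l->next = n;
    }
    assert(((void)"Locked buffer space has vanished", lm->free >= sz));
    lm->free -= sz;
    return (l->p);
  }
  return (0);
}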
223
/* --- @l_free@ --- *
 *
 * Arguments:	@lmem *lm@ = pointer to locked memory descriptor
 *		@void *p@ = pointer to block
 *
 * Returns:	---
 *
 * Use:		Releases a block of locked memory.  The block's contents are
 *		zeroed before it goes back on the free list, and it is merged
 *		with whichever of its neighbours are already free.  Freeing a
 *		pointer that didn't come from @l_alloc@, or freeing a block
 *		twice, trips an assertion.
 */

void l_free(lmem *lm, void *p)
{
  l_node *prev = 0;
  l_node *cur = lm->l;
  l_node *next;
  size_t sz;

  /* --- Locate the node owning @p@, remembering its predecessor --- */

  while (cur && cur->p != p) {
    prev = cur;
    cur = cur->next;
  }
  if (!cur) {
    assert(((void)"Not a locked block", 0));
    return;
  }
  assert(((void)"Block is already free", cur->f & LF_ALLOC));

  /* --- Mark it free and scrub it --- *
   *
   * The buffer stays mapped and reachable through @lm->p@, so this store
   * shouldn't be treated as dead the way one just before @free@ could be.
   */

  cur->f &= ~LF_ALLOC;
  sz = cur->sz;
  memset(p, 0, sz);

  /* --- Merge backwards into a free predecessor --- */

  if (prev && !(prev->f & LF_ALLOC)) {
    assert(((void)"Previous block doesn't fit", prev->p + prev->sz == p));
    prev->sz += sz;
    prev->next = cur->next;
    DESTROY(cur);
    cur = prev;
  }

  /* --- Merge forwards into a free successor --- */

  next = cur->next;
  if (next && !(next->f & LF_ALLOC)) {
    assert(((void)"Next block doesn't fit", next->p == cur->p + cur->sz));
    cur->sz += next->sz;
    cur->next = next->next;
    DESTROY(next);
  }

  /* --- Account for the space which just came back --- */

  lm->free += sz;
  assert(((void)"Free lunch", lm->free <= lm->sz));
}
278
/* --- @l_purge@ --- *
 *
 * Arguments:	@lmem *lm@ = pointer to locked memory descriptor
 *
 * Returns:	---
 *
 * Use:		Purges all the free blocks in the buffer, and clears all of
 *		the locked memory.  Memory is not freed back to the system:
 *		afterwards the buffer is one free block again, as just after
 *		@l_init@.
 */

void l_purge(lmem *lm)
{
  l_node *node;
  l_node *next;
  l_node *whole;

  /* --- Discard every bookkeeping node, allocated or not --- */

  for (node = lm->l; node; node = next) {
    next = node->next;
    DESTROY(node);
  }

  /* --- Scrub the buffer and describe it with a single free node --- */

  memset(lm->p, 0, lm->sz);
  whole = CREATE(l_node);
  whole->next = 0;
  whole->p = lm->p;
  whole->sz = lm->sz;
  whole->f = 0;
  lm->l = whole;
  lm->free = whole->sz;
}
308
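/* --- @l_destroy@ --- *
 *
 * Arguments:	@lmem *lm@ = pointer to locked memory descriptor
 *
 * Returns:	---
 *
 * Use:		Disposes of a locked memory arena permanently.  The buffer is
 *		scrubbed before being returned to the system, and @lm@ is
 *		left with null @p@ and @l@ so a later stray use fails loudly
 *		rather than touching released memory.
 */

void l_destroy(lmem *lm)
{
  l_node *l = lm->l;
  volatile unsigned char *q;
  size_t n;

  /* --- Throw away the bookkeeping list --- */

  while (l) {
    l_node *next = l->next;
    DESTROY(l);
    l = next;
  }

  /* --- Scrub the buffer --- *
   *
   * A plain @memset@ immediately followed by @free@ is a dead store as far
   * as the optimizer is concerned and may be dropped, leaving whatever
   * secrets were here in memory about to be recycled.  Stores through a
   * @volatile@ pointer must be performed, so do it byte by byte.
   */

  q = (volatile unsigned char *)lm->p;
  for (n = lm->sz; n; n--)
    *q++ = 0;

  /* --- Hand the memory back the way it was obtained --- */

  if (lm->f & LF_LOCKED)
    munmap(lm->p, lm->sz);
  else
    free(lm->p);

  /* --- Leave the descriptor inert --- */

  lm->p = 0;
  lm->l = 0;
  lm->sz = lm->free = 0;
  lm->f &= ~LF_LOCKED;
}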
335
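/* --- @l_report@ --- *
 *
 * Arguments:	@lmem *lm@ = pointer to locked memory descriptor
 *		@dstr *d@ = string to write the error message on
 *
 * Returns:	Zero if the buffer is fine, @+1@ if there was a problem
 *		getting locked memory but insecure stuff could be allocated,
 *		and @-1@ if not even insecure memory could be found.
 *
 * Use:		Returns a user-digestable explanation for the state of a
 *		locked memory buffer.  If the return code is zero, no message
 *		is emitted to the string @d@.  The return code matches what
 *		@l_init@ returned for the same descriptor.
 */

int l_report(lmem *lm, dstr *d)
{
  int rc;

  /* --- Work out the state from what @l_init@ recorded --- *
   *
   * @lm->err@ alone isn't a reliable indicator: when @mlock@ isn't
   * available at all, @l_init@ falls back to ordinary memory with @err@
   * left at zero, and the old test then reported success (and said
   * nothing) for a buffer which is not locked.  @LF_LOCKED@ is the
   * authoritative record of whether the memory is pinned.
   */

  if (!lm->p)
    rc = -1;
  else if (!(lm->f & LF_LOCKED))
    rc = +1;
  else
    rc = 0;

  /* --- Emit the explanation --- *
   *
   * @emsg@ is always set by @l_init@ on the paths which give a nonzero
   * code; the guard is for a descriptor which never went through it.  Not
   * every message has a @%s@ in it, in which case the extra argument is
   * simply unused.
   */

  if (rc && lm->emsg)
    dstr_putf(d, lm->emsg, lm->err ? strerror(lm->err) : "unknown error");
  return (rc);
}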
363
364/*----- That's all, folks -------------------------------------------------*/