diff --git a/src/Makefile.am b/src/Makefile.am
index 8886a83b..ae502f4d 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -464,6 +464,7 @@ hdr = base64.h buffer.h burl.h network.h log.h http_kv.h keyvalue.h \
 first.h http_chunk.h \
 algo_hmac.h \
 algo_md.h algo_md5.h algo_sha1.h algo_splaytree.h algo_xxhash.h \
+ ck.h \
 http_auth.h http_cgi.h http_date.h \
 http_header.h http_range.h http_vhostdb.h \
 fdevent.h gw_backend.h connections.h base.h base_decls.h stat_cache.h \
@@ -477,7 +478,7 @@ hdr = base64.h buffer.h burl.h network.h log.h http_kv.h keyvalue.h \
 sys-crypto.h sys-crypto-md.h \
 sys-endian.h sys-mmap.h sys-socket.h sys-strings.h sys-time.h \
 mod_cml.h mod_cml_funcs.h \
- safe_memclear.h sock_addr.h status_counter.h \
+ sock_addr.h status_counter.h \
 mod_magnet_cache.h \
 ls-hpack/lshpack.h \
 ls-hpack/lsxpack_header.h \
diff --git a/src/configfile.c b/src/configfile.c
index 52fd2008..bf2e3a22 100644
--- a/src/configfile.c
+++ b/src/configfile.c
@@ -3,6 +3,7 @@
 #include "base.h"
 #include "burl.h"
 #include "chunk.h"
+#include "ck.h"
 #include "fdevent.h"
 #include "http_etag.h"
 #include "keyvalue.h"
@@ -11,7 +12,6 @@
 #include "configparser.h"
 #include "configfile.h"
 #include "plugin.h"
-#include "safe_memclear.h"
 #include "stat_cache.h"
 #include "sys-crypto.h"
@@ -2192,7 +2192,7 @@ static int config_parse_stdin(server *srv, config_t *context) {
 log_perror(srv->errh, __FILE__, __LINE__, "config read from stdin");
 if (dlen)
- safe_memclear(b->ptr, dlen);
+ ck_memzero(b->ptr, dlen);
 chunk_buffer_release(b);
 return rc;
 }
@@ -2209,7 +2209,7 @@ static int config_parse_file_stream(server *srv, config_t *context, const char *
 int rc = 0;
 if (dlen) {
 rc = config_parse(srv, context, fn, data, (size_t)dlen);
- safe_memclear(data, (size_t)dlen);
+ ck_memzero(data, (size_t)dlen);
 }
 free(data);
 return rc;
diff --git a/src/fdevent.c b/src/fdevent.c
index 6bcfec47..961347cb 100644
--- a/src/fdevent.c
+++ b/src/fdevent.c
@@ -1117,7 +1117,7 @@ int fdevent_set_so_reuseaddr (const int fd, const int opt)
 #include
-#include "safe_memclear.h"
+#include "ck.h"
 __attribute_cold__ /*(convenience routine for use at config at startup)*/
 char *
 fdevent_load_file (const char * const fn, off_t *lim, log_error_st *errh, void *(malloc_fn)(size_t), void(free_fn)(void *))
@@ -1163,7 +1163,7 @@ fdevent_load_file (const char * const fn, off_t *lim, log_error_st *errh, void *
 log_perror(errh, __FILE__, __LINE__, "%s() %s", __func__, fn);
 if (fd >= 0) close(fd);
 if (buf) {
- safe_memclear(buf, (size_t)sz);
+ ck_memzero(buf, (size_t)sz);
 free_fn(buf);
 }
 *lim = 0;
@@ -1199,7 +1199,7 @@ fdevent_load_file_bytes (char * const buf, const off_t sz, off_t off, const char
 if (errh) log_perror(errh, __FILE__, __LINE__, "%s() %s", __func__, fn);
 if (fd >= 0) close(fd);
- safe_memclear(buf, (size_t)sz);
+ ck_memzero(buf, (size_t)sz);
 errno = errnum;
 return -1;
 }
diff --git a/src/mod_auth.c b/src/mod_auth.c
index bd11dad1..84fc63aa 100644
--- a/src/mod_auth.c
+++ b/src/mod_auth.c
@@ -12,7 +12,6 @@
 #include "http_auth.h"
 #include "http_header.h"
 #include "log.h"
-#include "safe_memclear.h"
 #include "algo_splaytree.h"
 /**
@@ -75,7 +74,7 @@ static void http_auth_cache_entry_free (void *data)
 {
 http_auth_cache_entry * const ae = data;
- safe_memclear(ae->pwdigest, ae->dlen);
+ ck_memzero(ae->pwdigest, ae->dlen);
 free(ae);
 }
@@ -828,7 +827,7 @@ static handler_t mod_auth_check_basic(request_st * const r, void *p_d, const str
 break;
 }
- safe_memclear(pw, pwlen);
+ ck_memzero(pw, pwlen);
 buffer_free(username);
 return rc;
 }
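Review bot: No `#include "ck.h"` is visible in the mod_auth.c include hunk (`@@ -12,7 +12,6 @@`) once `safe_memclear.h` is dropped, and the deleted header at the end of this diff shows that header was itself a route to `ck.h`. The file calls `ck_memzero()` and `ck_memeq_const_time_fixed_len()`, so if `ck.h` is not already included above line 12, add `#include "ck.h"` here rather than relying on another header to pull it in. The same applies to the mod_authn_mysql.c include hunk (`@@ -34,7 +34,6 @@`); the other touched files either add `ck.h` or show it in context. With a compiler that only warns on implicit declarations, a missing prototype would not stop the build.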
@@ -1474,7 +1473,7 @@ static handler_t mod_auth_check_digest(request_st * const r, void *p_d, const st
 mod_auth_digest_mutate(&ai,m,uri,nonce,cnonce,nc,qop);
 if (!ck_memeq_const_time_fixed_len(rdigest, ai.digest, ai.dlen)) {
- /*safe_memclear(ai.digest, ai.dlen);*//* skip clear since mutated */
+ /*ck_memzero(ai.digest, ai.dlen);*//*skip clear since mutated*/
 /* digest not ok */
 log_error(r->conf.errh, __FILE__, __LINE__, "digest: auth failed for %s: wrong password, IP: %s",
@@ -1484,7 +1483,7 @@ static handler_t mod_auth_check_digest(request_st * const r, void *p_d, const st
 buffer_free(b);
 return mod_auth_send_401_unauthorized_digest(r, require, 0);
 }
- /*safe_memclear(ai.digest, ai.dlen);*//* skip clear since mutated */
+ /*ck_memzero(ai.digest, ai.dlen);*//* skip clear since mutated */
 /* value is our allow-rules */
 if (!http_auth_match_rules(require, username, NULL, NULL)) {
diff --git a/src/mod_authn_dbi.c b/src/mod_authn_dbi.c
index 3081d789..f58f1015 100644
--- a/src/mod_authn_dbi.c
+++ b/src/mod_authn_dbi.c
@@ -39,7 +39,6 @@
 #include
 #include "sys-crypto-md.h"
-#include "safe_memclear.h"
 #include "base.h"
 #include "ck.h"
 #include "http_auth.h"
@@ -337,7 +336,7 @@ mod_authn_crypt_cmp (const char *reqpw, const char *userpw, unsigned long userpw
 char *crypted = crypt(reqpw, userpw);
 size_t crypwlen = (NULL != crypted) ? strlen(crypted) : 0;
 int rc = (crypwlen == userpwlen) ? memcmp(crypted, userpw, crypwlen) : -1;
- if (crypwlen) safe_memclear(crypted, crypwlen);
+ if (crypwlen) ck_memzero(crypted, crypwlen);
 return rc;
 #else
@@ -365,7 +364,7 @@ mod_authn_crypt_cmp (const char *reqpw, const char *userpw, unsigned long userpw
 size_t crypwlen = (NULL != crypted) ? strlen(crypted) : 0;
 int rc = (crypwlen == userpwlen) ? memcmp(crypted, userpw, crypwlen) : -1;
- safe_memclear(crypted, crypwlen);
+ ck_memzero(crypted, crypwlen);
 #if defined(HAVE_CRYPT_R)
 #if 1 /* (must free() if allocated above) */
 free(crypt_tmp_data);
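Review bot: The commented-out call `/*ck_memzero(ai.digest, ai.dlen);*/` in mod_auth_check_digest (hunks at 1474 and 1484) is dead code that had to be renamed in step with the live calls, and the first copy lost its comment spacing to fit the line. A prose comment states the decision without tracking API names and tells an auditor why the buffer is left alone, e.g. `/* ai.digest intentionally not cleared: it no longer holds the stored digest after mod_auth_digest_mutate() */`; that wording is inferred from the mutate call visible above and should be confirmed. The function body extends outside both hunks.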
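Review bot: `memcmp(crypted, userpw, crypwlen)` in mod_authn_crypt_cmp (mod_authn_dbi.c, hunk at 337) compares the crypt() result with the stored hash in data-dependent time. This file already includes `ck.h`, and the digest checks elsewhere in this diff use `ck_memeq_const_time_fixed_len()`. Since the lengths are checked for equality first, the line could become `int rc = (crypwlen == userpwlen && ck_memeq_const_time_fixed_len(crypted, userpw, crypwlen)) ? 0 : -1;`, which keeps the 0-on-match result. The same expression appears in the `#else` branch (hunk at 365) and in mod_authn_mysql_password_cmp (mod_authn_mysql.c, hunk at 300). The function body extends outside the hunk.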
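Review bot: The `#else` branch of mod_authn_crypt_cmp (mod_authn_dbi.c, hunk at 365) calls `ck_memzero(crypted, crypwlen);` without the `if (crypwlen)` guard that the crypt() branch uses (hunk at 337). When `crypted` is NULL, `crypwlen` is 0 per the line above, so the call becomes `ck_memzero(NULL, 0)`. Whether that is well defined depends on how ck_memzero is implemented, which this diff does not show. Matching the other branch with `if (crypwlen) ck_memzero(crypted, crypwlen);` removes the question. The function body extends outside the hunk.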
diff --git a/src/mod_authn_file.c b/src/mod_authn_file.c
index 9b9182b8..50efbe16 100644
--- a/src/mod_authn_file.c
+++ b/src/mod_authn_file.c
@@ -18,8 +18,6 @@
 #include "sys-crypto-md.h" /* USE_LIB_CRYPTO */
-#include "safe_memclear.h"
-
 #include "base.h"
 #include "ck.h"
 #include "plugin.h"
@@ -270,7 +268,7 @@ static int mod_authn_file_htdigest_get(request_st * const r, void *p_d, http_aut
 if (NULL == data) return -1;
 int rc = mod_authn_file_htdigest_get_loop(data, auth_fn, ai, r->conf.errh);
- safe_memclear(data, (size_t)dlen);
+ ck_memzero(data, (size_t)dlen);
 free(data);
 return rc;
 }
@@ -296,7 +294,7 @@ static handler_t mod_authn_file_htdigest_basic(request_st * const r, void *p_d,
 if (mod_authn_file_htdigest_get(r, p_d, &ai)) return HANDLER_ERROR;
 if (ai.dlen > sizeof(htdigest)) {
- safe_memclear(ai.digest, ai.dlen);
+ ck_memzero(ai.digest, ai.dlen);
 return HANDLER_ERROR;/*(should not happen)*/
 }
 memcpy(htdigest, ai.digest, ai.dlen); /*(save digest before reuse of ai)*/
@@ -306,8 +304,8 @@ static handler_t mod_authn_file_htdigest_basic(request_st * const r, void *p_d,
 int rc = (ck_memeq_const_time_fixed_len(htdigest, ai.digest, ai.dlen) && http_auth_match_rules(require, username->ptr, NULL, NULL));
- safe_memclear(htdigest, ai.dlen);
- safe_memclear(ai.digest, ai.dlen);
+ ck_memzero(htdigest, ai.dlen);
+ ck_memzero(ai.digest, ai.dlen);
 return rc ? HANDLER_GO_ON : HANDLER_ERROR;
 }
@@ -368,7 +366,7 @@ static int mod_authn_file_htpasswd_get(const buffer *auth_fn, const char *userna
 }
 } while (*n && *(f_user = n+1));
- safe_memclear(data, (size_t)dlen);
+ ck_memzero(data, (size_t)dlen);
 free(data);
 return rc;
 }
@@ -383,7 +381,7 @@ static handler_t mod_authn_file_plain_digest(request_st * const r, void *p_d, ht
 /* generate password from plain-text */
 mod_authn_file_digest(ai, CONST_BUF_LEN(password_buf));
 }
- safe_memclear(password_buf->ptr, password_buf->size);
+ ck_memzero(password_buf->ptr, password_buf->size);
 buffer_free(password_buf);
 return (0 == rc) ? HANDLER_GO_ON : HANDLER_ERROR;
 }
@@ -399,7 +397,7 @@ static handler_t mod_authn_file_plain_basic(request_st * const r, void *p_d, con
 ? 0 : -1;
 }
- safe_memclear(password_buf->ptr, password_buf->size);
+ ck_memzero(password_buf->ptr, password_buf->size);
 buffer_free(password_buf);
 return 0 == rc && http_auth_match_rules(require, username->ptr, NULL, NULL) ? HANDLER_GO_ON
@@ -587,7 +585,7 @@ static void apr_md5_encode(const char *pw, const char *salt, char *result, size_
 /* * Don't leave anything around in vm they could use. */
- safe_memclear(final, sizeof(final));
+ ck_memzero(final, sizeof(final));
 /* FIXME */
@@ -713,7 +711,7 @@ static handler_t mod_authn_file_htpasswd_basic(request_st * const r, void *p_d,
 }
 #endif
 }
- safe_memclear(password->ptr, password->size);
+ ck_memzero(password->ptr, password->size);
 buffer_free(password);
 return 0 == rc && http_auth_match_rules(require, username->ptr, NULL, NULL) ? HANDLER_GO_ON
diff --git a/src/mod_authn_mysql.c b/src/mod_authn_mysql.c
index 99476aec..e1dbd37f 100644
--- a/src/mod_authn_mysql.c
+++ b/src/mod_authn_mysql.c
@@ -34,7 +34,6 @@
 #include "http_auth.h"
 #include "log.h"
 #include "plugin.h"
-#include "safe_memclear.h"
 #include
 #include
@@ -300,7 +299,7 @@ static int mod_authn_mysql_password_cmp(const char *userpw, unsigned long userpw
 char *crypted = crypt(reqpw, userpw);
 size_t crypwlen = (NULL != crypted) ? strlen(crypted) : 0;
 int rc = (crypwlen == userpwlen) ? memcmp(crypted, userpw, crypwlen) : -1;
- if (crypwlen) safe_memclear(crypted, crypwlen);
+ if (crypwlen) ck_memzero(crypted, crypwlen);
 return rc;
 } else
diff --git a/src/mod_mbedtls.c b/src/mod_mbedtls.c
index 5b9d9d89..bae3d4e1 100644
--- a/src/mod_mbedtls.c
+++ b/src/mod_mbedtls.c
@@ -85,12 +85,12 @@
 #endif
 #include "base.h"
+#include "ck.h"
 #include "fdevent.h"
 #include "http_header.h"
 #include "http_kv.h"
 #include "log.h"
 #include "plugin.h"
-#include "safe_memclear.h"
 typedef struct {
 /* SNI per host: with COMP_SERVER_SOCKET, COMP_HTTP_SCHEME, COMP_HTTP_HOST */
@@ -817,7 +817,7 @@ mod_mbedtls_x509_crl_parse_file (mbedtls_x509_crl *chain, const char *fn)
 rc = mbedtls_x509_crl_parse(chain, (unsigned char *)data, (size_t)dlen+1);
- if (dlen) safe_memclear(data, (size_t)dlen);
+ if (dlen) ck_memzero(data, (size_t)dlen);
 free(data);
 return rc;
@@ -890,7 +890,7 @@ mod_mbedtls_x509_crt_parse_acme (mbedtls_x509_crt *chain, const char *fn)
 mbedtls_pem_free(&pem);
- if (dlen) safe_memclear(data, (size_t)dlen);
+ if (dlen) ck_memzero(data, (size_t)dlen);
 free(data);
 return rc;
@@ -909,7 +909,7 @@ mod_mbedtls_x509_crt_parse_file (mbedtls_x509_crt *chain, const char *fn)
 rc = mbedtls_x509_crt_parse(chain, (unsigned char *)data, (size_t)dlen+1);
- if (dlen) safe_memclear(data, (size_t)dlen);
+ if (dlen) ck_memzero(data, (size_t)dlen);
 free(data);
 return rc;
@@ -928,7 +928,7 @@ mod_mbedtls_pk_parse_keyfile (mbedtls_pk_context *ctx, const char *fn, const cha
 (const unsigned char *)pwd, pwd ? strlen(pwd) : 0);
- if (dlen) safe_memclear(data, (size_t)dlen);
+ if (dlen) ck_memzero(data, (size_t)dlen);
 free(data);
 return rc;
diff --git a/src/mod_nss.c b/src/mod_nss.c
index a441990f..167e5a95 100644
--- a/src/mod_nss.c
+++ b/src/mod_nss.c
@@ -110,12 +110,12 @@
 #endif
 #include "base.h"
+#include "ck.h"
 #include "fdevent.h"
 #include "http_header.h"
 #include "http_kv.h"
 #include "log.h"
 #include "plugin.h"
-#include "safe_memclear.h"
 typedef struct {
 /* SNI per host: with COMP_SERVER_SOCKET, COMP_HTTP_SCHEME, COMP_HTTP_HOST */
@@ -358,8 +358,8 @@ mod_nss_secitem_wipe (SECItem * const d)
 /* safer than SECITEM_ZfreeItem() */
 if (NULL == d) return;
 if (d->data) {
- if (d->len) safe_memclear(d->data, d->len); /*safer than PORT_Memset()*/
- PORT_Free(d->data); /* safe_memclear() is safer than PORT_ZFree() */
+ if (d->len) ck_memzero(d->data, d->len); /*safer than PORT_Memset()*/
+ PORT_Free(d->data); /* ck_memzero() is safer than PORT_ZFree() */
 d->data = NULL;
 }
 d->len = 0;
diff --git a/src/mod_openssl.c b/src/mod_openssl.c
index a476547a..2fdfd5c7 100644
--- a/src/mod_openssl.c
+++ b/src/mod_openssl.c
@@ -85,13 +85,13 @@
 #endif
 #include "base.h"
+#include "ck.h"
 #include "fdevent.h"
 #include "http_date.h"
 #include "http_header.h"
 #include "http_kv.h"
 #include "log.h"
 #include "plugin.h"
-#include "safe_memclear.h"
 typedef struct {
 /* SNI per host: with COMP_SERVER_SOCKET, COMP_HTTP_SCHEME, COMP_HTTP_HOST */
@@ -1279,7 +1279,7 @@ mod_openssl_load_pem_file (const char *file, log_error_st *errh, STACK_OF(X509)
 if (NULL == in) {
 log_error(errh, __FILE__, __LINE__, "SSL: BIO_new/BIO_read_filename('%s') failed", file);
- if (dlen) safe_memclear(data, dlen);
+ if (dlen) ck_memzero(data, dlen);
 free(data);
 return NULL;
 }
@@ -1295,7 +1295,7 @@ mod_openssl_load_pem_file (const char *file, log_error_st *errh, STACK_OF(X509)
 }
 BIO_free(in);
- if (dlen) safe_memclear(data, dlen);
+ if (dlen) ck_memzero(data, dlen);
 free(data);
 return x;
 }
@@ -1313,7 +1313,7 @@ mod_openssl_evp_pkey_load_pem_file (const char *file, log_error_st *errh)
 x = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
 BIO_free(in);
 }
- if (dlen) safe_memclear(data, dlen);
+ if (dlen) ck_memzero(data, dlen);
 free(data);
 if (NULL == in)
diff --git a/src/mod_wolfssl.c b/src/mod_wolfssl.c
index d879336b..a96a79b7 100644
--- a/src/mod_wolfssl.c
+++ b/src/mod_wolfssl.c
@@ -93,7 +93,7 @@ WOLFSSL_API WOLFSSL_X509_NAME_ENTRY *wolfSSL_X509_NAME_get_entry(WOLFSSL_X509_NA
 #endif
 #if LIBWOLFSSL_VERSION_HEX < 0x04006000 || defined(WOLFSSL_NO_FORCE_ZERO)
-#define wolfSSL_OPENSSL_cleanse(x,sz) safe_memclear((x),(sz))
+#define wolfSSL_OPENSSL_cleanse(x,sz) ck_memzero((x),(sz))
 #endif
 #if LIBWOLFSSL_VERSION_HEX < 0x04002000 /*(exact version needed not checked)*/
@@ -103,12 +103,12 @@ WOLFSSL_API WOLFSSL_X509_NAME_ENTRY *wolfSSL_X509_NAME_get_entry(WOLFSSL_X509_NA
 #endif
 #include "base.h"
+#include "ck.h"
 #include "fdevent.h"
 #include "http_header.h"
 #include "http_kv.h"
 #include "log.h"
 #include "plugin.h"
-#include "safe_memclear.h"
 typedef struct {
 /* SNI per host: with COMP_SERVER_SOCKET, COMP_HTTP_SCHEME, COMP_HTTP_HOST */
@@ -692,7 +692,7 @@ mod_wolfssl_load_pem_file (const char *fn, log_error_st *errh, buffer ***chain)
 errno = EIO;
 } while (0);
- if (dlen) safe_memclear(data, dlen);
+ if (dlen) ck_memzero(data, dlen);
 free(data);
 if (rc < 0) {
@@ -745,7 +745,7 @@ mod_wolfssl_evp_pkey_load_pem_file (const char *fn, log_error_st *errh)
 rc = 0;
 } while (0);
- if (dlen) safe_memclear(data, dlen);
+ if (dlen) ck_memzero(data, dlen);
 free(data);
 if (rc < 0) {
@@ -775,7 +775,7 @@ mod_wolfssl_CTX_use_certificate_chain_file (WOLFSSL_CTX *ssl_ctx, const char *fn
 (unsigned char *)data, (long)dlen);
- if (dlen) safe_memclear(data, dlen);
+ if (dlen) ck_memzero(data, dlen);
 free(data);
 if (rc == WOLFSSL_SUCCESS)
@@ -912,7 +912,7 @@ mod_wolfssl_load_cacrls (WOLFSSL_CTX *ssl_ctx, const buffer *ssl_ca_crl_file, se
 rc = wolfSSL_CTX_LoadCRLBuffer(ssl_ctx, (byte *)data, (long)dlen, WOLFSSL_FILETYPE_PEM);
- if (dlen) safe_memclear(data, dlen);
+ if (dlen) ck_memzero(data, dlen);
 free(data);
 if (rc == WOLFSSL_SUCCESS)
@@ -941,7 +941,7 @@ mod_wolfssl_load_verify_locn (SSL_CTX *ssl_ctx, const buffer *b, server *srv)
 int rc = wolfSSL_CTX_load_verify_buffer(ssl_ctx, (unsigned char *)data, (long)dlen, WOLFSSL_FILETYPE_PEM);
- if (dlen) safe_memclear(data, dlen);
+ if (dlen) ck_memzero(data, dlen);
 free(data);
 if (rc == WOLFSSL_SUCCESS)
@@ -2043,7 +2043,7 @@ network_init_ssl (server *srv, plugin_config_socket *s, plugin_data *p)
 if (0 == rc) wolfSSL_CTX_SetTmpDH_buffer(s->ssl_ctx, (unsigned char *)data, (long)dlen, WOLFSSL_FILETYPE_PEM);
- if (dlen) safe_memclear(data, dlen);
+ if (dlen) ck_memzero(data, dlen);
 free(data);
 if (rc < 0) {
 log_error(srv->errh, __FILE__, __LINE__,
diff --git a/src/rand.c b/src/rand.c
index 8d5c8ea9..1584c12f 100644
--- a/src/rand.c
+++ b/src/rand.c
@@ -8,8 +8,8 @@
 #include "rand.h"
 #include "buffer.h"
+#include "ck.h"
 #include "fdevent.h"
-#include "safe_memclear.h"
 #include
 #include
@@ -496,5 +496,5 @@ void li_rand_cleanup (void)
 mbedtls_entropy_free(&entropy);
 #endif
 #endif
- safe_memclear(xsubi, sizeof(xsubi));
+ ck_memzero(xsubi, sizeof(xsubi));
 }
diff --git a/src/safe_memclear.h b/src/safe_memclear.h
deleted file mode 100644
index 94bf9e77..00000000
--- a/src/safe_memclear.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef _SAFE_MEMCLEAR_H_
-#define _SAFE_MEMCLEAR_H_
-#include "first.h"
-
-#include "ck.h"
-#define safe_memclear ck_memzero
-
-#endif