database/postgres
database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-04-25 21:42:33 +03:00
Code

Use explicit_bzero

Browse Source 
Use the explicit_bzero() function in places where it is important that
security information such as passwords is cleared from memory.  There
might be other places where it could be useful; this is just an
initial collection.

For platforms that don't have explicit_bzero(), provide various
fallback implementations.  (explicit_bzero() itself isn't standard,
but as Linux/glibc, FreeBSD, and OpenBSD have it, it's the most common
spelling, so it makes sense to make that the invocation point.)

Discussion: https://www.postgresql.org/message-id/flat/42d26bde-5d5b-c90d-87ae-6cab875f73be%402ndquadrant.com
This commit is contained in:
Peter Eisentraut 2019-09-05 08:15:58 +02:00
parent ae060a52b2
commit 74a308cf52
9 changed files with 99 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
configure vendored
View File

@ -15087,7 +15087,7 @@ fi
LIBS_including_readline="$LIBS" LIBS_including_readline="$LIBS"
LIBS=`echo "$LIBS" | sed -e 's/-ledit//g' -e 's/-lreadline//g'` LIBS=`echo "$LIBS" | sed -e 's/-ledit//g' -e 's/-lreadline//g'`
for ac_func in cbrt clock_gettime copyfile fdatasync getifaddrs getpeerucred getrlimit mbstowcs_l memmove poll posix_fallocate ppoll pstat pthread_is_threaded_np readlink setproctitle setproctitle_fast setsid shm_open strchrnul strsignal symlink sync_file_range uselocale utime utimes wcstombs_l for ac_func in cbrt clock_gettime copyfile fdatasync getifaddrs getpeerucred getrlimit mbstowcs_l memset_s memmove poll posix_fallocate ppoll pstat pthread_is_threaded_np readlink setproctitle setproctitle_fast setsid shm_open strchrnul strsignal symlink sync_file_range uselocale utime utimes wcstombs_l
do : do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@ -15739,6 +15739,19 @@ esac
fi fi
ac_fn_c_check_func "$LINENO" "explicit_bzero" "ac_cv_func_explicit_bzero"
if test "x$ac_cv_func_explicit_bzero" = xyes; then :
$as_echo "#define HAVE_EXPLICIT_BZERO 1" >>confdefs.h
else
case " $LIBOBJS " in
*" explicit_bzero.$ac_objext "* ) ;;
*) LIBOBJS="$LIBOBJS explicit_bzero.$ac_objext"
;;
esac
fi
ac_fn_c_check_func "$LINENO" "fls" "ac_cv_func_fls" ac_fn_c_check_func "$LINENO" "fls" "ac_cv_func_fls"
if test "x$ac_cv_func_fls" = xyes; then : if test "x$ac_cv_func_fls" = xyes; then :
$as_echo "#define HAVE_FLS 1" >>confdefs.h $as_echo "#define HAVE_FLS 1" >>confdefs.h

2
configure.in
View File

@ -1594,6 +1594,7 @@ AC_CHECK_FUNCS(m4_normalize([
getpeerucred getpeerucred
getrlimit getrlimit
mbstowcs_l mbstowcs_l
memset_s
memmove memmove
poll poll
posix_fallocate posix_fallocate
@ -1691,6 +1692,7 @@ fi
AC_REPLACE_FUNCS(m4_normalize([ AC_REPLACE_FUNCS(m4_normalize([
dlopen dlopen
explicit_bzero
fls fls
getopt getopt
getrusage getrusage

3
src/backend/libpq/be-secure-common.c
View File

@ -87,6 +87,7 @@ run_ssl_passphrase_command(const char *prompt, bool is_server_start, char *buf,
{ {
if (ferror(fh)) if (ferror(fh))
{ {
explicit_bzero(buf, size);
ereport(loglevel, ereport(loglevel,
(errcode_for_file_access(), (errcode_for_file_access(),
errmsg("could not read from command \"%s\": %m", errmsg("could not read from command \"%s\": %m",
@ -98,6 +99,7 @@ run_ssl_passphrase_command(const char *prompt, bool is_server_start, char *buf,
pclose_rc = ClosePipeStream(fh); pclose_rc = ClosePipeStream(fh);
if (pclose_rc == -1) if (pclose_rc == -1)
{ {
explicit_bzero(buf, size);
ereport(loglevel, ereport(loglevel,
(errcode_for_file_access(), (errcode_for_file_access(),
errmsg("could not close pipe to external command: %m"))); errmsg("could not close pipe to external command: %m")));
@ -105,6 +107,7 @@ run_ssl_passphrase_command(const char *prompt, bool is_server_start, char *buf,
} }
else if (pclose_rc != 0) else if (pclose_rc != 0)
{ {
explicit_bzero(buf, size);
ereport(loglevel, ereport(loglevel,
(errcode_for_file_access(), (errcode_for_file_access(),
errmsg("command \"%s\" failed", errmsg("command \"%s\" failed",

6
src/include/pg_config.h.in
View File

@ -195,6 +195,9 @@
/* Define to 1 if you have the <editline/readline.h> header file. */ /* Define to 1 if you have the <editline/readline.h> header file. */
#undef HAVE_EDITLINE_READLINE_H #undef HAVE_EDITLINE_READLINE_H
/* Define to 1 if you have the `explicit_bzero' function. */
#undef HAVE_EXPLICIT_BZERO
/* Define to 1 if you have the `fdatasync' function. */ /* Define to 1 if you have the `fdatasync' function. */
#undef HAVE_FDATASYNC #undef HAVE_FDATASYNC
@ -395,6 +398,9 @@
/* Define to 1 if you have the <memory.h> header file. */ /* Define to 1 if you have the <memory.h> header file. */
#undef HAVE_MEMORY_H #undef HAVE_MEMORY_H
/* Define to 1 if you have the `memset_s' function. */
#undef HAVE_MEMSET_S
/* Define to 1 if the system has the type `MINIDUMP_TYPE'. */ /* Define to 1 if the system has the type `MINIDUMP_TYPE'. */
#undef HAVE_MINIDUMP_TYPE #undef HAVE_MINIDUMP_TYPE

6
src/include/pg_config.h.win32
View File

@ -153,6 +153,9 @@
/* Define to 1 if you have the <editline/readline.h> header file. */ /* Define to 1 if you have the <editline/readline.h> header file. */
/* #undef HAVE_EDITLINE_READLINE_H */ /* #undef HAVE_EDITLINE_READLINE_H */
/* Define to 1 if you have the `explicit_bzero' function. */
/* #undef HAVE_EXPLICIT_BZERO */
/* Define to 1 if you have the `fdatasync' function. */ /* Define to 1 if you have the `fdatasync' function. */
/* #undef HAVE_FDATASYNC */ /* #undef HAVE_FDATASYNC */
@ -283,6 +286,9 @@
/* Define to 1 if you have the <memory.h> header file. */ /* Define to 1 if you have the <memory.h> header file. */
#define HAVE_MEMORY_H 1 #define HAVE_MEMORY_H 1
/* Define to 1 if you have the `memset_s' function. */
/* #undef HAVE_MEMSET_S */
/* Define to 1 if the system has the type `MINIDUMP_TYPE'. */ /* Define to 1 if the system has the type `MINIDUMP_TYPE'. */
#define HAVE_MINIDUMP_TYPE 1 #define HAVE_MINIDUMP_TYPE 1

4
src/include/port.h
View File

@ -378,6 +378,10 @@ extern int isinf(double x);
#endif /* __clang__ && !__cplusplus */ #endif /* __clang__ && !__cplusplus */
#endif /* !HAVE_ISINF */ #endif /* !HAVE_ISINF */
#ifndef HAVE_EXPLICIT_BZERO
extern void explicit_bzero(void *buf, size_t len);
#endif
#ifndef HAVE_STRTOF #ifndef HAVE_STRTOF
extern float strtof(const char *nptr, char **endptr); extern float strtof(const char *nptr, char **endptr);
#endif #endif

8
src/interfaces/libpq/fe-connect.c
View File

@ -3885,7 +3885,10 @@ freePGconn(PGconn *conn)
if (conn->connhost[i].port != NULL) if (conn->connhost[i].port != NULL)
free(conn->connhost[i].port); free(conn->connhost[i].port);
if (conn->connhost[i].password != NULL) if (conn->connhost[i].password != NULL)
{
explicit_bzero(conn->connhost[i].password, strlen(conn->connhost[i].password));
free(conn->connhost[i].password); free(conn->connhost[i].password);
}
} }
free(conn->connhost); free(conn->connhost);
} }
@ -3919,7 +3922,10 @@ freePGconn(PGconn *conn)
if (conn->pguser) if (conn->pguser)
free(conn->pguser); free(conn->pguser);
if (conn->pgpass) if (conn->pgpass)
{
explicit_bzero(conn->pgpass, strlen(conn->pgpass));
free(conn->pgpass); free(conn->pgpass);
}
if (conn->pgpassfile) if (conn->pgpassfile)
free(conn->pgpassfile); free(conn->pgpassfile);
if (conn->keepalives) if (conn->keepalives)
@ -6931,6 +6937,7 @@ passwordFromFile(const char *hostname, const char *port, const char *dbname,
if (!ret) if (!ret)
{ {
/* Out of memory. XXX: an error message would be nice. */ /* Out of memory. XXX: an error message would be nice. */
explicit_bzero(buf, sizeof(buf));
return NULL; return NULL;
} }
@ -6947,6 +6954,7 @@ passwordFromFile(const char *hostname, const char *port, const char *dbname,
} }
fclose(fp); fclose(fp);
explicit_bzero(buf, sizeof(buf));
return NULL; return NULL;
#undef LINELEN #undef LINELEN

55
src/port/explicit_bzero.c Normal file
View File

@ -0,0 +1,55 @@
/*-------------------------------------------------------------------------
*
* explicit_bzero.c
*
* Portions Copyright (c) 1996-2019, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
*
* IDENTIFICATION
* src/port/explicit_bzero.c
*
*-------------------------------------------------------------------------
*/
#include "c.h"
#if defined(HAVE_MEMSET_S)
void
explicit_bzero(void *buf, size_t len)
{
(void) memset_s(buf, len, 0, len);
}
#elif defined(WIN32)
void
explicit_bzero(void *buf, size_t len)
{
(void) SecureZeroMemory(buf, len);
}
#else
/*
* Indirect call through a volatile pointer to hopefully avoid dead-store
* optimisation eliminating the call. (Idea taken from OpenSSH.) We can't
* assume bzero() is present either, so for simplicity we define our own.
*/
static void
bzero2(void *buf, size_t len)
{
memset(buf, 0, len);
}
static void (* volatile bzero_p)(void *, size_t) = bzero2;
void
explicit_bzero(void *buf, size_t len)
{
bzero_p(buf, len);
}
#endif

2
src/tools/msvc/Mkvcbuild.pm
View File

@ -93,7 +93,7 @@ sub mkvcbuild
$solution = CreateSolution($vsVersion, $config); $solution = CreateSolution($vsVersion, $config);
our @pgportfiles = qw( our @pgportfiles = qw(
chklocale.c fls.c fseeko.c getrusage.c inet_aton.c random.c chklocale.c explicit_bzero.c fls.c fseeko.c getrusage.c inet_aton.c random.c
srandom.c getaddrinfo.c gettimeofday.c inet_net_ntop.c kill.c open.c srandom.c getaddrinfo.c gettimeofday.c inet_net_ntop.c kill.c open.c
erand48.c snprintf.c strlcat.c strlcpy.c dirmod.c noblock.c path.c erand48.c snprintf.c strlcat.c strlcpy.c dirmod.c noblock.c path.c
dirent.c dlopen.c getopt.c getopt_long.c dirent.c dlopen.c getopt.c getopt_long.c