1 /* Copyright (c) 2015-2021, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
3 
4 #include "orconfig.h"
5 #include "lib/crypt_ops/crypto_util.h"
6 
7 #include "lib/intmath/cmp.h"
8 #include "lib/malloc/malloc.h"
9 
10 #include <string.h>
11 #include <stdio.h>
12 #include <sys/types.h>
13 #include <stdlib.h>
14 
15 #ifdef HAVE_SYS_PARAM_H
16 #include <sys/param.h>
17 #endif
18 
/* Every fill/check helper listed here is declared noinline.
 * NOTE(review): presumably this keeps each one a real call with its own
 * stack frame, so that check_a_buffer()'s local buffer can land on the
 * memory a stack fill helper just used -- confirm. check_heap_buffer() is
 * not declared here; it reads through heap_buf rather than from a buffer
 * in its own frame. */
static unsigned fill_a_buffer_memset(void) __attribute__((noinline));
static unsigned fill_a_buffer_memwipe(void) __attribute__((noinline));
static unsigned fill_a_buffer_nothing(void) __attribute__((noinline));
static unsigned fill_heap_buffer_memset(void) __attribute__((noinline));
static unsigned fill_heap_buffer_memwipe(void) __attribute__((noinline));
static unsigned fill_heap_buffer_nothing(void) __attribute__((noinline));
static unsigned check_a_buffer(void) __attribute__((noinline));
26 
/* The pattern string that the fill helpers write into their buffers and
 * that the check helpers search for. main() assigns it before running any
 * testcase.
 * NOTE(review): external linkage presumably stops the compiler from
 * assuming the pointer's value at the use sites -- confirm. */
extern const char *s; /* Make the linkage global */
const char *s = NULL;
29 
/* Size in bytes of every stack and heap buffer used by the testcases. */
#define BUF_LEN 2048

/* Shared body of the fill_* helpers. It expects a writable BUF_LEN-byte
 * `buf` and an unsigned `sum` in the caller's scope, and a non-empty
 * global `s`: with strlen(s) == 0 the first loop would never advance.
 * The final copy is clamped with MIN() so it cannot run past the end of
 * the buffer. */
#define FILL_BUFFER_IMPL()                                              \
  do {                                                                  \
  unsigned int i;                                                       \
                                                                        \
  /* Fill the BUF_LEN-byte buffer with a recognizable pattern. */       \
  for (i = 0; i < BUF_LEN; i += strlen(s)) {                            \
    memcpy(buf+i, s, MIN(strlen(s), BUF_LEN-i));                        \
  }                                                                     \
                                                                        \
  /* Use the buffer as input to a computation so the above can't get */ \
  /* optimized away. */                                                 \
  for (i = 0; i < BUF_LEN; ++i) {                                       \
    sum += (unsigned char)buf[i];                                       \
  }                                                                     \
  } while (0)
47 
#ifdef OpenBSD
/* Disable some of OpenBSD's malloc protections for this test. This helps
 * us do bad things, such as access freed buffers, without crashing.
 *
 * NOTE(review): this weakens allocator hardening on purpose so that
 * check_heap_buffer() can read a freed buffer; it should stay confined to
 * this test program. The meaning of the individual option letters is
 * defined by OpenBSD's malloc and is not checked here. */
extern const char *malloc_options;
const char *malloc_options = "sufjj";
#endif /* defined(OpenBSD) */
54 
/* Stack case using plain memset(): fill a local buffer with the pattern,
 * checksum it, then zero it with memset() just before returning.
 *
 * Nothing reads buf after the memset(), so a compiler is allowed to treat
 * that store as dead and drop it; whether it does is what the "memset"
 * testcase reports. Returns the byte sum computed by FILL_BUFFER_IMPL(). */
static unsigned
fill_a_buffer_memset(void)
{
  char buf[BUF_LEN];
  unsigned sum = 0;
  FILL_BUFFER_IMPL();
  /* Last use of buf in this function: a candidate for dead-store removal. */
  memset(buf, 0, sizeof(buf));
  return sum;
}
64 
/* Stack case using memwipe(): fill a local buffer with the pattern,
 * checksum it, then clear it with memwipe() just before returning.
 *
 * This is the case the program exists to verify: main() reports an error
 * if the pattern is still found afterwards. Returns the byte sum computed
 * by FILL_BUFFER_IMPL(). */
static unsigned
fill_a_buffer_memwipe(void)
{
  char buf[BUF_LEN];
  unsigned sum = 0;
  FILL_BUFFER_IMPL();
  /* As with the memset() variant, buf is not read again after this call. */
  memwipe(buf, 0, sizeof(buf));
  return sum;
}
74 
/* Stack control case: fill a local buffer with the pattern and checksum
 * it, but do not clear it before returning.
 *
 * main() uses this both as the "nil" testcase (the pattern is expected to
 * be found afterwards) and as the reference checksum that every other
 * fill helper's return value is compared against. */
static unsigned
fill_a_buffer_nothing(void)
{
  char buf[BUF_LEN];
  unsigned sum = 0;
  FILL_BUFFER_IMPL();
  return sum;
}
83 
/* Compare the first n bytes at a with the first n bytes at b.
 *
 * a is a pointer to volatile, so each byte of it is read through a
 * volatile access. Returns 1 if all n bytes are equal (including the
 * n == 0 case) and 0 at the first difference. */
static inline int
vmemeq(volatile char *a, const char *b, size_t n)
{
  size_t idx;

  for (idx = 0; idx < n; ++idx) {
    if (a[idx] != b[idx])
      return 0;
  }
  return 1;
}
93 
/* Count the offsets in an uninitialized local buffer at which the pattern
 * s is found, and return that count.
 *
 * buf is volatile, so the reads in vmemeq() go through volatile accesses.
 * NOTE(review): this can only find anything if buf happens to occupy the
 * stack memory that the preceding fill helper used for its own buf; that
 * is an assumption about the compiler's frame layout, not a guarantee. */
static unsigned
check_a_buffer(void)
{
  unsigned int i;
  volatile char buf[BUF_LEN];
  unsigned sum = 0;

  /* See if this buffer has the string in it.

     YES, THIS DOES INVOKE UNDEFINED BEHAVIOR BY READING FROM AN UNINITIALIZED
     BUFFER.

     If you know a better way to figure out whether the compiler eliminated
     the memset/memwipe calls or not, please let me know.
   */
  /* The last start offset examined is BUF_LEN - strlen(s) - 1, so every
   * comparison stays inside buf. */
  for (i = 0; i < BUF_LEN - strlen(s); ++i) {
    if (vmemeq(buf+i, s, strlen(s)))
      ++sum;
  }

  return sum;
}
116 
/* Address of the most recent buffer allocated by a fill_heap_buffer_*
 * helper. Those helpers free the buffer but leave this pointer set, and
 * check_heap_buffer() reads through it afterwards. */
static char *heap_buf = NULL;
118 
/* Heap case using plain memset(): allocate a buffer, remember it in
 * heap_buf, fill and checksum it, zero it with memset(), then free it.
 *
 * heap_buf keeps pointing at the freed memory so that check_heap_buffer()
 * can look at it afterwards. Nothing reads the buffer between memset() and
 * raw_free(), so the compiler may drop the memset() as a dead store.
 * Returns the byte sum computed by FILL_BUFFER_IMPL().
 *
 * NOTE(review): the raw_malloc() result is not checked; if it can return
 * NULL, FILL_BUFFER_IMPL() would write through a null pointer. */
static unsigned
fill_heap_buffer_memset(void)
{
  char *buf = heap_buf = raw_malloc(BUF_LEN);
  unsigned sum = 0;
  FILL_BUFFER_IMPL();
  memset(buf, 0, BUF_LEN);
  raw_free(buf);
  return sum;
}
129 
/* Heap case using memwipe(): allocate a buffer, remember it in heap_buf,
 * fill and checksum it, clear it with memwipe(), then free it.
 *
 * heap_buf keeps pointing at the freed memory so that check_heap_buffer()
 * can look at it afterwards; main() reports an error if the pattern is
 * still found there. Returns the byte sum computed by FILL_BUFFER_IMPL().
 *
 * NOTE(review): the raw_malloc() result is not checked; if it can return
 * NULL, FILL_BUFFER_IMPL() would write through a null pointer. */
static unsigned
fill_heap_buffer_memwipe(void)
{
  char *buf = heap_buf = raw_malloc(BUF_LEN);
  unsigned sum = 0;
  FILL_BUFFER_IMPL();
  memwipe(buf, 0, BUF_LEN);
  raw_free(buf);
  return sum;
}
140 
/* Heap control case: allocate a buffer, remember it in heap_buf, fill and
 * checksum it, then free it without clearing it first.
 *
 * This is the "nil-heap" testcase: main() expects the pattern to be found
 * in the freed memory afterwards, and treats the run as unreliable if it
 * is not. Returns the byte sum computed by FILL_BUFFER_IMPL().
 *
 * NOTE(review): the raw_malloc() result is not checked; if it can return
 * NULL, FILL_BUFFER_IMPL() would write through a null pointer. */
static unsigned
fill_heap_buffer_nothing(void)
{
  char *buf = heap_buf = raw_malloc(BUF_LEN);
  unsigned sum = 0;
  FILL_BUFFER_IMPL();
  raw_free(buf);
  return sum;
}
150 
/* Count the offsets in the buffer that heap_buf points to at which the
 * pattern s is found, and return that count.
 *
 * By the time this runs, the fill_heap_buffer_* helper has already freed
 * that buffer, so every read here is a read of freed memory. The pointer
 * is volatile-qualified, so the reads in vmemeq() go through volatile
 * accesses. */
static unsigned
check_heap_buffer(void)
{
  unsigned int i;
  unsigned sum = 0;
  volatile char *buf = heap_buf;

  /* See if this buffer has the string in it.

     YES, THIS DOES INVOKE UNDEFINED BEHAVIOR BY READING FROM A FREED BUFFER.

     If you know a better way to figure out whether the compiler eliminated
     the memset/memwipe calls or not, please let me know.
   */
  /* The last start offset examined is BUF_LEN - strlen(s) - 1, so every
   * comparison stays inside the BUF_LEN bytes that were allocated. */
  for (i = 0; i < BUF_LEN - strlen(s); ++i) {
    if (vmemeq(buf+i, s, strlen(s)))
      ++sum;
  }

  return sum;
}
172 
/* Table of (fill, check) pairs, terminated by an all-NULL entry.
 *
 * The order is significant: main() stores each check result in found[] at
 * the same index and then refers to those slots by number (0-1 are the
 * "nil" controls, 2-3 memset, 4-5 memwipe; stack case first, heap case
 * second). Adding or reordering entries means updating main() as well. */
static struct testcase {
  /* Label for the case; NULL marks the end of the table. */
  const char *name;
  /* this spacing satisfies make check-spaces */
  /* Fills a buffer and returns the checksum of what it wrote. */
  unsigned
    (*fill_fn)(void);
  /* Returns how many times the pattern was found after the fill. */
  unsigned
    (*check_fn)(void);
} testcases[] = {
  { "nil", fill_a_buffer_nothing, check_a_buffer },
  { "nil-heap", fill_heap_buffer_nothing, check_heap_buffer },
  { "memset", fill_a_buffer_memset, check_a_buffer },
  { "memset-heap", fill_heap_buffer_memset, check_heap_buffer },
  { "memwipe", fill_a_buffer_memwipe, check_a_buffer },
  { "memwipe-heap", fill_heap_buffer_memwipe, check_heap_buffer },
  { NULL, NULL, NULL }
};
189 
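/* Run every entry of testcases[]: fill a buffer, then look for the pattern
 * in the memory that buffer occupied, and report whether memwipe() left
 * anything behind.
 *
 * Returns 1 if the pattern was found after either memwipe case, else 0.
 * An "unreliable" run only prints a warning; it still falls through to the
 * memwipe verdict, so "OKAY" is meaningful only when that warning was not
 * printed (that is, when both nil controls did find the pattern). */
int
main(int argc, char **argv)
{
  unsigned x, x2;
  int i;
  int working = 1;
  /* Indexed in testcases[] order: 0-1 nil, 2-3 memset, 4-5 memwipe
   * (stack case first, heap case second). */
  unsigned found[6];
  (void) argc; (void) argv;

  s = "squamous haberdasher gallimaufry";

  memset(found, 0, sizeof(found));

  /* Stop at the end of found[] as well as at the sentinel entry, so that
   * adding a testcase without growing found[] cannot write past the
   * array. */
  for (i = 0;
       i < (int)(sizeof(found) / sizeof(found[0])) && testcases[i].name;
       ++i) {
    x = testcases[i].fill_fn();
    found[i] = testcases[i].check_fn();

    /* Every fill helper checksums the same pattern, so its result should
     * equal that of the plain, unwiped fill. A mismatch means the fill
     * did not do what the test assumes. */
    x2 = fill_a_buffer_nothing();

    if (x != x2) {
      working = 0;
    }
  }

  /* The nil cases never clear the buffer. If the pattern is not found
   * after them, the check helpers cannot see stale data on this build and
   * a clean memwipe result proves nothing. */
  if (!working || !found[0] || !found[1]) {
    printf("It appears that this test case may not give you reliable "
           "information. Sorry.\n");
  }

  if (!found[2] && !found[3]) {
    printf("It appears that memset is good enough on this platform. Good.\n");
  }

  if (found[4] || found[5]) {
    printf("ERROR: memwipe does not wipe data!\n");
    return 1;
  } else {
    printf("OKAY: memwipe seems to work.\n");
    return 0;
  }
}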
231