Another patch, with various fallback implementations.

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
From c040e7aa31a7a12f804c8d32d403861390dec8d5 Mon Sep 17 00:00:00 2001
From: Peter Eisentraut <pe...@eisentraut.org>
Date: Mon, 29 Jul 2019 11:25:49 +0200
Subject: [PATCH v4] Use explicit_bzero

Use the explicit_bzero() function in places where it is important that
security information such as passwords is cleared from memory.  There
might be other places where it could be useful; this is just an
initial collection.

For platforms that don't have explicit_bzero(), provide various
fallback implementations.  (explicit_bzero() itself isn't standard,
but as Linux/glibc and OpenBSD have it, it's the most common spelling,
so it makes sense to make that the invocation point.)

Discussion: 
https://www.postgresql.org/message-id/flat/42d26bde-5d5b-c90d-87ae-6cab875f73be%402ndquadrant.com
---
 configure                            | 15 +++++++-
 configure.in                         |  2 +
 src/backend/libpq/be-secure-common.c |  3 ++
 src/include/pg_config.h.in           |  6 +++
 src/include/port.h                   |  4 ++
 src/interfaces/libpq/fe-connect.c    |  8 ++++
 src/port/explicit_bzero.c            | 55 ++++++++++++++++++++++++++++
 7 files changed, 92 insertions(+), 1 deletion(-)
 create mode 100644 src/port/explicit_bzero.c

diff --git a/configure b/configure
index 7a6bfc2339..d3b1108218 100755
--- a/configure
+++ b/configure
@@ -15143,7 +15143,7 @@ fi
 LIBS_including_readline="$LIBS"
 LIBS=`echo "$LIBS" | sed -e 's/-ledit//g' -e 's/-lreadline//g'`
 
-for ac_func in cbrt clock_gettime copyfile fdatasync getifaddrs getpeerucred 
getrlimit mbstowcs_l memmove poll posix_fallocate ppoll pstat 
pthread_is_threaded_np readlink setproctitle setproctitle_fast setsid shm_open 
strchrnul strsignal symlink sync_file_range uselocale utime utimes wcstombs_l
+for ac_func in cbrt clock_gettime copyfile fdatasync getifaddrs getpeerucred 
getrlimit mbstowcs_l memset_s memmove poll posix_fallocate ppoll pstat 
pthread_is_threaded_np readlink setproctitle setproctitle_fast setsid shm_open 
strchrnul strsignal symlink sync_file_range uselocale utime utimes wcstombs_l
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -15808,6 +15808,19 @@ esac
 
 fi
 
+ac_fn_c_check_func "$LINENO" "explicit_bzero" "ac_cv_func_explicit_bzero"
+if test "x$ac_cv_func_explicit_bzero" = xyes; then :
+  $as_echo "#define HAVE_EXPLICIT_BZERO 1" >>confdefs.h
+
+else
+  case " $LIBOBJS " in
+  *" explicit_bzero.$ac_objext "* ) ;;
+  *) LIBOBJS="$LIBOBJS explicit_bzero.$ac_objext"
+ ;;
+esac
+
+fi
+
 ac_fn_c_check_func "$LINENO" "fls" "ac_cv_func_fls"
 if test "x$ac_cv_func_fls" = xyes; then :
   $as_echo "#define HAVE_FLS 1" >>confdefs.h
diff --git a/configure.in b/configure.in
index dde3eec89f..c639a32a79 100644
--- a/configure.in
+++ b/configure.in
@@ -1596,6 +1596,7 @@ AC_CHECK_FUNCS(m4_normalize([
        getpeerucred
        getrlimit
        mbstowcs_l
+       memset_s
        memmove
        poll
        posix_fallocate
@@ -1694,6 +1695,7 @@ fi
 AC_REPLACE_FUNCS(m4_normalize([
        crypt
        dlopen
+       explicit_bzero
        fls
        getopt
        getrusage
diff --git a/src/backend/libpq/be-secure-common.c 
b/src/backend/libpq/be-secure-common.c
index 4abbef5bf1..880b758e70 100644
--- a/src/backend/libpq/be-secure-common.c
+++ b/src/backend/libpq/be-secure-common.c
@@ -86,6 +86,7 @@ run_ssl_passphrase_command(const char *prompt, bool 
is_server_start, char *buf,
        {
                if (ferror(fh))
                {
+                       explicit_bzero(buf, size);
                        ereport(loglevel,
                                        (errcode_for_file_access(),
                                         errmsg("could not read from command 
\"%s\": %m",
@@ -97,6 +98,7 @@ run_ssl_passphrase_command(const char *prompt, bool 
is_server_start, char *buf,
        pclose_rc = ClosePipeStream(fh);
        if (pclose_rc == -1)
        {
+               explicit_bzero(buf, size);
                ereport(loglevel,
                                (errcode_for_file_access(),
                                 errmsg("could not close pipe to external 
command: %m")));
@@ -104,6 +106,7 @@ run_ssl_passphrase_command(const char *prompt, bool 
is_server_start, char *buf,
        }
        else if (pclose_rc != 0)
        {
+               explicit_bzero(buf, size);
                ereport(loglevel,
                                (errcode_for_file_access(),
                                 errmsg("command \"%s\" failed",
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index 512213aa32..8282d11dad 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -201,6 +201,9 @@
 /* Define to 1 if you have the <editline/readline.h> header file. */
 #undef HAVE_EDITLINE_READLINE_H
 
+/* Define to 1 if you have the `explicit_bzero' function. */
+#undef HAVE_EXPLICIT_BZERO
+
 /* Define to 1 if you have the `fdatasync' function. */
 #undef HAVE_FDATASYNC
 
@@ -401,6 +404,9 @@
 /* Define to 1 if you have the <memory.h> header file. */
 #undef HAVE_MEMORY_H
 
+/* Define to 1 if you have the `memset_s' function. */
+#undef HAVE_MEMSET_S
+
 /* Define to 1 if the system has the type `MINIDUMP_TYPE'. */
 #undef HAVE_MINIDUMP_TYPE
 
diff --git a/src/include/port.h b/src/include/port.h
index b5c03d912b..0a4801434e 100644
--- a/src/include/port.h
+++ b/src/include/port.h
@@ -381,6 +381,10 @@ extern int isinf(double x);
 #endif                                                 /* __clang__ && 
!__cplusplus */
 #endif                                                 /* !HAVE_ISINF */
 
+#ifndef HAVE_EXPLICIT_BZERO
+extern void explicit_bzero(void *buf, size_t len);
+#endif
+
 #ifndef HAVE_STRTOF
 extern float strtof(const char *nptr, char **endptr);
 #endif
diff --git a/src/interfaces/libpq/fe-connect.c 
b/src/interfaces/libpq/fe-connect.c
index a329ebbf93..01ad3ae3e5 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -3884,7 +3884,10 @@ freePGconn(PGconn *conn)
                        if (conn->connhost[i].port != NULL)
                                free(conn->connhost[i].port);
                        if (conn->connhost[i].password != NULL)
+                       {
+                               explicit_bzero(conn->connhost[i].password, 
strlen(conn->connhost[i].password));
                                free(conn->connhost[i].password);
+                       }
                }
                free(conn->connhost);
        }
@@ -3918,7 +3921,10 @@ freePGconn(PGconn *conn)
        if (conn->pguser)
                free(conn->pguser);
        if (conn->pgpass)
+       {
+               explicit_bzero(conn->pgpass, strlen(conn->pgpass));
                free(conn->pgpass);
+       }
        if (conn->pgpassfile)
                free(conn->pgpassfile);
        if (conn->keepalives)
@@ -6934,6 +6940,7 @@ passwordFromFile(const char *hostname, const char *port, 
const char *dbname,
                if (!ret)
                {
                        /* Out of memory. XXX: an error message would be nice. 
*/
+                       explicit_bzero(buf, sizeof(buf));
                        return NULL;
                }
 
@@ -6950,6 +6957,7 @@ passwordFromFile(const char *hostname, const char *port, 
const char *dbname,
        }
 
        fclose(fp);
+       explicit_bzero(buf, sizeof(buf));
        return NULL;
 
 #undef LINELEN
diff --git a/src/port/explicit_bzero.c b/src/port/explicit_bzero.c
new file mode 100644
index 0000000000..21164ded84
--- /dev/null
+++ b/src/port/explicit_bzero.c
@@ -0,0 +1,55 @@
+/*-------------------------------------------------------------------------
+ *
+ * explicit_bzero.c
+ *
+ * Portions Copyright (c) 1996-2019, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ *-------------------------------------------------------------------------
+ */
+
+#include "c.h"
+
+#if defined(HAVE_MEMSET_S)
+
+void
+explicit_bzero(void *buf, size_t len)
+{
+       (void) memset_s(buf, len, 0, len);
+}
+
+#elif defined(WIN32)
+
+#include "c.h"
+
+void
+explicit_bzero(void *buf, size_t len)
+{
+       (void) SecureZeroMemory(buf, len);
+}
+
+#else
+
+#include "c.h"
+
+/*
+ * Indirect call through a volatile pointer to hopefully avoid dead-store
+ * optimisation eliminating the call.  (Idea taken from OpenSSH.)  We can't
+ * assume bzero() is present either, so for simplicity we define our own.
+ */
+
+static void
+bzero2(void *buf, size_t len)
+{
+       memset(buf, 0, len);
+}
+
+static void (* volatile bzero_p)(void *, size_t) = bzero2;
+
+void
+explicit_bzero(void *buf, size_t len)
+{
+       bzero_p(buf, len);
+}
+
+#endif

base-commit: 1e2fddfa33d3c7cc93ca3ee0f32852699bd3e012
-- 
2.22.0

Reply via email to