From 9fb9354c89570de1e71817ca80c9535c502c9c69 Mon Sep 17 00:00:00 2001
From: Håkon Nessjøen <haakon.nessjoen@gmail.com>
Date: Sat, 29 Jun 2013 13:00:01 +0200
Subject: Added some paranoid memory locking on linux

---
 mactelnet.c  | 14 +++++++++++++-
 mactelnetd.c | 12 ++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/mactelnet.c b/mactelnet.c
index 580d5ae..7710cc1 100644
--- a/mactelnet.c
+++ b/mactelnet.c
@@ -37,6 +37,7 @@
 #include <string.h>
 #ifdef __LINUX__
 #include <linux/if_ether.h>
+#include <sys/mman.h>
 #endif
 #include "md5.h"
 #include "protocol.h"
@@ -197,6 +198,11 @@ static void send_auth(char *username, char *password) {
 	int plen;
 	md5_state_t state;
 
+#if defined(__LINUX__) && defined(_POSIX_MEMLOCK_RANGE)
+	mlock(md5data, sizeof(md5data));
+	mlock(md5sum, sizeof(md5data));
+#endif
+
 	/* Concat string of 0 + password + encryptionkey */
 	md5data[0] = 0;
 	strncpy(md5data + 1, password, 82);
@@ -460,6 +466,9 @@ int main (int argc, char **argv) {
 
 			case 'p':
 				/* Save password */
+#if defined(__LINUX__) && defined(_POSIX_MEMLOCK_RANGE)
+				mlock(password, sizeof(password));
+#endif
 				strncpy(password, optarg, sizeof(password) - 1);
 				password[sizeof(password) - 1] = '\0';
 				have_password = 1;
@@ -586,11 +595,14 @@ int main (int argc, char **argv) {
 	if (!have_password) {
 		char *tmp;
 		tmp = getpass(quiet_mode ? "" : _("Password: "));
+#if defined(__LINUX__) && defined(_POSIX_MEMLOCK_RANGE)
+		mlock(password, sizeof(password));
+#endif
 		strncpy(password, tmp, sizeof(password) - 1);
 		password[sizeof(password) - 1] = '\0';
 		/* security */
 		memset(tmp, 0, strlen(tmp));
-#ifdef __GNUC__
+#ifdef __LINUX__
 		free(tmp);
 #endif
 	}
diff --git a/mactelnetd.c b/mactelnetd.c
index cdb2727..b90ce2f 100644
--- a/mactelnetd.c
+++ b/mactelnetd.c
@@ -45,6 +45,7 @@
 #include <sys/ioctl.h>
 #include <sys/stat.h>
 #include <sys/sysinfo.h>
+#include <sys/mman.h>
 #include <pwd.h>
 #include <utmp.h>
 #include <syslog.h>
@@ -385,6 +386,14 @@ static void user_login(struct mt_connection *curconn, struct mt_mactelnet_hdr *p
 
 	if ((user = find_user(curconn->username)) != NULL) {
 		md5_state_t state;
+#ifdef _POSIX_MEMLOCK_RANGE
+		mlock(md5data, sizeof(md5data));
+		mlock(md5sum, sizeof(md5sum));
+		if (user->password != NULL) {
+			mlock(user->password, strlen(user->password));
+		}
+#endif
+
 		/* Concat string of 0 + password + encryptionkey */
 		md5data[0] = 0;
 		strncpy(md5data + 1, user->password, 82);
@@ -589,6 +598,9 @@ static void handle_data_packet(struct mt_connection *curconn, struct mt_mactelne
 
 		} else if (cpkt.cptype == MT_CPTYPE_PASSWORD) {
 
+#ifdef _POSIX_MEMLOCK_RANGE
+			mlock(curconn->trypassword, 17);
+#endif
 			memcpy(curconn->trypassword, cpkt.data, 17);
 			got_pass_packet = 1;
 
-- 
cgit v1.2.3