authorLinus Walleij <linus@foobar.localdomain>2010-02-20 19:47:24 +0100
committerSamuel Lidén Borell <>2010-02-20 20:38:05 +0100
commit2605e8dd6ffd0b8cc710a3f91d58192cd510473a (patch)
tree2a9e5a2ad6d93b36c39d0666ec31e0b23a58b7ef /client/gtk.c
parent63ff9686cde62f406601483c85ab7759a3b4a429 (diff)
Provide a secure memory pool and use it
This implements a secure memory pool for use in fribid, allocating a page at a time for secure use. We currently only use one page for the passphrase, but an arbitrary number of pages can be made available. We currently don't need more intelligence than this. The page pool is mmap():ed in to make sure it's on even pages, and the entire pool is then mlock():ed to hinder it from being spooled out as swap. This also augments the platform_sign function so that it takes the piece of (secure) memory used to store the password as a parameter, and copies the passphrase into it as soon as it's retrieved, so that it is not allocated or passed around elsewhere. Signed-off-by: Linus Walleij <>
Diffstat (limited to 'client/gtk.c')
1 files changed, 11 insertions, 6 deletions
diff --git a/client/gtk.c b/client/gtk.c
index c148dbd..b3df837 100644
--- a/client/gtk.c
+++ b/client/gtk.c
@@ -343,9 +343,14 @@ static void selectExternalFile() {
* Waits for the user to fill in the dialog, and loads the P12 file for
* the selected subject.
-bool platform_sign(char **signature, int *siglen, KeyfileSubject **person, char **password) {
+bool platform_sign(char **signature, int *siglen, KeyfileSubject **person,
+ char **password, int password_maxlen) {
guint response;
+ // Restrict the password to the length of the preallocated
+ // password buffer
+ gtk_entry_set_max_length(passwordEntry, password_maxlen-1);
while ((response = gtk_dialog_run(signDialog)) == RESPONSE_EXTERNAL) {
// User pressed "External file..."
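Review bot: password_maxlen is used without a precondition check in this hunk, so a caller passing 0 or 1 turns `password_maxlen-1` into -1 or 0: gtk_entry_set_max_length then (presumably, after GTK's clamp to 0) imposes no limit at all, and the strncpy in the second hunk receives the same value converted to size_t, i.e. an effectively unbounded copy into the secure buffer. A guard at the top of the function closes this, e.g. `g_return_val_if_fail(password != NULL && *password != NULL && password_maxlen > 1, false);`. The doc comment above the signature, which starts outside the hunk, should also state the new contract: `*password` is a caller-owned buffer of `password_maxlen` bytes that receives the NUL-terminated passphrase, and this function no longer allocates it. platform_sign's body continues outside the hunk.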
@@ -373,11 +378,11 @@ bool platform_sign(char **signature, int *siglen, KeyfileSubject **person, char
- // The contents of the text field is automatically cleared when the
- // GtkEntry widget is destroyed, so the password won't stay in memory.
- *password = strdup(gtk_entry_get_text(passwordEntry));
+ // Copy the password to the secure buffer
+ strncpy(*password, gtk_entry_get_text(passwordEntry), password_maxlen-1);
+ // Be sure to terminate this under all circumstances
+ *password[password_maxlen-1] = '\0';
return true;
} else {
// User pressed cancel or closed the dialog
return false;
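Review bot: The terminator write `*password[password_maxlen-1] = '\0';` does not index the buffer: `[]` binds tighter than `*`, so it parses as `*(password[password_maxlen-1])`, reading past the single `char *` that `password` points to and storing the NUL through whatever pointer value happens to be there, while the last byte of the secure buffer is never terminated. It should read `(*password)[password_maxlen-1] = '\0';`. Because strncpy does not terminate when the source fills the bound, that line is the only thing that guarantees a C string here, so the fix matters even though the entry's max length was set in the first hunk. Note also that gtk_entry_set_max_length counts characters rather than bytes, so a multibyte UTF-8 passphrase can still exceed `password_maxlen-1` bytes and be silently truncated by the strncpy; comparing `strlen(gtk_entry_get_text(passwordEntry))` against `password_maxlen` and returning false instead of truncating would avoid signing with a passphrase the user never typed. The enclosing function continues outside the hunk.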