From 52f96e78f26b86e4a0e6ec7d98eb454d6ff508ae Mon Sep 17 00:00:00 2001
From: Michael Stapelberg <michael@stapelberg.de>
Date: Tue, 3 Jan 2012 16:17:58 +0000
Subject: [PATCH] Lock the password buffer in memory, clear it in RAM after
 verifying

---
 i3lock.c | 30 ++++++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)

diff --git a/i3lock.c b/i3lock.c
index d236adf..a056091 100644
--- a/i3lock.c
+++ b/i3lock.c
@@ -24,6 +24,7 @@
 #include <string.h>
 #include <math.h>
 #include <ev.h>
+#include <sys/mman.h>
 
 
 #ifndef NOLIBCAIRO
@@ -51,7 +52,7 @@ static xcb_key_symbols_t *symbols;
 static xcb_screen_t *scr;
 static pam_handle_t *pam_handle;
 static int input_position = 0;
-/* holds the password you enter (in UTF-8) */
+/* Holds the password you enter (in UTF-8). */
 static char password[512];
 static bool modeswitch_active = false;
 static bool iso_level3_shift_active = false;
@@ -91,6 +92,23 @@ static cairo_surface_t *img = NULL;
 static bool tile = false;
 #endif
 
+/*
+ * Clears the memory which stored the password to be a bit safer against
+ * cold-boot attacks.
+ *
+ */
+static void clear_password_memory() {
+    /* A volatile pointer to the password buffer to prevent the compiler from
+     * optimizing this out. */
+    volatile char *vpassword = password;
+    for (int c = 0; c < sizeof(password); c++)
+        /* We store a non-random pattern which consists of the (irrelevant)
+         * index plus (!) the value of the beep variable. This prevents the
+         * compiler from optimizing the calls away, since the value of 'beep'
+         * is not known at compile-time. */
+        vpassword[c] = c + (int)beep;
+}
+
 /*
  * Draws global image with fill color onto a pixmap with the given
  * resolution and returns it.
@@ -330,6 +348,7 @@ static void input_done() {
 
     if (pam_authenticate(pam_handle, 0) == PAM_SUCCESS) {
         printf("successfully authenticated\n");
+        clear_password_memory();
         exit(0);
     }
 
@@ -458,6 +477,7 @@ static void handle_key_press(xcb_key_press_event_t *event) {
         input_done();
     case XK_Escape:
         input_position = 0;
+        clear_password_memory();
         password[input_position] = '\0';
         return;
 
@@ -809,7 +829,13 @@ int main(int argc, char *argv[]) {
     /* Initialize PAM */
     ret = pam_start("i3lock", username, &conv, &pam_handle);
     if (ret != PAM_SUCCESS)
-        errx(EXIT_FAILURE, "PAM: %s\n", pam_strerror(pam_handle, ret));
+        errx(EXIT_FAILURE, "PAM: %s", pam_strerror(pam_handle, ret));
+
+    /* Lock the area where we store the password in memory, we don’t want it to
+     * be swapped to disk. Since Linux 2.6.9, this does not require any
+     * privileges, just enough bytes in the RLIMIT_MEMLOCK limit. */
+    if (mlock(password, sizeof(password)) != 0)
+        err(EXIT_FAILURE, "Could not lock page in memory, check RLIMIT_MEMLOCK");
 
     /* Initialize connection to X11 */
     if ((conn = xcb_connect(NULL, &screen)) == NULL ||