new wipeable_string class to replace std::string passphrases

xdraylin · Nov 27, 2017 · 3dffe71 · 3dffe71
1 parent 7a2a574
commit 3dffe71
Show file tree

Hide file tree

Showing 15 changed files with 293 additions and 68 deletions.
diff --git a/contrib/epee/include/net/http_auth.h b/contrib/epee/include/net/http_auth.h
@@ -33,7 +33,7 @@
 #include <functional>
 #include <string>
 #include <utility>
-
+#include "wipeable_string.h"
 #include "http_base.h"
 
 #undef MONERO_DEFAULT_LOG_CATEGORY
@@ -48,12 +48,12 @@ namespace net_utils
     struct login
     {
       login() : username(), password() {}
-      login(std::string username_, std::string password_)
+      login(std::string username_, wipeable_string password_)
         : username(std::move(username_)), password(std::move(password_))
       {}
 
       std::string username;
-      std::string password;
+      wipeable_string password;
     };
 
     //! Implements RFC 2617 digest auth. Digests from RFC 7616 can be added.

diff --git a/contrib/epee/include/wipeable_string.h b/contrib/epee/include/wipeable_string.h
@@ -0,0 +1,70 @@
+// Copyright (c) 2017, The Monero Project
+// 
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are
+// permitted provided that the following conditions are met:
+// 
+// 1. Redistributions of source code must retain the above copyright notice, this list of
+//    conditions and the following disclaimer.
+// 
+// 2. Redistributions in binary form must reproduce the above copyright notice, this list
+//    of conditions and the following disclaimer in the documentation and/or other
+//    materials provided with the distribution.
+// 
+// 3. Neither the name of the copyright holder nor the names of its contributors may be
+//    used to endorse or promote products derived from this software without specific
+//    prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#pragma once
+
+#include <stddef.h>
+#include <vector>
+#include <string>
+
+namespace epee
+{
+  class wipeable_string
+  {
+  public:
+    wipeable_string() {}
+    wipeable_string(const wipeable_string &other);
+    wipeable_string(wipeable_string &&other);
+    wipeable_string(const std::string &other);
+    wipeable_string(std::string &&other);
+    wipeable_string(const char *s);
+    ~wipeable_string();
+    void wipe();
+    void push_back(char c);
+    void pop_back();
+    const char *data() const noexcept { return buffer.data(); }
+    size_t size() const noexcept { return buffer.size(); }
+    bool empty() const noexcept { return buffer.empty(); }
+    void resize(size_t sz);
+    void reserve(size_t sz);
+    void clear();
+    bool operator==(const wipeable_string &other) const noexcept { return buffer == other.buffer; }
+    bool operator!=(const wipeable_string &other) const noexcept { return buffer != other.buffer; }
+    wipeable_string &operator=(wipeable_string &&other);
+    wipeable_string &operator=(const wipeable_string &other);
+
+    static void set_wipe(void *(*f)(void*, size_t)) { wipefunc = f; }
+
+  private:
+    void grow(size_t sz, size_t reserved = 0);
+
+  private:
+    std::vector<char> buffer;
+    static void *(*wipefunc)(void*, size_t);
+  };
+}
diff --git a/contrib/epee/src/CMakeLists.txt b/contrib/epee/src/CMakeLists.txt
@@ -26,7 +26,7 @@
 # STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
 # THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-add_library(epee STATIC hex.cpp http_auth.cpp mlog.cpp net_utils_base.cpp string_tools.cpp)
+add_library(epee STATIC hex.cpp http_auth.cpp mlog.cpp net_utils_base.cpp string_tools.cpp wipeable_string.cpp)
 if (USE_READLINE AND GNU_READLINE_FOUND)
   add_library(epee_readline STATIC readline_buffer.cpp)
 endif()

diff --git a/contrib/epee/src/http_auth.cpp b/contrib/epee/src/http_auth.cpp
@@ -125,6 +125,14 @@ namespace
       {
         (*this)(boost::string_ref(arg));
       }
+      void operator()(const epee::wipeable_string& arg) const
+      {
+        md5::MD5Update(
+          std::addressof(ctx),
+          reinterpret_cast<const std::uint8_t*>(arg.data()),
+          arg.size()
+        );
+      }
 
       md5::MD5_CTX& ctx;
     };

diff --git a/contrib/epee/src/wipeable_string.cpp b/contrib/epee/src/wipeable_string.cpp
@@ -0,0 +1,146 @@
+// Copyright (c) 2017, The Monero Project
+// 
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are
+// permitted provided that the following conditions are met:
+// 
+// 1. Redistributions of source code must retain the above copyright notice, this list of
+//    conditions and the following disclaimer.
+// 
+// 2. Redistributions in binary form must reproduce the above copyright notice, this list
+//    of conditions and the following disclaimer in the documentation and/or other
+//    materials provided with the distribution.
+// 
+// 3. Neither the name of the copyright holder nor the names of its contributors may be
+//    used to endorse or promote products derived from this software without specific
+//    prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#include <string.h>
+#include "misc_log_ex.h"
+#include "wipeable_string.h"
+
+namespace epee
+{
+
+void *(*wipeable_string::wipefunc)(void*, size_t) = NULL;
+
+wipeable_string::wipeable_string(const wipeable_string &other):
+  buffer(other.buffer)
+{
+}
+
+wipeable_string::wipeable_string(wipeable_string &&other)
+{
+  if (&other == this)
+    return;
+  buffer = std::move(other.buffer);
+}
+
+wipeable_string::wipeable_string(const std::string &other)
+{
+  grow(other.size());
+  memcpy(buffer.data(), other.c_str(), size());
+}
+
+wipeable_string::wipeable_string(std::string &&other)
+{
+  CHECK_AND_ASSERT_THROW_MES(wipefunc, "wipefunc is not set");
+  grow(other.size());
+  memcpy(buffer.data(), other.c_str(), size());
+  if (!other.empty())
+  {
+    wipefunc(&other[0], other.size()); // we're kinda left with this again aren't we
+    other = std::string();
+  }
+}
+
+wipeable_string::wipeable_string(const char *s)
+{
+  grow(strlen(s));
+  memcpy(buffer.data(), s, size());
+}
+
+wipeable_string::~wipeable_string()
+{
+  wipe();
+}
+
+void wipeable_string::wipe()
+{
+  CHECK_AND_ASSERT_THROW_MES(wipefunc, "wipefunc is not set");
+  wipefunc(buffer.data(), buffer.size() * sizeof(char));
+}
+
+void wipeable_string::grow(size_t sz, size_t reserved)
+{
+  CHECK_AND_ASSERT_THROW_MES(wipefunc, "wipefunc is not set");
+  if (reserved == 0)
+    reserved = sz;
+  CHECK_AND_ASSERT_THROW_MES(reserved >= sz, "reserved < sz");
+  if (reserved <= buffer.capacity())
+    return;
+  size_t old_sz = buffer.size();
+  std::unique_ptr<char[]> tmp{new char[old_sz]};
+  memcpy(tmp.get(), buffer.data(), old_sz * sizeof(char));
+  wipefunc(buffer.data(), old_sz * sizeof(char));
+  buffer.reserve(reserved);
+  buffer.resize(sz);
+  memcpy(buffer.data(), tmp.get(), sz * sizeof(char));
+  wipefunc(tmp.get(), old_sz * sizeof(char));
+}
+
+void wipeable_string::push_back(char c)
+{
+  grow(size() + 1);
+  buffer.push_back(c);
+}
+
+void wipeable_string::pop_back()
+{
+  resize(size() - 1);
+}
+
+void wipeable_string::resize(size_t sz)
+{
+  CHECK_AND_ASSERT_THROW_MES(wipefunc, "wipefunc is not set");
+  if (sz < buffer.size())
+    wipefunc(buffer.data() + sz, buffer.size() - sz);
+  grow(sz);
+}
+
+void wipeable_string::reserve(size_t sz)
+{
+  grow(size(), sz);
+}
+
+void wipeable_string::clear()
+{
+  resize(0);
+}
+
+wipeable_string &wipeable_string::operator=(wipeable_string &&other)
+{
+  if (&other != this)
+    buffer = std::move(other.buffer);
+  return *this;
+}
+
+wipeable_string &wipeable_string::operator=(const wipeable_string &other)
+{
+  if (&other != this)
+    buffer = other.buffer;
+  return *this;
+}
+
+}
diff --git a/src/common/password.cpp b/src/common/password.cpp
@@ -56,7 +56,7 @@ namespace
     return 0 != _isatty(_fileno(stdin));
   }
 
-  bool read_from_tty(std::string& pass)
+  bool read_from_tty(epee::wipeable_string& pass)
   {
     static constexpr const char BACKSPACE = 8;
 
@@ -88,8 +88,7 @@ namespace
       {
         if (!pass.empty())
         {
-          pass.back() = '\0';
-          pass.resize(pass.size() - 1);
+          pass.pop_back();
         }
       }
       else
@@ -127,7 +126,7 @@ namespace
     return ch;
   }
 
-  bool read_from_tty(std::string& aPass)
+  bool read_from_tty(epee::wipeable_string& aPass)
   {
     static constexpr const char BACKSPACE = 127;
 
@@ -148,8 +147,7 @@ namespace
       {
         if (!aPass.empty())
         {
-          aPass.back() = '\0';
-          aPass.resize(aPass.size() - 1);
+          aPass.pop_back();
         }
       }
       else
@@ -163,15 +161,7 @@ namespace
 
 #endif // end !WIN32
 
-  void clear(std::string& pass) noexcept
-  {
-    // technically, the std::string documentation says the data should not be modified,
-    // but there seems to be no way to get a non const raw pointer to the data
-    memwipe((void*)pass.data(), pass.size());
-    pass.clear();
-  }
-
-  bool read_from_tty(const bool verify, const char *message, std::string& pass1, std::string& pass2)
+  bool read_from_tty(const bool verify, const char *message, epee::wipeable_string& pass1, epee::wipeable_string& pass2)
   {
     while (true)
     {
@@ -187,8 +177,8 @@ namespace
         if(pass1!=pass2)
         {
           std::cout << "Passwords do not match! Please try again." << std::endl;
-          clear(pass1);
-          clear(pass2);
+          pass1.clear();
+          pass2.clear();
         }
         else //new password matches
           return true;
@@ -201,7 +191,7 @@ namespace
     return false;
   }
 
-  bool read_from_file(std::string& pass)
+  bool read_from_file(epee::wipeable_string& pass)
   {
     pass.reserve(tools::password_container::max_password_size);
     for (size_t i = 0; i < tools::password_container::max_password_size; ++i)
@@ -236,7 +226,7 @@ namespace tools
 
   password_container::~password_container() noexcept
   {
-    clear(m_password);
+    m_password.clear();
   }
 
   boost::optional<password_container> password_container::prompt(const bool verify, const char *message)
@@ -252,9 +242,8 @@ namespace tools
   boost::optional<login> login::parse(std::string&& userpass, bool verify, const std::function<boost::optional<password_container>(bool)> &prompt)
   {
     login out{};
-    password_container wipe{std::move(userpass)};
 
-    const auto loc = wipe.password().find(':');
+    const auto loc = userpass.find(':');
     if (loc == std::string::npos)
     {
       auto result = prompt(verify);
@@ -265,10 +254,11 @@ namespace tools
     }
     else
     {
-      out.password = password_container{wipe.password().substr(loc + 1)};
+      out.password = password_container{userpass.substr(loc + 1)};
     }
 
-    out.username = wipe.password().substr(0, loc);
+    out.username = userpass.substr(0, loc);
+    password_container wipe{std::move(userpass)};
     return {std::move(out)};
   }
 } 
diff --git a/src/common/password.h b/src/common/password.h
@@ -32,6 +32,7 @@
 
 #include <string>
 #include <boost/optional/optional.hpp>
+#include "wipeable_string.h"
 
 namespace tools
 {
@@ -58,11 +59,10 @@ namespace tools
     password_container& operator=(const password_container&) = delete;
     password_container& operator=(password_container&&) = default;
 
-    const std::string& password() const noexcept { return m_password; }
+    const epee::wipeable_string &password() const noexcept { return m_password; }
 
   private:
-    //! TODO Custom allocator that locks to RAM?
-    std::string m_password;
+    epee::wipeable_string m_password;
   };
 
   struct login