Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

added concept of expose_mut. reference to protected #2

Merged
merged 12 commits into from
Sep 8, 2024
Merged

added concept of expose_mut. reference to protected #2

Show file tree
Hide file tree
Changes from 9 commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
b193160
added concept of expose_mut. reference to protected
radumarias Sep 8, 2024
e44992f
Merge branch 'patch-1'
radumarias Sep 8, 2024
fc8befa
Rename ci.yaml to ci.yaml
radumarias Sep 8, 2024
4a75c13
Update ci.yaml
radumarias Sep 8, 2024
36ebf1d
clippy
radumarias Sep 8, 2024
99ab6a7
Update ci.yaml
radumarias Sep 8, 2024
bdf08cf
Update ci.yaml
radumarias Sep 8, 2024
d6037a0
windows guard
radumarias Sep 8, 2024
afa62fb
use common const for mprotect flags
radumarias Sep 8, 2024
0adafee
Remove mprotect
Eyob94 Sep 8, 2024
0bc68a3
Merge branch 'master' into master
Eyob94 Sep 8, 2024
ee1a842
Remove unnecessary qualifications
Eyob94 Sep 8, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/workspaces/ci.yaml → .github/workflows/ci.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,8 +18,8 @@ jobs:
runs-on: ${{ matrix.runner }}
strategy:
matrix:
runner: [ubuntu-latest, macos-latest, windows-latest]
fail-fast: false
# runner: [ubuntu-latest, macos-latest, windows-latest]
runner: [windows-latest]
steps:
- uses: actions/checkout@v4

Expand Down
1 change: 1 addition & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1 +1,2 @@
/target
/.idea
4 changes: 3 additions & 1 deletion Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@ version = "0.1.0"
edition = "2021"

[dependencies]
libc = "0.2.158"
memsec = "0.7.0"
zeroize = "1.8.1"

[target.'cfg(unix)'.dependencies]
libc = "0.2.158"
178 changes: 113 additions & 65 deletions src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,12 +9,10 @@ use core::{
any,
fmt::{self, Debug},
};
use libc::{PROT_NONE, PROT_READ, PROT_WRITE};
use memsec::{mlock, mprotect, munlock};
use std::{mem, ptr::NonNull};

use std::ops::{Deref, DerefMut};
use std::ptr::NonNull;
use memsec::{mlock, mprotect, munlock, Prot};
use zeroize::{Zeroize, ZeroizeOnDrop};

pub use zeroize;

/// Wrapper for the inner secret. Can be exposed by [`ExposeSecret`]
Expand All @@ -25,29 +23,29 @@ pub struct SecretBox<S: Zeroize> {

impl<S: Zeroize> Zeroize for SecretBox<S> {
fn zeroize(&mut self) {
let len = mem::size_of_val(&*self.inner_secret);
self.inner_secret.as_mut().zeroize()
}
}

impl<S: Zeroize> Drop for SecretBox<S> {
fn drop(&mut self) {
let len = size_of_val(&*self.inner_secret);
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this the same as std::mem::size_of_val? It's not compiling on my computer

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should be as it use mem. but add full path or remove and use again


let secret_ptr = self.inner_secret.as_ref() as *const S;

unsafe {
if !munlock(secret_ptr as *mut u8, len) {
eprintln!("Unable to munlock variable")
panic!("Unable to munlock variable")
}

if !mprotect(
NonNull::new(secret_ptr as *mut S).expect("Unable to convert ptr to NonNull"),
PROT_READ | PROT_WRITE,
Prot::ReadWriteExec,
) {
eprintln!("Unable to unprotect variable")
panic!("Unable to unprotect variable")
}
}

self.inner_secret.as_mut().zeroize()
}
}

impl<S: Zeroize> Drop for SecretBox<S> {
fn drop(&mut self) {
self.zeroize()
}
}
Expand All @@ -63,7 +61,7 @@ impl<S: Zeroize> From<Box<S>> for SecretBox<S> {
impl<S: Zeroize> SecretBox<S> {
/// Create a secret value using a pre-boxed value.
pub fn new(boxed_secret: Box<S>) -> Self {
let len = mem::size_of_val(&*boxed_secret);
let len = size_of_val(&*boxed_secret);
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here


let secret_ptr = Box::into_raw(boxed_secret);

Expand All @@ -74,9 +72,9 @@ impl<S: Zeroize> SecretBox<S> {

if !mprotect(
NonNull::new(secret_ptr).expect("Unable to convert box to NonNull"),
PROT_NONE,
Prot::NoAccess,
) {
panic!("Unable to protect secret")
panic!("Unable to mprotect secret")
}
}

Expand All @@ -93,7 +91,7 @@ impl<S: Zeroize + Default> SecretBox<S> {
/// Create a secret value using a function that can initialize the vale in-place.
pub fn new_with_mut(ctr: impl FnOnce(&mut S)) -> Self {
let mut secret = Self::default();
ctr(secret.expose_secret().inner_secret_mut());
ctr(&mut *secret.expose_secret_mut());
secret
}
}
Expand Down Expand Up @@ -129,10 +127,8 @@ impl<S: Zeroize + Clone> SecretBox<S> {

impl<S: Zeroize + Default> Default for SecretBox<S> {
fn default() -> Self {
Self {
inner_secret: Box::<S>::default(),
protected: false,
}
let inner_secret = Box::<S>::default();
SecretBox::new(inner_secret)
}
}

Expand All @@ -147,79 +143,111 @@ where
S: CloneableSecret,
{
fn clone(&self) -> Self {
SecretBox {
inner_secret: self.inner_secret.clone(),
protected: false,
}
SecretBox::new(self.inner_secret.clone())
}
}

impl<S: Zeroize> ExposeSecret<S> for SecretBox<S> {
fn expose_secret(&mut self) -> SecretGuard<'_, S> {
SecretGuard::new(self.inner_secret.as_mut(), self.protected)
SecretGuard::new(&self.inner_secret, &mut self.protected)
}

fn expose_secret_mut(&mut self) -> SecretGuardMut<'_, S> {
SecretGuardMut::new(&mut self.inner_secret, &mut self.protected)
}
}

/// Secret Guard that holds a mutable to reference to the secret
/// Secret Guard that holds a reference to the secret.
pub struct SecretGuard<'a, S>
where
S: Zeroize,
{
data: &'a S,
protected: &'a mut bool,
}

impl<S> Deref for SecretGuard<'_, S>
where
S: Zeroize,
{
type Target = S;

fn deref(&self) -> &Self::Target {
self.data
}
}

/// Secret Guard that holds a mutable to reference to the secret.
pub struct SecretGuardMut<'a, S>
where
S: Zeroize,
{
data: &'a mut S,
protected: bool,
protected: &'a mut bool,
}

impl<S> Deref for SecretGuardMut<'_, S>
where
S: Zeroize,
{
type Target = S;

fn deref(&self) -> &Self::Target {
self.data
}
}

impl<S> DerefMut for SecretGuardMut<'_, S>
where
S: Zeroize,
{
fn deref_mut(&mut self) -> &mut Self::Target {
self.data
}
}

impl<'a, S: Zeroize> SecretGuard<'a, S> {
/// Create a new SecretGuard instance.
pub fn new(data: &'a mut S, protected: bool) -> Self {
pub fn new(data: &'a S, protected: &'a mut bool) -> Self {
Self { data, protected }
}
/// Get a shared reference to the inner secret
pub fn inner_secret(&mut self) -> &S {
}

impl<'a, S: Zeroize> SecretGuardMut<'a, S> {
/// Create a new SecretGuard instance.
pub fn new(data: &'a mut S, protected: &'a mut bool) -> Self {
Self { data, protected }
}
}

impl<'a, S: Zeroize> Drop for SecretGuard<'a, S> {
fn drop(&mut self) {
let secret_ptr = self.data as *const S;

if self.protected {
if !*self.protected {
unsafe {
if !mprotect(
NonNull::new(secret_ptr as *mut S).expect("Unable to convert ptr to NonNull"),
PROT_READ,
Prot::NoAccess,
) {
panic!("Unable to protect secret_guard")
panic!("Unable to mprotect memory")
}
}
}
self.protected = false;
self.data
}

/// Get an exclusive reference to the inner secret
pub fn inner_secret_mut(&mut self) -> &mut S {
let secret_ptr = self.data as *const S;

unsafe {
if !mprotect(
NonNull::new(secret_ptr as *mut S).expect("Unable to convert ptr to NonNull"),
PROT_READ | PROT_WRITE,
) {
panic!("Unable to protect secret_guard")
}
}
self.protected = false;
self.data
}
}

impl<'a, S: Zeroize> Drop for SecretGuard<'a, S> {
impl<'a, S: Zeroize> Drop for SecretGuardMut<'a, S> {
fn drop(&mut self) {
let secret_ptr = self.data as *const S;

if !self.protected {
if !*self.protected {
unsafe {
if !mprotect(
NonNull::new(secret_ptr as *mut S).expect("Unable to convert ptr to NonNull"),
PROT_NONE,
Prot::NoAccess,
) {
panic!("Unable to protect memory")
panic!("Unable to mprotect memory")
}
}
}
Expand All @@ -231,13 +259,17 @@ pub trait CloneableSecret: Clone + Zeroize {}

/// Create a SecretGuard that holds a reference to the secret
pub trait ExposeSecret<S: Zeroize> {
/// Expose secret: this is the only method providing access to a secret.
/// Expose secret as non-mutable.
fn expose_secret(&mut self) -> SecretGuard<'_, S>;

/// Expose secret as mutable.
fn expose_secret_mut(&mut self) -> SecretGuardMut<'_, S>;
}

#[cfg(test)]
mod tests {
use super::*;

#[derive(Debug, Clone, Default)]
struct TestSecret {
data: Vec<u8>,
Expand Down Expand Up @@ -269,7 +301,7 @@ mod tests {
fn test_secret_box_drop_zeroizes() {
let secret = Box::new(TestSecret::new(10));
let mut secret_box = SecretBox::new(secret);
assert!(secret_box.expose_secret().inner_secret().check_non_zero());
assert!((*secret_box.expose_secret()).check_non_zero());

drop(secret_box);

Expand All @@ -284,17 +316,17 @@ mod tests {
let secret = Box::new(TestSecret::new(10));
let mut secret_box = SecretBox::new(secret);
{
let mut exposed = secret_box.expose_secret();
exposed.inner_secret_mut().data[0] = 42;
let mut exposed = secret_box.expose_secret_mut();
(*exposed).data[0] = 42;
}

assert_eq!(secret_box.expose_secret().inner_secret().data[0], 42);
assert_eq!((*secret_box.expose_secret()).data[0], 42);
}

#[test]
fn test_secret_box_new_with_ctr() {
let mut secret_box = SecretBox::new_with_ctr(|| TestSecret::new(10));
assert!(secret_box.expose_secret().inner_secret().check_non_zero());
assert!((*secret_box.expose_secret()).check_non_zero());
}

#[test]
Expand All @@ -303,8 +335,24 @@ mod tests {
SecretBox::try_new_with_ctr(|| Ok(TestSecret::new(10)));

match result {
Ok(mut secret_box) => assert!(secret_box.expose_secret().inner_secret().check_non_zero()),
Ok(mut secret_box) => assert!((*secret_box.expose_secret()).check_non_zero()),
Err(_) => panic!("Expected Ok variant"),
}
}

#[test]
fn test_mprotect() {
let a = 2;
let ptr = &a as *const i32;
unsafe {
assert!(mprotect(NonNull::new(ptr as *mut i32).unwrap(), Prot::NoAccess));
assert!(mprotect(NonNull::new(ptr as *mut i32).unwrap(), Prot::ReadOnly));
assert!(mprotect(NonNull::new(ptr as *mut i32).unwrap(), Prot::WriteOnly));
assert!(mprotect(NonNull::new(ptr as *mut i32).unwrap(), Prot::ReadWrite));
assert!(mprotect(NonNull::new(ptr as *mut i32).unwrap(), Prot::ReadExec));
assert!(mprotect(NonNull::new(ptr as *mut i32).unwrap(), Prot::WriteExec));
assert!(mprotect(NonNull::new(ptr as *mut i32).unwrap(), Prot::Execute));
assert!(mprotect(NonNull::new(ptr as *mut i32).unwrap(), Prot::ReadWriteExec));
}
}
}