gparted/include/PasswordRAMStore.h

/* Copyright (C) 2018 Mike Fleetwood
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, see <http://www.gnu.org/licenses/>.
 */


/* PasswordRAMStore
 *
 * Memory only store of passwords and passphrases.  Works like an associative array with
 * a unique key used to identify each password.  Passwords are C strings which are stored
 * in a block of the process' virtual memory locked into RAM.  Looked up pointers to
 * passwords are valid at least until the next time the store is modified by an insert or
 * erase call.  Passwords are wiped from memory when no longer wanted.
 *
 * Recommend using LUKS UUIDs as the key when storing LUKS passphrases.
 */

#ifndef GPARTED_PASSWORDRAMSTORE_H
#define GPARTED_PASSWORDRAMSTORE_H

#include <glibmm/ustring.h>

namespace GParted
{

class PasswordRAMStore
{
friend class PasswordRAMStoreTest;  // To allow unit testing PasswordRAMStoreTest class
                                    // access to private methods.

public:
	static bool store( const Glib::ustring & key, const char * password );
	static bool erase( const Glib::ustring & key );
	static const char * lookup( const Glib::ustring & key );

private:
	static void erase_all();
	static const char * get_protected_mem();
};

} //GParted

#endif /* GPARTED_PASSWORDRAMSTORE_H */
Add PasswordRAMStore module (#795617) Application level requirements for secure password management were set out in "LUKS password handling, threats and preventative measures" [1]. The requirements are: 1) Passwords are stored in RAM and are not allowed to be paged to swap. (However hibernating with GParted still running will write all of RAM to swap). 2) Passwords are wiped from RAM when no longer needed. When each password is no longer needed and when GParted closes. 3) Passwords are referenced by unique key. Recommend using LUKS UUIDs as the unique key. (Each LUKS password should only ever need to be entered once for each execution of GParted. Therefore the passwords can't be stored in any of the existing data structures such as Partitions or LUKS_Info cache because all of these are cleared and reloaded on each device refresh). There seems to be two possible implementation methods: use an existing library to provide secure memory handling, or write our own. Libgcrypt [2] and libsodium [3] cryptographic libraries both provide secure memory handling. (Secure memory is quite simple really, some virtual memory locked into RAM which is zeroed when no longer needed). Linking to an encryption library just to provide secure memory seems like using a sledge hammer to crack a nut. Also because of requirement (3) above a module is needed to "own" the pointers to the passwords in the secure memory. Managing the secure memory ourselves is probably no more code that that needed to interface to libgcrypt. Therefore handle the secure memory ourselves. So far the module is only compiled. It is not used anywhere in GParted. [1] LUKS password handling, threats and preventative measures https://bugzilla.gnome.org/show_bug.cgi?id=627701#c56 [2] libgcrypt general purpose cryptographic library, as used in GNU Privacy Guard https://gnupg.org/related_software/libgcrypt/ [3] libsodium crypto library https://download.libsodium.org/doc/ Bug 795617 - Implement opening and closing of LUKS mappings 2017-10-06 13:50:41 -06:00			`/* Copyright (C) 2018 Mike Fleetwood`
			`*`
			`* This program is free software; you can redistribute it and/or modify`
			`* it under the terms of the GNU General Public License as published by`
			`* the Free Software Foundation; either version 2 of the License, or`
			`* (at your option) any later version.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU General Public License`
			`* along with this program; if not, see <http://www.gnu.org/licenses/>.`
			`*/`


			`/* PasswordRAMStore`
			`*`
			`* Memory only store of passwords and passphrases. Works like an associative array with`
			`* a unique key used to identify each password. Passwords are C strings which are stored`
			`* in a block of the process' virtual memory locked into RAM. Looked up pointers to`
			`* passwords are valid at least until the next time the store is modified by an insert or`
			`* erase call. Passwords are wiped from memory when no longer wanted.`
			`*`
			`* Recommend using LUKS UUIDs as the key when storing LUKS passphrases.`
			`*/`

			`#ifndef GPARTED_PASSWORDRAMSTORE_H`
			`#define GPARTED_PASSWORDRAMSTORE_H`

			`#include <glibmm/ustring.h>`

			`namespace GParted`
			`{`

			`class PasswordRAMStore`
			`{`
Add unit testing of erasing all passwords (#795617) Test that all passwords are zeroed by PasswordRAMStore::erase_all(), the same method as used in the PasswordRAMStore destructor. Bug 795617 - Implement opening and closing of LUKS mappings 2017-11-10 00:39:04 -07:00			`friend class PasswordRAMStoreTest; // To allow unit testing PasswordRAMStoreTest class`
Simplify obtaining address of password memory for unit tests (#795617) Use private access into the PasswordRAMStore class to directly obtain the address of the locked memory, rather than inferring it from the address of the first stored password. This simplifies PasswordRAMStoreTest::SetUpTestCase() and avoids encoding most of the implementation knowledge that the first password will be stored at the start of the protected memory. Bug 795617 - Implement opening and closing of LUKS mappings 2017-11-10 00:57:06 -07:00			`// access to private methods.`
Add unit testing of erasing all passwords (#795617) Test that all passwords are zeroed by PasswordRAMStore::erase_all(), the same method as used in the PasswordRAMStore destructor. Bug 795617 - Implement opening and closing of LUKS mappings 2017-11-10 00:39:04 -07:00
Add PasswordRAMStore module (#795617) Application level requirements for secure password management were set out in "LUKS password handling, threats and preventative measures" [1]. The requirements are: 1) Passwords are stored in RAM and are not allowed to be paged to swap. (However hibernating with GParted still running will write all of RAM to swap). 2) Passwords are wiped from RAM when no longer needed. When each password is no longer needed and when GParted closes. 3) Passwords are referenced by unique key. Recommend using LUKS UUIDs as the unique key. (Each LUKS password should only ever need to be entered once for each execution of GParted. Therefore the passwords can't be stored in any of the existing data structures such as Partitions or LUKS_Info cache because all of these are cleared and reloaded on each device refresh). There seems to be two possible implementation methods: use an existing library to provide secure memory handling, or write our own. Libgcrypt [2] and libsodium [3] cryptographic libraries both provide secure memory handling. (Secure memory is quite simple really, some virtual memory locked into RAM which is zeroed when no longer needed). Linking to an encryption library just to provide secure memory seems like using a sledge hammer to crack a nut. Also because of requirement (3) above a module is needed to "own" the pointers to the passwords in the secure memory. Managing the secure memory ourselves is probably no more code that that needed to interface to libgcrypt. Therefore handle the secure memory ourselves. So far the module is only compiled. It is not used anywhere in GParted. [1] LUKS password handling, threats and preventative measures https://bugzilla.gnome.org/show_bug.cgi?id=627701#c56 [2] libgcrypt general purpose cryptographic library, as used in GNU Privacy Guard https://gnupg.org/related_software/libgcrypt/ [3] libsodium crypto library https://download.libsodium.org/doc/ Bug 795617 - Implement opening and closing of LUKS mappings 2017-10-06 13:50:41 -06:00			`public:`
Change to insert or replace PasswordRAMStore::store() interface (#795617) Replace the insert() method (which reports an error when inserting a password with a key which already exists) with the store() method which replaces or inserts the password depending on whether the key already exists or not respectively. There is also an optimisation that nothing is changed if the password to be replaced is the same as the one already stored. The code in Win_GParted::open_encrypted_partition() is simplified now it doesn't have to implement this pattern of behaviour itself. Bug 795617 - Implement opening and closing of LUKS mappings 2018-04-23 10:15:23 -06:00			`static bool store( const Glib::ustring & key, const char * password );`
Add PasswordRAMStore module (#795617) Application level requirements for secure password management were set out in "LUKS password handling, threats and preventative measures" [1]. The requirements are: 1) Passwords are stored in RAM and are not allowed to be paged to swap. (However hibernating with GParted still running will write all of RAM to swap). 2) Passwords are wiped from RAM when no longer needed. When each password is no longer needed and when GParted closes. 3) Passwords are referenced by unique key. Recommend using LUKS UUIDs as the unique key. (Each LUKS password should only ever need to be entered once for each execution of GParted. Therefore the passwords can't be stored in any of the existing data structures such as Partitions or LUKS_Info cache because all of these are cleared and reloaded on each device refresh). There seems to be two possible implementation methods: use an existing library to provide secure memory handling, or write our own. Libgcrypt [2] and libsodium [3] cryptographic libraries both provide secure memory handling. (Secure memory is quite simple really, some virtual memory locked into RAM which is zeroed when no longer needed). Linking to an encryption library just to provide secure memory seems like using a sledge hammer to crack a nut. Also because of requirement (3) above a module is needed to "own" the pointers to the passwords in the secure memory. Managing the secure memory ourselves is probably no more code that that needed to interface to libgcrypt. Therefore handle the secure memory ourselves. So far the module is only compiled. It is not used anywhere in GParted. [1] LUKS password handling, threats and preventative measures https://bugzilla.gnome.org/show_bug.cgi?id=627701#c56 [2] libgcrypt general purpose cryptographic library, as used in GNU Privacy Guard https://gnupg.org/related_software/libgcrypt/ [3] libsodium crypto library https://download.libsodium.org/doc/ Bug 795617 - Implement opening and closing of LUKS mappings 2017-10-06 13:50:41 -06:00			`static bool erase( const Glib::ustring & key );`
			`static const char * lookup( const Glib::ustring & key );`
Add unit testing of erasing all passwords (#795617) Test that all passwords are zeroed by PasswordRAMStore::erase_all(), the same method as used in the PasswordRAMStore destructor. Bug 795617 - Implement opening and closing of LUKS mappings 2017-11-10 00:39:04 -07:00
			`private:`
			`static void erase_all();`
Simplify obtaining address of password memory for unit tests (#795617) Use private access into the PasswordRAMStore class to directly obtain the address of the locked memory, rather than inferring it from the address of the first stored password. This simplifies PasswordRAMStoreTest::SetUpTestCase() and avoids encoding most of the implementation knowledge that the first password will be stored at the start of the protected memory. Bug 795617 - Implement opening and closing of LUKS mappings 2017-11-10 00:57:06 -07:00			`static const char * get_protected_mem();`
Add PasswordRAMStore module (#795617) Application level requirements for secure password management were set out in "LUKS password handling, threats and preventative measures" [1]. The requirements are: 1) Passwords are stored in RAM and are not allowed to be paged to swap. (However hibernating with GParted still running will write all of RAM to swap). 2) Passwords are wiped from RAM when no longer needed. When each password is no longer needed and when GParted closes. 3) Passwords are referenced by unique key. Recommend using LUKS UUIDs as the unique key. (Each LUKS password should only ever need to be entered once for each execution of GParted. Therefore the passwords can't be stored in any of the existing data structures such as Partitions or LUKS_Info cache because all of these are cleared and reloaded on each device refresh). There seems to be two possible implementation methods: use an existing library to provide secure memory handling, or write our own. Libgcrypt [2] and libsodium [3] cryptographic libraries both provide secure memory handling. (Secure memory is quite simple really, some virtual memory locked into RAM which is zeroed when no longer needed). Linking to an encryption library just to provide secure memory seems like using a sledge hammer to crack a nut. Also because of requirement (3) above a module is needed to "own" the pointers to the passwords in the secure memory. Managing the secure memory ourselves is probably no more code that that needed to interface to libgcrypt. Therefore handle the secure memory ourselves. So far the module is only compiled. It is not used anywhere in GParted. [1] LUKS password handling, threats and preventative measures https://bugzilla.gnome.org/show_bug.cgi?id=627701#c56 [2] libgcrypt general purpose cryptographic library, as used in GNU Privacy Guard https://gnupg.org/related_software/libgcrypt/ [3] libsodium crypto library https://download.libsodium.org/doc/ Bug 795617 - Implement opening and closing of LUKS mappings 2017-10-06 13:50:41 -06:00			`};`

			`} //GParted`

			`#endif /* GPARTED_PASSWORDRAMSTORE_H */`