gparted/include/PasswordRAMStore.h

54 lines
1.8 KiB
C
Raw Normal View History

Add PasswordRAMStore module (#795617) Application level requirements for secure password management were set out in "LUKS password handling, threats and preventative measures" [1]. The requirements are: 1) Passwords are stored in RAM and are not allowed to be paged to swap. (However hibernating with GParted still running will write all of RAM to swap). 2) Passwords are wiped from RAM when no longer needed. When each password is no longer needed and when GParted closes. 3) Passwords are referenced by unique key. Recommend using LUKS UUIDs as the unique key. (Each LUKS password should only ever need to be entered once for each execution of GParted. Therefore the passwords can't be stored in any of the existing data structures such as Partitions or LUKS_Info cache because all of these are cleared and reloaded on each device refresh). There seems to be two possible implementation methods: use an existing library to provide secure memory handling, or write our own. Libgcrypt [2] and libsodium [3] cryptographic libraries both provide secure memory handling. (Secure memory is quite simple really, some virtual memory locked into RAM which is zeroed when no longer needed). Linking to an encryption library just to provide secure memory seems like using a sledge hammer to crack a nut. Also because of requirement (3) above a module is needed to "own" the pointers to the passwords in the secure memory. Managing the secure memory ourselves is probably no more code that that needed to interface to libgcrypt. Therefore handle the secure memory ourselves. So far the module is only compiled. It is not used anywhere in GParted. [1] LUKS password handling, threats and preventative measures https://bugzilla.gnome.org/show_bug.cgi?id=627701#c56 [2] libgcrypt general purpose cryptographic library, as used in GNU Privacy Guard https://gnupg.org/related_software/libgcrypt/ [3] libsodium crypto library https://download.libsodium.org/doc/ Bug 795617 - Implement opening and closing of LUKS mappings
2017-10-06 13:50:41 -06:00
/* Copyright (C) 2018 Mike Fleetwood
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
/* PasswordRAMStore
*
* Memory only store of passwords and passphrases. Works like an associative array with
* a unique key used to identify each password. Passwords are C strings which are stored
* in a block of the process' virtual memory locked into RAM. Looked up pointers to
* passwords are valid at least until the next time the store is modified by an insert or
* erase call. Passwords are wiped from memory when no longer wanted.
*
* Recommend using LUKS UUIDs as the key when storing LUKS passphrases.
*/
#ifndef GPARTED_PASSWORDRAMSTORE_H
#define GPARTED_PASSWORDRAMSTORE_H
#include <glibmm/ustring.h>
namespace GParted
{
class PasswordRAMStore
{
friend class PasswordRAMStoreTest; // To allow unit testing PasswordRAMStoreTest class
// access to private erase_all() method.
Add PasswordRAMStore module (#795617) Application level requirements for secure password management were set out in "LUKS password handling, threats and preventative measures" [1]. The requirements are: 1) Passwords are stored in RAM and are not allowed to be paged to swap. (However hibernating with GParted still running will write all of RAM to swap). 2) Passwords are wiped from RAM when no longer needed. When each password is no longer needed and when GParted closes. 3) Passwords are referenced by unique key. Recommend using LUKS UUIDs as the unique key. (Each LUKS password should only ever need to be entered once for each execution of GParted. Therefore the passwords can't be stored in any of the existing data structures such as Partitions or LUKS_Info cache because all of these are cleared and reloaded on each device refresh). There seems to be two possible implementation methods: use an existing library to provide secure memory handling, or write our own. Libgcrypt [2] and libsodium [3] cryptographic libraries both provide secure memory handling. (Secure memory is quite simple really, some virtual memory locked into RAM which is zeroed when no longer needed). Linking to an encryption library just to provide secure memory seems like using a sledge hammer to crack a nut. Also because of requirement (3) above a module is needed to "own" the pointers to the passwords in the secure memory. Managing the secure memory ourselves is probably no more code that that needed to interface to libgcrypt. Therefore handle the secure memory ourselves. So far the module is only compiled. It is not used anywhere in GParted. [1] LUKS password handling, threats and preventative measures https://bugzilla.gnome.org/show_bug.cgi?id=627701#c56 [2] libgcrypt general purpose cryptographic library, as used in GNU Privacy Guard https://gnupg.org/related_software/libgcrypt/ [3] libsodium crypto library https://download.libsodium.org/doc/ Bug 795617 - Implement opening and closing of LUKS mappings
2017-10-06 13:50:41 -06:00
public:
static bool insert( const Glib::ustring & key, const char * password );
static bool erase( const Glib::ustring & key );
static const char * lookup( const Glib::ustring & key );
private:
static void erase_all();
Add PasswordRAMStore module (#795617) Application level requirements for secure password management were set out in "LUKS password handling, threats and preventative measures" [1]. The requirements are: 1) Passwords are stored in RAM and are not allowed to be paged to swap. (However hibernating with GParted still running will write all of RAM to swap). 2) Passwords are wiped from RAM when no longer needed. When each password is no longer needed and when GParted closes. 3) Passwords are referenced by unique key. Recommend using LUKS UUIDs as the unique key. (Each LUKS password should only ever need to be entered once for each execution of GParted. Therefore the passwords can't be stored in any of the existing data structures such as Partitions or LUKS_Info cache because all of these are cleared and reloaded on each device refresh). There seems to be two possible implementation methods: use an existing library to provide secure memory handling, or write our own. Libgcrypt [2] and libsodium [3] cryptographic libraries both provide secure memory handling. (Secure memory is quite simple really, some virtual memory locked into RAM which is zeroed when no longer needed). Linking to an encryption library just to provide secure memory seems like using a sledge hammer to crack a nut. Also because of requirement (3) above a module is needed to "own" the pointers to the passwords in the secure memory. Managing the secure memory ourselves is probably no more code that that needed to interface to libgcrypt. Therefore handle the secure memory ourselves. So far the module is only compiled. It is not used anywhere in GParted. [1] LUKS password handling, threats and preventative measures https://bugzilla.gnome.org/show_bug.cgi?id=627701#c56 [2] libgcrypt general purpose cryptographic library, as used in GNU Privacy Guard https://gnupg.org/related_software/libgcrypt/ [3] libsodium crypto library https://download.libsodium.org/doc/ Bug 795617 - Implement opening and closing of LUKS mappings
2017-10-06 13:50:41 -06:00
};
} //GParted
#endif /* GPARTED_PASSWORDRAMSTORE_H */