Split out erasing all passwords into a separate method (#795617)

Move zeroing of the locked memory into separate PWStore::erase_all()
private method.  Then use this in the PWStore destructor.  This is so
that zeroing of all passwords can be unit tested independently of
destructing the singleton PWStore object.

Bug 795617 - Implement opening and closing of LUKS mappings
This commit is contained in:
Mike Fleetwood 2017-11-08 16:32:47 +00:00 committed by Curtis Gedak
parent c6657aab9e
commit e2cb8b3126
1 changed files with 24 additions and 16 deletions

View File

@ -47,6 +47,7 @@ public:
private: private:
iterator find_key( const Glib::ustring & key ); iterator find_key( const Glib::ustring & key );
void erase_all();
std::vector<PWEntry> pw_entries; // Linear vector of password entries std::vector<PWEntry> pw_entries; // Linear vector of password entries
char * protected_mem; // Block of virtual memory locked into RAM char * protected_mem; // Block of virtual memory locked into RAM
@ -94,24 +95,9 @@ PWStore::PWStore()
PWStore::~PWStore() PWStore::~PWStore()
{ {
// WARNING: erase_all();
// memset() can be optimised away if the compiler knows the memory is not accessed
// again. In this case the pointer to the zeroed memory is passed to munmap()
// afterwards so the compiler has to assume the memory is accessed so can't
// optimise the memset() away.
// Reference:
// * SEI CERT C Coding Standard, MSC06-C. Beware of compiler optimizations
// https://www.securecoding.cert.org/confluence/display/c/MSC06-C.+Beware+of+compiler+optimizations
//
// NOTE:
// For secure overwriting of memory C11 has memset_s(), Linux kernel has
// memzero_explicit(), FreeBSD/OpenBSD have explicit_bzero() and Windows has
// SecureZeroMemory().
if ( protected_mem != NULL ) if ( protected_mem != NULL )
{
memset( protected_mem, '\0', ProtectedMemSize );
munmap( protected_mem, ProtectedMemSize ); munmap( protected_mem, ProtectedMemSize );
}
} }
bool PWStore::insert( const Glib::ustring & key, const char * password ) bool PWStore::insert( const Glib::ustring & key, const char * password )
@ -184,6 +170,28 @@ PWStore::iterator PWStore::find_key( const Glib::ustring & key )
return pw_entries.end(); return pw_entries.end();
} }
void PWStore::erase_all()
{
pw_entries.clear();
if ( protected_mem != NULL );
// WARNING:
// memset() can be optimised away if the compiler knows the memory is not
// accessed again. In this case this memset() is in a separate method
// which usually bounds such optimisations. Also in the parent method the
// the pointer to the zeroed memory is passed to munmap() afterwards which
// the compiler has to assume the memory is accessed so it can't optimise
// the memset() away.
// Reference:
// * SEI CERT C Coding Standard, MSC06-C. Beware of compiler optimizations
// https://www.securecoding.cert.org/confluence/display/c/MSC06-C.+Beware+of+compiler+optimizations
//
// NOTE:
// For secure overwriting of memory C11 has memset_s(), Linux kernel has
// memzero_explicit(), FreeBSD/OpenBSD have explicit_bzero() and Windows
// has SecureZeroMemory().
memset( protected_mem, '\0', ProtectedMemSize );
}
// The single password RAM store // The single password RAM store
static PWStore single_pwstore; static PWStore single_pwstore;