Use RAII for all that zero-filling
This commit is contained in:
Celtic Minstrel
parent
894ee43643
commit
ebe360dfa5
1 changed files with 35 additions and 29 deletions
|
|
@ -31,11 +31,23 @@ See the COPYING file for more details.
|
|||
static lg::log_domain log_config("config");
|
||||
#define ERR_CFG LOG_STREAM(err , log_config)
|
||||
|
||||
class secure_buffer : public std::vector<unsigned char>
|
||||
{
|
||||
public:
|
||||
template<typename... T> secure_buffer(T&&... args)
|
||||
: vector<unsigned char>(std::forward<T>(args)...)
|
||||
{}
|
||||
~secure_buffer()
|
||||
{
|
||||
std::fill(begin(), end(), '\0');
|
||||
}
|
||||
};
|
||||
|
||||
struct login_info
|
||||
{
|
||||
std::string username, server;
|
||||
std::vector<unsigned char> key;
|
||||
login_info(const std::string& username, const std::string& server, const std::vector<unsigned char>& key)
|
||||
secure_buffer key;
|
||||
login_info(const std::string& username, const std::string& server, const secure_buffer& key)
|
||||
: username(username), server(server), key(key)
|
||||
{}
|
||||
login_info(const std::string& username, const std::string& server)
|
||||
|
|
@ -52,11 +64,11 @@ static std::vector<login_info> credentials;
|
|||
// Separate password entries with formfeed
|
||||
static const unsigned char CREDENTIAL_SEPARATOR = '\f';
|
||||
|
||||
static std::vector<unsigned char> encrypt(const std::vector<unsigned char>& text, const std::vector<unsigned char>& key);
|
||||
static std::vector<unsigned char> decrypt(const std::vector<unsigned char>& text, const std::vector<unsigned char>& key);
|
||||
static std::vector<unsigned char> build_key(const std::string& server, const std::string& login);
|
||||
static std::vector<unsigned char> escape(const std::vector<unsigned char>& text);
|
||||
static std::vector<unsigned char> unescape(const std::vector<unsigned char>& text);
|
||||
static secure_buffer encrypt(const secure_buffer& text, const secure_buffer& key);
|
||||
static secure_buffer decrypt(const secure_buffer& text, const secure_buffer& key);
|
||||
static secure_buffer build_key(const std::string& server, const std::string& login);
|
||||
static secure_buffer escape(const secure_buffer& text);
|
||||
static secure_buffer unescape(const secure_buffer& text);
|
||||
|
||||
static std::string get_system_username()
|
||||
{
|
||||
|
|
@ -84,7 +96,6 @@ static void clear_credentials()
|
|||
for(auto& cred : credentials) {
|
||||
std::fill(cred.username.begin(), cred.username.end(), '\0');
|
||||
std::fill(cred.server.begin(), cred.server.end(), '\0');
|
||||
std::fill(cred.key.begin(), cred.key.end(), '\0');
|
||||
}
|
||||
credentials.clear();
|
||||
}
|
||||
|
|
@ -152,11 +163,10 @@ namespace preferences
|
|||
|
||||
void set_password(const std::string& server, const std::string& login, const std::string& key)
|
||||
{
|
||||
std::vector<unsigned char> temp(key.begin(), key.end());
|
||||
secure_buffer temp(key.begin(), key.end());
|
||||
if(!remember_password()) {
|
||||
clear_credentials();
|
||||
credentials.emplace_back(login, server, encrypt(temp, build_key(server, login)));
|
||||
std::fill(temp.begin(), temp.end(), '\0');
|
||||
return;
|
||||
}
|
||||
auto cred = std::find_if(credentials.begin(), credentials.end(), [&](const login_info& cred) {
|
||||
|
|
@ -167,7 +177,6 @@ namespace preferences
|
|||
cred = credentials.emplace(credentials.end(), login, server);
|
||||
}
|
||||
cred->key = encrypt(temp, build_key(server, login));
|
||||
std::fill(temp.begin(), temp.end(), '\0');
|
||||
}
|
||||
|
||||
void load_credentials()
|
||||
|
|
@ -182,22 +191,20 @@ namespace preferences
|
|||
}
|
||||
filesystem::scoped_istream stream = filesystem::istream_file(cred_file, false);
|
||||
// Credentials file is a binary blob, so use streambuf iterator
|
||||
std::vector<unsigned char> data((std::istreambuf_iterator<char>(*stream)), (std::istreambuf_iterator<char>()));
|
||||
secure_buffer data((std::istreambuf_iterator<char>(*stream)), (std::istreambuf_iterator<char>()));
|
||||
data = decrypt(data, build_key("global", get_system_username()));
|
||||
if(data.empty() || data[0] != CREDENTIAL_SEPARATOR) {
|
||||
ERR_CFG << "Invalid data in credentials file\n";
|
||||
std::fill(data.begin(), data.end(), '\0');
|
||||
return;
|
||||
}
|
||||
for(const std::string& elem : utils::split(std::string(data.begin(), data.end()), CREDENTIAL_SEPARATOR, utils::REMOVE_EMPTY)) {
|
||||
size_t at = elem.find_last_of('@');
|
||||
size_t eq = elem.find_first_of('=', at + 1);
|
||||
if(at != std::string::npos && eq != std::string::npos) {
|
||||
std::vector<unsigned char> key(elem.begin() + eq + 1, elem.end());
|
||||
secure_buffer key(elem.begin() + eq + 1, elem.end());
|
||||
credentials.emplace_back(elem.substr(0, at), elem.substr(at + 1, eq - at - 1), unescape(key));
|
||||
}
|
||||
}
|
||||
std::fill(data.begin(), data.end(), '\0');
|
||||
}
|
||||
|
||||
void save_credentials()
|
||||
|
|
@ -206,7 +213,7 @@ namespace preferences
|
|||
filesystem::delete_file(filesystem::get_credentials_file());
|
||||
return;
|
||||
}
|
||||
std::vector<unsigned char> credentials_data(1, CREDENTIAL_SEPARATOR);
|
||||
secure_buffer credentials_data(1, CREDENTIAL_SEPARATOR);
|
||||
size_t offset = 1;
|
||||
for(const auto& cred : credentials) {
|
||||
credentials_data.resize(credentials_data.size() + cred.size(), CREDENTIAL_SEPARATOR);
|
||||
|
|
@ -216,7 +223,7 @@ namespace preferences
|
|||
std::copy(cred.server.begin(), cred.server.end(), credentials_data.begin() + offset);
|
||||
offset += cred.server.size();
|
||||
credentials_data[offset++] = '=';
|
||||
std::vector<unsigned char> key_escaped = escape(cred.key);
|
||||
secure_buffer key_escaped = escape(cred.key);
|
||||
// Escaping may increase the length, so resize again if so
|
||||
credentials_data.resize(credentials_data.size() + key_escaped.size() - cred.key.size());
|
||||
std::copy(key_escaped.begin(), key_escaped.end(), credentials_data.begin() + offset);
|
||||
|
|
@ -224,20 +231,19 @@ namespace preferences
|
|||
}
|
||||
try {
|
||||
filesystem::scoped_ostream credentials_file = filesystem::ostream_file(filesystem::get_credentials_file());
|
||||
std::vector<unsigned char> encrypted = encrypt(credentials_data, build_key("global", get_system_username()));
|
||||
secure_buffer encrypted = encrypt(credentials_data, build_key("global", get_system_username()));
|
||||
credentials_file->write(reinterpret_cast<const char*>(encrypted.data()), encrypted.size());
|
||||
} catch(filesystem::io_exception&) {
|
||||
ERR_CFG << "error writing to credentials file '" << filesystem::get_credentials_file() << "'" << std::endl;
|
||||
}
|
||||
std::fill(credentials_data.begin(), credentials_data.end(), '\0');
|
||||
}
|
||||
}
|
||||
|
||||
// TODO: Key-stretching (bcrypt was recommended)
|
||||
std::vector<unsigned char> build_key(const std::string& server, const std::string& login)
|
||||
secure_buffer build_key(const std::string& server, const std::string& login)
|
||||
{
|
||||
std::string sysname = get_system_username();
|
||||
std::vector<unsigned char> result(std::max<size_t>(server.size() + login.size() + sysname.size(), 32));
|
||||
secure_buffer result(std::max<size_t>(server.size() + login.size() + sysname.size(), 32));
|
||||
size_t i = 0;
|
||||
std::generate(result.begin(), result.end(), [&i]() {return 'x' ^ i++;});
|
||||
std::copy(login.begin(), login.end(), result.begin());
|
||||
|
|
@ -246,14 +252,14 @@ std::vector<unsigned char> build_key(const std::string& server, const std::strin
|
|||
return result;
|
||||
}
|
||||
|
||||
static std::vector<unsigned char> rc4_crypt(const std::vector<unsigned char>& text, const std::vector<unsigned char>& key)
|
||||
static secure_buffer rc4_crypt(const secure_buffer& text, const secure_buffer& key)
|
||||
{
|
||||
RC4_KEY cipher_key;
|
||||
RC4_set_key(&cipher_key, key.size(), key.data());
|
||||
const size_t block_size = key.size();
|
||||
const size_t blocks = text.size() / block_size;
|
||||
const size_t extra = text.size() % block_size;
|
||||
std::vector<unsigned char> result(text.size(), '\0');
|
||||
secure_buffer result(text.size(), '\0');
|
||||
for(size_t i = 0; i < blocks * block_size; i += block_size) {
|
||||
RC4(&cipher_key, block_size, text.data() + i, result.data() + i);
|
||||
}
|
||||
|
|
@ -264,19 +270,19 @@ static std::vector<unsigned char> rc4_crypt(const std::vector<unsigned char>& te
|
|||
return result;
|
||||
}
|
||||
|
||||
std::vector<unsigned char> encrypt(const std::vector<unsigned char>& text, const std::vector<unsigned char>& key)
|
||||
secure_buffer encrypt(const secure_buffer& text, const secure_buffer& key)
|
||||
{
|
||||
return rc4_crypt(text, key);
|
||||
}
|
||||
|
||||
std::vector<unsigned char> decrypt(const std::vector<unsigned char>& text, const std::vector<unsigned char>& key)
|
||||
secure_buffer decrypt(const secure_buffer& text, const secure_buffer& key)
|
||||
{
|
||||
return rc4_crypt(text, key);
|
||||
}
|
||||
|
||||
std::vector<unsigned char> unescape(const std::vector<unsigned char>& text)
|
||||
secure_buffer unescape(const secure_buffer& text)
|
||||
{
|
||||
std::vector<unsigned char> unescaped;
|
||||
secure_buffer unescaped;
|
||||
unescaped.reserve(text.size());
|
||||
bool escaping = false;
|
||||
for(char c : text) {
|
||||
|
|
@ -299,9 +305,9 @@ std::vector<unsigned char> unescape(const std::vector<unsigned char>& text)
|
|||
return unescaped;
|
||||
}
|
||||
|
||||
std::vector<unsigned char> escape(const std::vector<unsigned char>& text)
|
||||
secure_buffer escape(const secure_buffer& text)
|
||||
{
|
||||
std::vector<unsigned char> escaped;
|
||||
secure_buffer escaped;
|
||||
escaped.reserve(text.size());
|
||||
for(char c : text) {
|
||||
if(c == '\x1') {
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue