Skip to content
This repository has been archived by the owner on Nov 6, 2020. It is now read-only.

Add type for passwords. #8920

Merged
merged 6 commits into from
Jun 22, 2018
Merged

Add type for passwords. #8920

merged 6 commits into from
Jun 22, 2018

Conversation

twittner
Copy link
Contributor

No description provided.

@parity-cla-bot
Copy link

It looks like @twittner signed our Contributor License Agreement. 👍

Many thanks,

Parity Technologies CLA Bot

@5chdn 5chdn added A0-pleasereview 🤓 Pull request needs code review. M4-core ⛓ Core client code / Rust. labels Jun 19, 2018
@5chdn 5chdn added this to the 1.12 milestone Jun 19, 2018
niklasad1
niklasad1 reviewed Jun 19, 2018
View reviewed changes
ethcore/src/account_provider/mod.rs
self.sstore.remove_account(&self.sstore.account_ref(&address)?, &password)?;
Ok(())
}

/// Changes the password of `account` from `password` to `new_password`. Fails if incorrect `password` given.
pub fn change_password(&self, address: &Address, password: String, new_password: String) -> Result<(), Error> {
pub fn change_password(&self, address: &Address, password: Password, new_password: Password) -> Result<(), Error> {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Out-of-scope for this PR:
Why not pass-by_ref here?

niklasad1
niklasad1 reviewed Jun 19, 2018
View reviewed changes
ethcore/src/account_provider/mod.rs
self.sstore.change_password(&self.sstore.account_ref(address)?, &password, &new_password)
}

/// Exports an account for given address.
pub fn export_account(&self, address: &Address, password: String) -> Result<KeyFile, Error> {
pub fn export_account(&self, address: &Address, password: Password) -> Result<KeyFile, Error> {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Out-of-scope for this PR:
Why not pass-by_ref here?

niklasad1
niklasad1 reviewed Jun 19, 2018
View reviewed changes
ethcore/src/account_provider/mod.rs
self.sstore.export_account(&self.sstore.account_ref(address)?, &password)
}

/// Helper method used for unlocking accounts.
fn unlock_account(&self, address: Address, password: String, unlock: Unlock) -> Result<(), Error> {
fn unlock_account(&self, address: Address, password: Password, unlock: Unlock) -> Result<(), Error> {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Out-of-scope for this PR:
Why not pass-by_ref here?

niklasad1
niklasad1 reviewed Jun 19, 2018
View reviewed changes
ethkey/src/password.rs Outdated
let p = vec.as_mut_ptr();
for i in 0..n {
unsafe {
ptr::write_volatile(p.offset(i as isize), 0)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it could be worth to add a comment and explaining why write_volatile is used here. i.e., to actually make sure that passwords are erased and not LLVM performs some magic optimization!

Also consider to simply the code to:

    let ptr = unsafe { s.as_mut_vec() };
    for byte in ptr {
        unsafe { ptr::write_volatile(byte, 0) }
    }

niklasad1
niklasad1 suggested changes Jun 19, 2018
View reviewed changes
Copy link
Collaborator

@niklasad1 niklasad1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good but document why volatile writes are used to erase the passwords in the memory!

@andresilva andresilva self-requested a review June 22, 2018 00:32
@5chdn
Copy link
Contributor

5chdn commented Jun 22, 2018

Needs 2nd review.

andresilva
andresilva approved these changes Jun 22, 2018
View reviewed changes
Copy link
Contributor

@andresilva andresilva left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

ethkey/src/password.rs Outdated

use std::ptr;

#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we provide a custom Debug that prints a static Password(******)? 😄

@andresilva andresilva added A8-looksgood 🦄 Pull request is reviewed well. and removed A0-pleasereview 🤓 Pull request needs code review. labels Jun 22, 2018
dvdplm
dvdplm approved these changes Jun 22, 2018
View reviewed changes
Copy link
Collaborator

@dvdplm dvdplm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like a good improvement. I wonder if we should accompany this with std::mem::drop(password) calls in the appropriate places as well?
Minor grumble: indentation in a few places look off: https://github.com/paritytech/parity/pull/8920/files#diff-d3979a57cbb0a0d1504cc1f5bab2d007R36 and https://github.com/paritytech/parity/pull/8920/files#diff-4d8151f665cbc6bf2a9fe83d64a61b64R35

andresilva
andresilva reviewed Jun 22, 2018
View reviewed changes
ethkey/src/password.rs Outdated
impl Drop for Password {
fn drop(&mut self) {
unsafe {
for byte_ref in self.0.as_mut_vec() {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Replace indentation spaces with tabs.

andresilva
andresilva reviewed Jun 22, 2018
View reviewed changes
util/mem/src/lib.rs Outdated
ptr::write_volatile(p.offset(i as isize), 0)
unsafe {
for byte_ref in self.mem.as_mut() {
ptr::write_volatile(byte_ref, 0)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tabs :)

@andresilva andresilva added A5-grumble 🔥 Pull request has minor issues that must be addressed before merging. and removed A8-looksgood 🦄 Pull request is reviewed well. labels Jun 22, 2018
@dvdplm dvdplm added A8-looksgood 🦄 Pull request is reviewed well. and removed A5-grumble 🔥 Pull request has minor issues that must be addressed before merging. labels Jun 22, 2018
@dvdplm dvdplm merged commit 41348de into master Jun 22, 2018
@twittner twittner deleted the tw/password-type branch June 22, 2018 13:13
@niklasad1
Copy link
Collaborator

@dvdplm

Explicit mem::drop is just to drop a value earlier than when it goes out-of-scope and in this case it doesn´t make sense to me! In this case, drop will called on the String after the drop on Password has been executed!

Also in context of this issue the essential part is the zero out the memory in RAM holding the password because after Rust is dropping the value (calling free() I guess), it's no guarantee that it actually gets destroyed it´s up the each Operating System's free() implementation to decide what to do with the memory. It might just be in memory until a malloc() call with the specific chunk size arrives for efficiency reasons!

@dvdplm
Copy link
Collaborator

dvdplm commented Jun 22, 2018

@niklasad1 makes sense, especially considering that String is not Copy. My (wrong) thinking was this: perhaps there are places in the code where the Password is copied as part of a method call and so if we are worried about the data lingering in memory we might want to zero out the mem of the copy asap instead of waiting for it to go out of scope. Brainfart. :)

@andresilva
Copy link
Contributor

@niklasad1 I think what @dvdplm meant was to use drop to make sure the value is dropped as soon as possible (before end of scope), the idea would be to minimize the amount of time sensitive information remains in memory. I didn't check the "owning" sites to see if there was any place where it made sense to drop eagerly.

dvdplm added a commit that referenced this pull request Jun 22, 2018
@dvdplm
Merge branch 'master' into refactor/hashdb-generic
deed06e 
* master:
  Add type for passwords. (#8920)
  deps: bump fs-swap (#8953)
  Eliminate some more `transmute()` (#8879)
  Restrict vault.json permssion to owner and using random suffix for temp vault.json file (#8932)
  print SS.self_public when starting SS node (#8949)
  scripts: minor improvements (#8930)
ordian added a commit to ordian/parity that referenced this pull request Jun 27, 2018
@ordian
Merge branch 'master' of https://github.com/paritytech/parity into wa…
7617ced 
…rp_sync_on_light_client

* 'master' of https://github.com/paritytech/parity:
  parity: omit redundant last imported block number in light sync informant (openethereum#8962)
  Disable hardware-wallets on platforms that don't support `libusb` (openethereum#8464)
  Bump error-chain and quick_error versions (openethereum#8972)
  EVM benchmark utilities (openethereum#8944)
  parity: hide legacy options from cli --help (openethereum#8967)
  scripts: fix docker build tag on latest using master (openethereum#8952)
  Add type for passwords. (openethereum#8920)
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@andresilva andresilva andresilva approved these changes

@niklasad1 niklasad1 niklasad1 approved these changes

@dvdplm dvdplm dvdplm approved these changes

Assignees
No one assigned
Labels
A8-looksgood 🦄 Pull request is reviewed well. M4-core ⛓ Core client code / Rust.
Projects
None yet
Milestone
2.0 Ethereum
Development

Successfully merging this pull request may close these issues.
6 participants
@twittner @parity-cla-bot @5chdn @niklasad1 @dvdplm @andresilva