Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. Weโ€™ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[PM-5693] CryptoService using memfd_secret on Linux #979

Closed
wants to merge 41 commits into from
+1,896 โˆ’0
Closed

[PM-5693] CryptoService using memfd_secret on Linux #979

Show file tree
Hide file tree
Changes from 36 commits
Commits
Show all changes
41 commits
Select commit Hold shift + click to select a range
d7c7c3e
Initial CryptoService impl
dani-garcia Jul 26, 2024
6068e84
More work
dani-garcia Aug 23, 2024
50dc1b4
Refactor keystore to also handle resizes
dani-garcia Aug 23, 2024
216eb25
Merge branch 'main' into ps/secure-crypto-service
dani-garcia Aug 23, 2024
4b846ed
Fix
dani-garcia Aug 23, 2024
7a01168
Paralelization plus alternative to locatekey
dani-garcia Aug 23, 2024
c649bf0
WASM support
dani-garcia Aug 23, 2024
b901ef7
Merge branch 'main' into ps/secure-crypto-service
dani-garcia Sep 20, 2024
e2129ad
Remove unnecessary trait
dani-garcia Sep 23, 2024
f708fcc
Inline cryptoengine
dani-garcia Sep 23, 2024
30854f7
Impl KeyStore in Slice struct directly
dani-garcia Sep 23, 2024
bed894a
Reset the values to None after munlock has zeroized them
dani-garcia Sep 23, 2024
709dfce
Merge branch 'main' into ps/secure-crypto-service
dani-garcia Sep 23, 2024
f7eda88
Fmt
dani-garcia Sep 23, 2024
ce2343e
Add benchmark
dani-garcia Sep 24, 2024
bcd712f
Respect no-memory-hardening flag
dani-garcia Sep 24, 2024
38343d2
Fix cfg flags, silence warnings
dani-garcia Sep 24, 2024
f34ce02
Export memfd correctly
dani-garcia Sep 24, 2024
cc27320
Fix memtest
dani-garcia Sep 24, 2024
281619d
Merge branch 'main' into ps/secure-crypto-service
dani-garcia Sep 24, 2024
32d298f
Try fat LTO to fix windows
dani-garcia Sep 24, 2024
c43aa08
Disable memsec on windows to fix it
dani-garcia Sep 24, 2024
dd37d1d
Incorrect optional dep
dani-garcia Sep 24, 2024
45f3d32
Try updating windows in memsec
dani-garcia Sep 24, 2024
1f70169
Remove unnecessary bound
dani-garcia Sep 25, 2024
22a8b17
Move store impl around a bit
dani-garcia Sep 25, 2024
c63f656
Make KeyStore pub
dani-garcia Sep 25, 2024
db3f8d4
Merge branch 'main' into ps/secure-crypto-service-impl
dani-garcia Oct 2, 2024
eb81684
Some renames/simplifications
dani-garcia Oct 2, 2024
d279626
Add some missing implementations
dani-garcia Oct 2, 2024
d5f1ede
Rename
dani-garcia Oct 3, 2024
8652d79
Introduce mutable context
dani-garcia Oct 3, 2024
fdb0263
Refactor keyref/encryptable locations
dani-garcia Oct 4, 2024
6ea6267
Some additions needed to migrate the code
dani-garcia Oct 7, 2024
32088c7
Merge branch 'main' into ps/secure-crypto-service
dani-garcia Oct 7, 2024
f882fb2
Remove bench
dani-garcia Oct 7, 2024
bec4786
Remove using
dani-garcia Oct 7, 2024
c2ffea6
Fix TODO
dani-garcia Oct 8, 2024
c0d2b63
Comment
dani-garcia Oct 8, 2024
cacf4db
Merge branch 'main' into ps/secure-crypto-service
dani-garcia Oct 8, 2024
f4ca816
Fmt
dani-garcia Oct 8, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions Cargo.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

5 changes: 5 additions & 0 deletions crates/bitwarden-crypto/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,11 @@ uniffi = { workspace = true, optional = true }
uuid = { workspace = true }
zeroize = { version = ">=1.7.0, <2.0", features = ["derive", "aarch64"] }

[target.'cfg(not(target_arch = "wasm32"))'.dependencies]
memsec = { version = "0.7.0", features = [
"alloc_ext",
], git = "https://github.com/dani-garcia/memsec", rev = "3d2e272d284442637bac0a7d94f76883960db7e2" }
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

memsec is using windows-sys 0.45, which was causing build errors similar to the ones fixed by #1053.

Using the latest windows-sys 0.59 seems to solve the problem for me. TODO: Open a PR upstream?


[dev-dependencies]
criterion = "0.5.1"
rand_chacha = "0.3.1"
Expand Down
2 changes: 2 additions & 0 deletions crates/bitwarden-crypto/src/error.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,8 @@ pub enum CryptoError {
MissingKey(Uuid),
#[error("The item was missing a required field: {0}")]
MissingField(&'static str),
#[error("Missing Key for Ref. {0}")]
MissingKey2(String),
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can't change the MissingKey variant without breaking the code, so for now I'll do this and rename it on the second PR.


#[error("Insufficient KDF parameters")]
InsufficientKdfParameters,
Expand Down
289 changes: 289 additions & 0 deletions crates/bitwarden-crypto/src/keys/encryptable.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,289 @@
use super::key_ref::{AsymmetricKeyRef, KeyRef, SymmetricKeyRef};
use crate::{service::CryptoServiceContext, AsymmetricEncString, CryptoError, EncString};

// Just like LocateKey but this time we're not locating anything, just returning a ref

pub trait UsesKey<Key: KeyRef> {
fn uses_key(&self) -> Key;
}

// This extension trait allows any type to be wrapped with `UsingKey`
// to make it easy to encrypt/decrypt it with the desired key,
// this way we don't need to have a separate `encrypt_with_key` function
pub trait UsingKeyExt<Key: KeyRef>: Sized {
fn using_key(self, key: Key) -> UsingKey<Key, Self> {
UsingKey { key, value: self }
}

Check warning on line 16 in crates/bitwarden-crypto/src/keys/encryptable.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-crypto/src/keys/encryptable.rs#L14-L16 

Added lines #L14 - L16 were not covered by tests
}
impl<Key: KeyRef, T> UsingKeyExt<Key> for T {}
pub struct UsingKey<Key: KeyRef, T: ?Sized> {
key: Key,
value: T,
}
impl<Key: KeyRef, T> UsesKey<Key> for UsingKey<Key, T> {
fn uses_key(&self) -> Key {
self.key
}

Check warning on line 26 in crates/bitwarden-crypto/src/keys/encryptable.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-crypto/src/keys/encryptable.rs#L24-L26 

Added lines #L24 - L26 were not covered by tests
}
impl<
SymmKeyRef: SymmetricKeyRef,
AsymmKeyRef: AsymmetricKeyRef,
Key: KeyRef,
T: Encryptable<SymmKeyRef, AsymmKeyRef, Key, Output>,
Output,
> Encryptable<SymmKeyRef, AsymmKeyRef, Key, Output> for UsingKey<Key, T>
{
fn encrypt(
&self,
ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
_key: Key,
) -> Result<Output, crate::CryptoError> {
self.value.encrypt(ctx, self.key)
}

Check warning on line 42 in crates/bitwarden-crypto/src/keys/encryptable.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-crypto/src/keys/encryptable.rs#L36-L42 

Added lines #L36 - L42 were not covered by tests
}
impl<
SymmKeyRef: SymmetricKeyRef,
AsymmKeyRef: AsymmetricKeyRef,
Key: KeyRef,
T: Decryptable<SymmKeyRef, AsymmKeyRef, Key, Output>,
Output,
> Decryptable<SymmKeyRef, AsymmKeyRef, Key, Output> for UsingKey<Key, T>
{
fn decrypt(
&self,
ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
_key: Key,
) -> Result<Output, crate::CryptoError> {
self.value.decrypt(ctx, self.key)
}

Check warning on line 58 in crates/bitwarden-crypto/src/keys/encryptable.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-crypto/src/keys/encryptable.rs#L52-L58 

Added lines #L52 - L58 were not covered by tests
}

pub trait Encryptable<
SymmKeyRef: SymmetricKeyRef,
AsymmKeyRef: AsymmetricKeyRef,
Key: KeyRef,
Output,
>
{
fn encrypt(
&self,
ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
key: Key,
) -> Result<Output, crate::CryptoError>;
}

pub trait Decryptable<
SymmKeyRef: SymmetricKeyRef,
AsymmKeyRef: AsymmetricKeyRef,
Key: KeyRef,
Output,
>
{
fn decrypt(
&self,
ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
key: Key,
) -> Result<Output, crate::CryptoError>;
}

// Basic Encryptable/Decryptable implementations to and from bytes

impl<SymmKeyRef: SymmetricKeyRef, AsymmKeyRef: AsymmetricKeyRef>
Decryptable<SymmKeyRef, AsymmKeyRef, SymmKeyRef, Vec<u8>> for EncString
{
fn decrypt(
&self,
ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
key: SymmKeyRef,
) -> Result<Vec<u8>, crate::CryptoError> {
ctx.decrypt_data_with_symmetric_key(key, self)
}

Check warning on line 100 in crates/bitwarden-crypto/src/keys/encryptable.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-crypto/src/keys/encryptable.rs#L94-L100 

Added lines #L94 - L100 were not covered by tests
}

impl<SymmKeyRef: SymmetricKeyRef, AsymmKeyRef: AsymmetricKeyRef>
Decryptable<SymmKeyRef, AsymmKeyRef, AsymmKeyRef, Vec<u8>> for AsymmetricEncString
{
fn decrypt(
&self,
ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
key: AsymmKeyRef,
) -> Result<Vec<u8>, crate::CryptoError> {
ctx.decrypt_data_with_asymmetric_key(key, self)
}

Check warning on line 112 in crates/bitwarden-crypto/src/keys/encryptable.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-crypto/src/keys/encryptable.rs#L106-L112 

Added lines #L106 - L112 were not covered by tests
}

impl<SymmKeyRef: SymmetricKeyRef, AsymmKeyRef: AsymmetricKeyRef>
Encryptable<SymmKeyRef, AsymmKeyRef, SymmKeyRef, EncString> for &[u8]
{
fn encrypt(
&self,
ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
key: SymmKeyRef,
) -> Result<EncString, crate::CryptoError> {
ctx.encrypt_data_with_symmetric_key(key, self)
}

Check warning on line 124 in crates/bitwarden-crypto/src/keys/encryptable.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-crypto/src/keys/encryptable.rs#L118-L124 

Added lines #L118 - L124 were not covered by tests
}

impl<SymmKeyRef: SymmetricKeyRef, AsymmKeyRef: AsymmetricKeyRef>
Encryptable<SymmKeyRef, AsymmKeyRef, AsymmKeyRef, AsymmetricEncString> for &[u8]
{
fn encrypt(
&self,
ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
key: AsymmKeyRef,
) -> Result<AsymmetricEncString, crate::CryptoError> {
ctx.encrypt_data_with_asymmetric_key(key, self)
}

Check warning on line 136 in crates/bitwarden-crypto/src/keys/encryptable.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-crypto/src/keys/encryptable.rs#L130-L136 

Added lines #L130 - L136 were not covered by tests
}

// Encryptable/Decryptable implementations to and from strings

impl<SymmKeyRef: SymmetricKeyRef, AsymmKeyRef: AsymmetricKeyRef>
Decryptable<SymmKeyRef, AsymmKeyRef, SymmKeyRef, String> for EncString
{
fn decrypt(
&self,
ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
key: SymmKeyRef,
) -> Result<String, crate::CryptoError> {
let bytes: Vec<u8> = self.decrypt(ctx, key)?;
String::from_utf8(bytes).map_err(|_| CryptoError::InvalidUtf8String)
}

Check warning on line 151 in crates/bitwarden-crypto/src/keys/encryptable.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-crypto/src/keys/encryptable.rs#L144-L151 

Added lines #L144 - L151 were not covered by tests
}

impl<SymmKeyRef: SymmetricKeyRef, AsymmKeyRef: AsymmetricKeyRef>
Decryptable<SymmKeyRef, AsymmKeyRef, AsymmKeyRef, String> for AsymmetricEncString
{
fn decrypt(
&self,
ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
key: AsymmKeyRef,
) -> Result<String, crate::CryptoError> {
let bytes: Vec<u8> = self.decrypt(ctx, key)?;
String::from_utf8(bytes).map_err(|_| CryptoError::InvalidUtf8String)
}

Check warning on line 164 in crates/bitwarden-crypto/src/keys/encryptable.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-crypto/src/keys/encryptable.rs#L157-L164 

Added lines #L157 - L164 were not covered by tests
}

impl<SymmKeyRef: SymmetricKeyRef, AsymmKeyRef: AsymmetricKeyRef>
Encryptable<SymmKeyRef, AsymmKeyRef, SymmKeyRef, EncString> for &str
{
fn encrypt(
&self,
ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
key: SymmKeyRef,
) -> Result<EncString, crate::CryptoError> {
self.as_bytes().encrypt(ctx, key)
}

Check warning on line 176 in crates/bitwarden-crypto/src/keys/encryptable.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-crypto/src/keys/encryptable.rs#L170-L176 

Added lines #L170 - L176 were not covered by tests
}

impl<SymmKeyRef: SymmetricKeyRef, AsymmKeyRef: AsymmetricKeyRef>
Encryptable<SymmKeyRef, AsymmKeyRef, AsymmKeyRef, AsymmetricEncString> for &str
{
fn encrypt(
&self,
ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
key: AsymmKeyRef,
) -> Result<AsymmetricEncString, crate::CryptoError> {
self.as_bytes().encrypt(ctx, key)
}

Check warning on line 188 in crates/bitwarden-crypto/src/keys/encryptable.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-crypto/src/keys/encryptable.rs#L182-L188 

Added lines #L182 - L188 were not covered by tests
}

impl<SymmKeyRef: SymmetricKeyRef, AsymmKeyRef: AsymmetricKeyRef>
Encryptable<SymmKeyRef, AsymmKeyRef, SymmKeyRef, EncString> for String
{
fn encrypt(
&self,
ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
key: SymmKeyRef,
) -> Result<EncString, crate::CryptoError> {
self.as_bytes().encrypt(ctx, key)
}

Check warning on line 200 in crates/bitwarden-crypto/src/keys/encryptable.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-crypto/src/keys/encryptable.rs#L194-L200 

Added lines #L194 - L200 were not covered by tests
}

impl<SymmKeyRef: SymmetricKeyRef, AsymmKeyRef: AsymmetricKeyRef>
Encryptable<SymmKeyRef, AsymmKeyRef, AsymmKeyRef, AsymmetricEncString> for String
{
fn encrypt(
&self,
ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
key: AsymmKeyRef,
) -> Result<AsymmetricEncString, crate::CryptoError> {
self.as_bytes().encrypt(ctx, key)
}

Check warning on line 212 in crates/bitwarden-crypto/src/keys/encryptable.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-crypto/src/keys/encryptable.rs#L206-L212 

Added lines #L206 - L212 were not covered by tests
}

// Generic implementations for Optional values

impl<
SymmKeyRef: SymmetricKeyRef,
AsymmKeyRef: AsymmetricKeyRef,
Key: KeyRef,
T: Encryptable<SymmKeyRef, AsymmKeyRef, Key, Output>,
Output,
> Encryptable<SymmKeyRef, AsymmKeyRef, Key, Option<Output>> for Option<T>
{
fn encrypt(
&self,
ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
key: Key,
) -> Result<Option<Output>, crate::CryptoError> {
self.as_ref()
.map(|value| value.encrypt(ctx, key))
.transpose()
}

Check warning on line 233 in crates/bitwarden-crypto/src/keys/encryptable.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-crypto/src/keys/encryptable.rs#L225-L233 

Added lines #L225 - L233 were not covered by tests
}

impl<
SymmKeyRef: SymmetricKeyRef,
AsymmKeyRef: AsymmetricKeyRef,
Key: KeyRef,
T: Decryptable<SymmKeyRef, AsymmKeyRef, Key, Output>,
Output,
> Decryptable<SymmKeyRef, AsymmKeyRef, Key, Option<Output>> for Option<T>
{
fn decrypt(
&self,
ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
key: Key,
) -> Result<Option<Output>, crate::CryptoError> {
self.as_ref()
.map(|value| value.decrypt(ctx, key))
.transpose()
}

Check warning on line 252 in crates/bitwarden-crypto/src/keys/encryptable.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-crypto/src/keys/encryptable.rs#L244-L252 

Added lines #L244 - L252 were not covered by tests
}

// Generic implementations for Vec values

impl<
SymmKeyRef: SymmetricKeyRef,
AsymmKeyRef: AsymmetricKeyRef,
Key: KeyRef,
T: Encryptable<SymmKeyRef, AsymmKeyRef, Key, Output>,
Output,
> Encryptable<SymmKeyRef, AsymmKeyRef, Key, Vec<Output>> for Vec<T>
{
fn encrypt(
&self,
ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
key: Key,
) -> Result<Vec<Output>, crate::CryptoError> {
self.iter().map(|value| value.encrypt(ctx, key)).collect()
}

Check warning on line 271 in crates/bitwarden-crypto/src/keys/encryptable.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-crypto/src/keys/encryptable.rs#L265-L271 

Added lines #L265 - L271 were not covered by tests
}

impl<
SymmKeyRef: SymmetricKeyRef,
AsymmKeyRef: AsymmetricKeyRef,
Key: KeyRef,
T: Decryptable<SymmKeyRef, AsymmKeyRef, Key, Output>,
Output,
> Decryptable<SymmKeyRef, AsymmKeyRef, Key, Vec<Output>> for Vec<T>
{
fn decrypt(
&self,
ctx: &mut CryptoServiceContext<SymmKeyRef, AsymmKeyRef>,
key: Key,
) -> Result<Vec<Output>, crate::CryptoError> {
self.iter().map(|value| value.decrypt(ctx, key)).collect()
}

Check warning on line 288 in crates/bitwarden-crypto/src/keys/encryptable.rs

View check run for this annotation

Codecov / codecov/patch

crates/bitwarden-crypto/src/keys/encryptable.rs#L282-L288 

Added lines #L282 - L288 were not covered by tests
}
Loading
Loading