Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Shred CredentialPayload upon approval/rejection #24884

Merged
merged 6 commits into from
Dec 5, 2017
Merged

Shred CredentialPayload upon approval/rejection #24884

merged 6 commits into from
Dec 5, 2017

Conversation

omus
Copy link
Member

@omus omus commented Dec 2, 2017

As I mentioned in #24731 there were some security issues with CredentialPayload where credentials were not being zeroed after they were done being used.

The changes in this PR ensure that credential information is wiped out during normal use and fixes some minor issues where credentials were being wiped too early when they were rejected. Note that I am specifically not wiping the explicit and cache fields from CredentialPayload as this is credential information being provided from the caller and should be wiped by the caller.

Additionally, I addressed some minor details including:

  • Properly showing process output within challenge_prompt (assists in debugging)
  • Displaying a message about the expected warning during LibGit2 tests
  • Code indentation

omus added 6 commits December 2, 2017 08:46
@omus
Code formatting fixes
fbbddd3
@omus
Display message about expected warning
ab301ef
@omus
challenge_prompt shows process output on ProcessError
2aff7f4
@omus
Zero LibGit2 credential payload in approve/reject
de6bdba 
Previously running securezero! on credentials in the
reject(::CredentialCache, ...) results in the credentials being wiped
before reject(::GitConfig, ...) was run.
@omus
Always return payload from credential_loop
8678491
@omus
Add additional shred tests
2a671be 
Note I switched the credential_loop to have a shred keyword as it seems
best to default have the function use the same default as the standard
LibGit2 credential loop.
@omus omus added libgit2 The libgit2 library or the LibGit2 stdlib module security System security concerns and vulnerabilities labels Dec 2, 2017
@omus
Copy link
Member Author

omus commented Dec 2, 2017

cc: @stevengj

@StefanKarpinski
Copy link
Member

StefanKarpinski commented Dec 5, 2017
edited
Loading

Given approval from @stevengj, please merge as appropriate!

@omus omus merged commit d78bed1 into master Dec 5, 2017
@omus omus deleted the cv/libgit2-payload-zero branch December 5, 2017 21:23
evetion pushed a commit to evetion/julia that referenced this pull request Dec 12, 2017
@omus @evetion
Shred CredentialPayload upon approval/rejection (JuliaLang#24884)
7962cdb 
* Zero LibGit2 credential payload in approve/reject

Previously running securezero! on credentials in the
reject(::CredentialCache, ...) results in the credentials being wiped
before reject(::GitConfig, ...) was run.

* Always return payload from credential_loop

* Add additional shred tests

Note I switched the credential_loop to have a shred keyword as it seems
best to default have the function use the same default as the standard
LibGit2 credential loop.

* challenge_prompt shows process output on ProcessError

* Display message about expected warning

* Code formatting fixes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stevengj stevengj stevengj approved these changes

Assignees
No one assigned
Labels
libgit2 The libgit2 library or the LibGit2 stdlib module security System security concerns and vulnerabilities
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@omus @StefanKarpinski @stevengj