RFC: Create SecretBuffer and use it to help keep LibGit2's secrets

[mbauman]

This PR is building upon @omus' #24738, transitioned to using an IO-like API instead of an AbstractString one. It definitely makes some things more awkward, but on the plus side, it also has made me vet and correct many places where we were still transitioning the secrets through Strings in LibGit2.

It has the major downside that the returned object from Base.prompt changes drastically depending upon the password keyword. Edit: Base.prompt and Base.getpass are now detangled.

I initially tried following the approach in #24738, wherein all the credential information (including usernames and key paths) is considered secret. This proved to be horribly cumbersome and a huge dungeon of kludges and work-arounds. This PR now only considers the passwords themselves to be secret — and that works quite well.

[omus]

Fantastic work! You found some good solutions to some issues I was struggling with. The IO based SecureBuffer design worked out really well. I'll do some further testing yet.

[omus]

Find replace issue?

[omus]

Personal preference but I prefer seekstart

[omus]

Why is this change now necessary?

[mbauman]

I'm not sure if it's still necessary, but it definitely was at one point and it seems like a good improvement. Before we were trusting that the string representation of a expression was round-trippable. This isn't just Exprs, it also includes embedded credential objects spliced directly into the AST. If their stringification isn't round-trippable, this fails.

[omus]

We should just remove these lines

[omus]

This test file is out of date now. I appear to have forgotten to add this into the test suite...

[mbauman]

Oh man, I totally missed this — thanks!

[omus]

Here's a modernized version of this test suite:

using Base: SecretBuffer, SecretBuffer!, shred!, isshredded
using Base.Test

@testset "SecretBuffer" begin
    @testset "original unmodified" begin
        str = "foobar"
        secret = SecretBuffer(str)

        @test read(secret, String) == str
        seekstart(secret)

        @test shred!(secret) === secret
        @test read(secret, String) != ""
        @test str != "foobar"
    end

    @testset "finalizer" begin
        v = UInt8[1, 2]
        secret_a = SecretBuffer!(v)
        secret_b = secret_a

        secret_a = nothing
        GC.gc()

        @test all(iszero, v)
        @test !isshredded(secret_b)
    end
end

[omus]

I'll try to look into this

[omus]

These tests can be re-enabled if you set the non-secret fields of UserPasswordCredential and SSHCredential to "" in their respective shred! methods.

[omus]

My personal preference is to use == and && over multiple lines

[omus]

Great use of !. Highly approve!

[omus]

I initially tried following the approach in #24738, wherein all the credential information (including usernames and key paths) is considered secret. This proved to be horribly cumbersome and a huge dungeon of kludges and work-arounds. This PR now only considers the passwords themselves to be secret — and that works quite well.

I totally agree. I have seen these dungeons you speak of and dare not speak of them myself.

[omus]

CI failing due to:

Some tests did not pass: 74 passed, 0 failed, 2 errored, 0 broken.OldPkg/pkg: Error During Test at /tmp/julia/share/julia/stdlib/v0.7/OldPkg/test/pkg.jl:303
  Test threw exception MethodError(Base.securezero!, (LibGit2.CachedCredentials(Dict{String,LibGit2.AbstractCredential}()),), 0x00006b7f)
  Expression: OldPkg.update()
  MethodError: no method matching securezero!(::LibGit2.CachedCredentials)
  Closest candidates are:
    securezero!(!Matched::Cstring) at util.jl:444
    securezero!(!Matched::AbstractArray{#s620,N} where N where #s620<:Number) at util.jl:443

[vtjnash]

"Avoid initializing with converting..." reads poorly. Perhaps first mention that they can be initialized, then add the note to avoid String second?

[mbauman]

Missed an "and" there — I was intending: "Avoid initializing with and converting to". Good point about swapping ordering here.

[vtjnash]

Use codepoints

[vtjnash]

should be called unsafe_SecretBuffer!, calling our normal naming convention, and should take a length argument (with a default value of calling :strlen)

[mbauman]

Ugh, that's ugly. But I see your point.

[omus]

Definitely ugly

[vtjnash]

p isn't defined. missing test coverage?

[vtjnash]

That's usually only applicable for conversion to ::Type{Cstring} (and also should check that there are no embedded \nul values)

[mbauman]

Ah, yes, that'd be much better — I'll change this to a conversion to Cstring and fixup the accompanying ccalls.

[vtjnash]

the check for nothing is unnecessary

[vtjnash]

Seems like this still should be copy(b.password)

[vtjnash]

Seems like this can be part of the copy! definition

[omus]

In this case yes but the copy! method could be used for duplication where you do not want to destroy the source.

[vtjnash]

Isn't cred the destination?

[omus]

Yes it is. I had some wires crossed. Your suggestion is good 👍

[vtjnash]

I had to go check myself too. That's perhaps a good point too though, that we should destroy the source argument? Maybe take!(dest, src) for that, or just do it manually.

[vtjnash]

keep String

[vtjnash]

keep as String

[vtjnash]

it would likely be cheaper and faster to call shred! unconditionally

[omus]

Agreed. Originally this code issued a warning to alert developers that they weren't explicitly calling shred!

[omus]

"secure data is no longer required"

[mbauman]

Not a typo

[omus]

len not defined

[omus]

We may also want to do this if key == "url" since that URL could contain a password

[mbauman]

We still parse that URL with a regex which stashes things into Strings. I decided to just consider URLs insecure, but perhaps we should re-write that, too.

[omus]

That approach makes sense. I think we should add a comment which calls the potential security issue and leave it at that. The "url" key doesn't seem commonly used so it isn't a big concern for me.

[mbauman]

Any ideas as to where this would most make sense to document? Another alternative would just be to completely not support passwords in URLs. We'd just throw an error if m[:password] exists. I kinda like that.

[omus]

I think it makes sense to open an issue about this and reference the issue below if key == "url". I believe we can address the issue later by rewriting the URL parsing and reading in the password with a SecretBuffer. We can try to tackle this now but I don't want to add extra work for you.

Raising an error will still result in the password information being stored in a string which is no better than what we currently have.

[mbauman]

Thanks for the very thorough reviews Jameson and Curtis!

[mbauman]

I somewhat cannot believe that this passes tests on Windows as I've done all the win-specific changes blindly. Is there reasonable test coverage that I can trust that? Or should I hunt down a windows VM to do some extra interactive testing myself?

[Keno]

I usually call things good enough if tests pass, but ping me on slack for access to a Windows test VM if you want.

[staticfloat]

You're a beast. Looks great to me.

[staticfloat]

I think it bears creating a docstring for the ::String constructor that mentions that the string will not be zeroed out.

[staticfloat]

The way this is phrased makes it sound like data and "the original source argument" are two different things? Perhaps rephrase to something like "Initialize a new SecretBuffer from data, securely zeroing it afterwards."

[staticfloat]

It seems like copy(nothing) should just return nothing. :P

[chethega]

I know that secretbuffer is meant for uninitialized memory disclosure scenarios and the following does not matter for use in libgit2. Nevertheless, I think it would be good practice to make comparison constant time for something called secretbuffer. Somebody will eventually misuse it to compare a secret to an attacker-supplied string and leak the secret via timing side-channel.

[chethega]

A simple sample implementation could be (no early return, no branching, no conditional moves, @noinline to prevent the compiler from being clever):

@noinline function _bufcmp(data1::Vector{UInt8}, data2::Vector{UInt8}, sz::Int)
    res = UInt8(0)
    for i = 1:sz
        res |= xor(data1[i], data2[i])
    end
    return res
end

==(s1::SecretBuffer, s2::SecretBuffer) = (s1.ptr == s2.ptr) && (s1.size == s2.size) && (UInt8(0) == _bufcmp(s1.data, s2.data, s1.size))

[mbauman]

That's a good point. These methods are also just strange in the first place. They break with the convention for other IO subtypes — those don't do equality by value. Plus I just now noticed there's a bug in the agreement between hash and ==.

I'd love to figure out how to remove them, but they are used both in LibGit2's source and its tests and I don't have a good replacement.

[Keno]

What's missing to merge this?

[stevengj]

It has the major downside that the returned object from Base.prompt changes drastically depending upon the password keyword.

Maybe promptpassword (getpass?) should just be a separate function?

[stevengj]

Shouldn't it log a warning or something if !isshredded(s)? Waiting until gc runs seems like a bad idea.

[iblislin]

FreeBSD CI got a segfault. seems related.
(starts from line 97: https://freebsdci.julialang.org/#/builders/1/builds/10478/steps/8/logs/stdio

[martinholters]

Ref. #27702 regarding likely cause of the segfault.

[mbauman]

Ok, once CI gives this the green-light I think it's good to go. I believe I've addressed all review comments now.

[stevengj]

winprompt seems misnamed now… should it be wingetpass?

[stevengj]

(also, the word "secure" appears in this sentence twice, which seems a bit redundant)

[mbauman]

It returns a username/password pair. It's more like wingetcredentials or some such. But these are all un-exported functions and can be changed down the line. I'm inclined to leave it be.

[stevengj]

Should prompt have a default value, e.g. "Password"?

[mbauman]

It can always be added later if someone else feels strongly about it.

[stevengj]

": " ?

[mbauman]

The extra space there doesn't matter all that much because (ideally) the typed input doesn't get echo'ed back. In any case, this was required to match Base.prompt's behavior, which doesn't use a space either.

[stevengj]

The system might still show a blinking cursor of some kind. On MacOS it displays a key cursor

I think that Base.prompt should also show a space, as it looks even uglier to omit the space when the input is not hidden.

[stevengj]

It would be nice to have something analogous to the Python Keyring library, but I guess that could be an external package.

[omus]

These CachedCredentials uses in Pkg3 should be shredded:

julia/stdlib/Pkg/src/Operations.jl

Line 433 in c1eb3e8

creds = LibGit2.CachedCredentials()

julia/stdlib/Pkg/src/Types.jl

Line 420 in c1eb3e8

creds = LibGit2.CachedCredentials()

julia/stdlib/Pkg/src/Types.jl

Line 488 in c1eb3e8

creds = LibGit2.CachedCredentials()

julia/stdlib/Pkg/src/Types.jl

Line 793 in c1eb3e8

creds = LibGit2.CachedCredentials()

[mbauman]

Oh interesting; perhaps I should add a warning if those credential wrapper objects are shredded by the finalizer, too? That's why SecretString isn't warning here — the secrets they hold get explicitly shredded by a different finalizer, so when their finalizer runs all looks well.

Edit: no, that's wrong — none of the LibGit2 credential objects have finalizers. Perhaps our test suite just doesn't exercise those methods with repos that require passwords?

[stevengj]

Honestly, it seems a bit weird to me that we add a colon at all. Can't we let the caller decide this? For example, what if they want to display a prompt "True (y/n)? " or "Enter password here => "?

[mbauman]

It all stems from the behavior of Base.prompt, where you can also specify a default, which will appear as message [default]:.

[omus]

I would guess that the Pkg tests do not target repos requiring passwords. In that case the CachedCredentials instance will contain no secrets and no finalizer warning would appear. If a credential was used it would be cached and then secret's finalizer would warn us about the unshredded secret.

[mbauman]

There we go, finally some green checks are starting to roll in from CI. I propose we merge this as it stands so Keno can finally tag a beta. Base.prompt, Base.getpass, and Base.winprompt are all documented-but-unexported APIs, and we can bikeshed them to our hearts delight in a different PR. The main point here is to get secure handling correct and avoid the segfaults that have plagued the buildbots.

[ararslan]

This appears to have caused an issue with using credential helpers. I think @omus is investigating.

[ararslan]

This needs a space between ! and warning for it to be recognized correctly. Currently it shows up literally as !!!warning in the docstring rather than being rendered nicely.