coldstar-signer 0.2.0

Secure signing core — AES-256-GCM, Argon2id, Ed25519, secp256k1, ZK proofs, mlock'd memory
//! Secure memory buffer implementation
//!
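//! This module provides a memory-locked buffer that:
//! - Locks memory to prevent swapping (mlock/VirtualLock); in
//!   `LockingMode::Permissive` a failed lock only prints a warning, so check
//!   `is_locked()` before relying on this property
//! - Automatically zeroizes on drop
//! - Handles panic-safe cleanup (`Drop` runs during unwinding; it does not run
//!   when the process aborts)
//! - Has no `Clone`/`Copy` impl, so no implicit copies of sensitive data are made
//!   (callers can still copy bytes out explicitly through the slice accessors)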
//!
//! Merged from devsyrem's complete implementation (LockingMode, Windows
//! support, SecureGuard, Deref/DerefMut, resize) with coldstar-rs backward-
//! compatible API (as_bytes, as_mut_bytes, from_bytes).

use std::ops::{Deref, DerefMut};
use std::ptr;
use zeroize::Zeroize;

use crate::error::SignerError;

/// A secure buffer that locks its memory and zeroizes on drop
///
/// # Memory Lifecycle
///
/// 1. Allocation: Buffer is allocated with specified capacity
/// 2. Locking: Memory is locked via mlock() (VirtualLock on Windows) to
///    prevent swapping
/// 3. Usage: Data can be written/read within the locked region
/// 4. Cleanup: On drop (normal or panic), memory is:
///    - Zeroized (overwritten with zeros)
///    - Unlocked (munlock)
///    - Deallocated
///
/// # Security Properties
///
/// - Memory is kept out of swap only while `is_locked` is true. Constructors
///   that run in `LockingMode::Permissive` still return a buffer when the lock
///   call fails, so code handling real keys should check `is_locked()` or use
///   `with_mode(.., LockingMode::Strict)`
/// - Contents are zeroized even on panic (via Drop)
/// - No `Clone`/`Copy` impl in this module, so no implicit copies are made;
///   the `Deref<Target = [u8]>` impl still lets callers copy bytes explicitly
/// - Debug output does not reveal contents
///
/// NOTE(review): the backing store is an ordinary `Vec<u8>`, and `mlock` /
/// `VirtualLock` work on whole pages. Two buffers that share a page therefore
/// share one lock; a page-aligned allocation would be needed to rule that out.
pub struct SecureBuffer {
    /// The underlying data buffer
    data: Vec<u8>,
    /// Whether the lock call succeeded for the current allocation
    is_locked: bool,
}

/// Configuration for memory locking behavior
///
/// The mode only decides what happens when the platform lock call fails; it
/// does not change how the buffer is allocated or wiped.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum LockingMode {
    /// Require memory locking - fail if mlock is not available
    /// (fail-closed: the constructor returns `SignerError::MemoryLockFailed`)
    Strict,
    /// Allow fallback if mlock fails (less secure, logs warning)
    ///
    /// This is the mode `SecureBuffer::new` and `SecureBuffer::from_slice`
    /// pass to `with_mode`, so their result may be unlocked.
    Permissive,
}

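impl SecureBuffer {
    /// Create a new zero-filled secure buffer.
    ///
    /// NOTE(review): this constructor passes [`LockingMode::Permissive`], so a
    /// failed `mlock`/`VirtualLock` only prints a warning and an *unlocked*
    /// buffer is returned. Code that holds real key material should either
    /// call [`SecureBuffer::with_mode`] with [`LockingMode::Strict`] or check
    /// [`SecureBuffer::is_locked`] on the result. Confirm with the maintainers
    /// whether the permissive default is intentional (backward compatibility)
    /// before switching it to strict.
    ///
    /// # Arguments
    /// * `capacity` - The size in bytes to allocate
    ///
    /// # Returns
    /// * `Ok(SecureBuffer)` - A buffer that is locked if the platform allowed it
    /// * `Err(SignerError)` - Propagated from `with_mode`; the permissive path
    ///   shown here has no failing branch
    pub fn new(capacity: usize) -> Result<Self, SignerError> {
        Self::with_mode(capacity, LockingMode::Permissive)
    }

    /// Create a new secure buffer with configurable locking mode.
    ///
    /// The buffer is zero-filled on allocation and the lock is attempted
    /// immediately, before any caller data can be written into it.
    ///
    /// # Arguments
    /// * `capacity` - The size in bytes to allocate
    /// * `mode` - Whether to require strict memory locking
    ///
    /// # Returns
    /// * `Ok(SecureBuffer)` - A buffer (locked if possible)
    /// * `Err(SignerError::MemoryLockFailed)` - If strict mode and locking fails
    pub fn with_mode(capacity: usize, mode: LockingMode) -> Result<Self, SignerError> {
        let data = vec![0u8; capacity];

        // Lock the memory to prevent swapping
        let locked = lock_memory(&data);

        // Fail closed in strict mode: no buffer is handed out unless it is locked.
        if mode == LockingMode::Strict && !locked {
            return Err(SignerError::MemoryLockFailed(
                "mlock failed - memory may be swapped to disk. \
                 Check ulimit -l or run with CAP_IPC_LOCK capability."
                    .to_string(),
            ));
        }

        // Permissive mode continues, but the downgrade is reported on stderr.
        if !locked {
            eprintln!(
                "Warning: Memory locking failed. Private keys may be swapped to disk. \
                 Consider running with elevated privileges or increasing ulimit -l."
            );
        }

        Ok(Self {
            data,
            is_locked: locked,
        })
    }

    /// Create a new secure buffer with permissive mode (for testing/development).
    ///
    /// This allows the buffer to work even if mlock fails, but logs a warning.
    /// NOT recommended for production use with real private keys.
    pub fn new_permissive(capacity: usize) -> Result<Self, SignerError> {
        Self::with_mode(capacity, LockingMode::Permissive)
    }

    /// Create a secure buffer from existing data.
    ///
    /// NOTE(review): like [`SecureBuffer::new`], this passes
    /// [`LockingMode::Permissive`]; the copy may end up in unlocked memory if
    /// the lock call fails. Use [`SecureBuffer::from_slice_with_mode`] with
    /// [`LockingMode::Strict`] when that is not acceptable.
    ///
    /// The source data is copied into the buffer and the original
    /// is NOT zeroized (caller's responsibility).
    ///
    /// # Memory Lifecycle Note
    /// The caller should zeroize any source data after calling this.
    pub fn from_slice(source: &[u8]) -> Result<Self, SignerError> {
        Self::from_slice_with_mode(source, LockingMode::Permissive)
    }

    /// Create a secure buffer from existing data with configurable locking.
    ///
    /// The buffer is allocated and locked first; `source` is copied in only
    /// after `with_mode` has succeeded, so in strict mode the bytes are never
    /// written into an unlocked allocation.
    pub fn from_slice_with_mode(source: &[u8], mode: LockingMode) -> Result<Self, SignerError> {
        let mut buffer = Self::with_mode(source.len(), mode)?;
        buffer.data.copy_from_slice(source);
        Ok(buffer)
    }

    /// Create a secure buffer from existing data with permissive locking.
    pub fn from_slice_permissive(source: &[u8]) -> Result<Self, SignerError> {
        Self::from_slice_with_mode(source, LockingMode::Permissive)
    }

    /// Backward-compatible alias: create from bytes (coldstar-rs API).
    ///
    /// Delegates to [`SecureBuffer::from_slice`] and shares its locking mode.
    pub fn from_bytes(bytes: &[u8]) -> Result<Self, SignerError> {
        Self::from_slice(bytes)
    }

    /// Get the length of the buffer
    pub fn len(&self) -> usize {
        self.data.len()
    }

    /// Check if the buffer is empty
    pub fn is_empty(&self) -> bool {
        self.data.is_empty()
    }

    /// Check if memory is locked
    ///
    /// Reports the result of the lock call made when the current allocation
    /// was created; it is the only way to detect a permissive fallback.
    pub fn is_locked(&self) -> bool {
        self.is_locked
    }

    /// Get a reference to the underlying data (devsyrem API)
    ///
    /// # Security Note
    /// Do not store or copy the referenced data: any copy lives outside this
    /// buffer and is neither locked nor wiped on drop.
    pub fn as_slice(&self) -> &[u8] {
        &self.data
    }

    /// Get a mutable reference to the underlying data (devsyrem API)
    ///
    /// # Security Note
    /// Modifications should be done carefully. After use,
    /// call zeroize() explicitly if needed before the natural drop.
    pub fn as_mut_slice(&mut self) -> &mut [u8] {
        &mut self.data
    }

    /// Backward-compatible alias (coldstar-rs API)
    pub fn as_bytes(&self) -> &[u8] {
        &self.data
    }

    /// Backward-compatible alias (coldstar-rs API)
    pub fn as_mut_bytes(&mut self) -> &mut [u8] {
        &mut self.data
    }

    /// Explicitly zeroize the buffer contents
    ///
    /// Every byte is overwritten with zero and the length is kept, so the
    /// buffer can be reused. The wipe goes through the slice impl of
    /// `Zeroize`: `Vec::zeroize` would also clear the Vec, which silently
    /// changes `len()` and leaves later unlock calls with an empty range.
    pub fn zeroize(&mut self) {
        self.data.as_mut_slice().zeroize();
    }

    /// Resize the buffer (maintains strict locking requirement)
    ///
    /// Note: This may cause reallocation. The old memory is zeroized
    /// before being freed. If memory locking fails on the new buffer,
    /// an error is returned and the original buffer is preserved.
    ///
    /// Unlike the constructors above, this always uses
    /// [`LockingMode::Strict`]; growing a buffer that was created unlocked in
    /// permissive mode fails if locking is still unavailable.
    pub fn resize(&mut self, new_len: usize) -> Result<(), SignerError> {
        self.resize_with_mode(new_len, LockingMode::Strict)
    }

    /// Resize the buffer with configurable locking mode
    ///
    /// Growing allocates and locks a fresh zero-filled buffer, copies the
    /// current contents into it, then wipes and unlocks the old allocation.
    /// Shrinking wipes the discarded tail and truncates in place.
    ///
    /// # Errors
    /// Returns `SignerError::MemoryLockFailed` when growing in strict mode and
    /// the new allocation cannot be locked; `self` is left untouched.
    pub fn resize_with_mode(
        &mut self,
        new_len: usize,
        mode: LockingMode,
    ) -> Result<(), SignerError> {
        let old_len = self.data.len();

        if new_len > old_len {
            // Allocate and lock the destination before any secret byte moves.
            let mut new_data = vec![0u8; new_len];
            let new_locked = lock_memory(&new_data);

            if mode == LockingMode::Strict && !new_locked {
                // Don't proceed - original buffer is preserved
                return Err(SignerError::MemoryLockFailed(
                    "mlock failed on resized buffer".to_string(),
                ));
            }

            if !new_locked {
                // Same visibility as `with_mode`: a permissive downgrade from a
                // locked to an unlocked buffer should not happen silently.
                eprintln!(
                    "Warning: Memory locking failed on resized buffer. \
                     Private keys may be swapped to disk."
                );
            }

            new_data[..old_len].copy_from_slice(&self.data);

            // Wipe the old bytes while their pages are still locked, and only
            // then release the lock. The slice wipe keeps the length, so the
            // unlock call covers the same range that was locked.
            self.data.as_mut_slice().zeroize();
            if self.is_locked {
                unlock_memory(&self.data);
            }

            self.is_locked = new_locked;
            self.data = new_data;
        } else {
            // Shrinking: wipe the discarded tail with volatile writes, then
            // truncate. The allocation (and its lock) stays as it was.
            self.data[new_len..].zeroize();
            self.data.truncate(new_len);
        }

        Ok(())
    }
}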

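impl Drop for SecureBuffer {
    /// Wipe the contents, release the memory lock, and let `Vec` free the
    /// allocation. Runs on normal scope exit and during panic unwinding.
    fn drop(&mut self) {
        // CRITICAL: wipe the live bytes in place while the pages are still
        // locked. The slice impl of `Zeroize` keeps the Vec's length;
        // `Vec::zeroize` would clear it.
        self.data.as_mut_slice().zeroize();

        // Unlock while the slice still has its full length. `unlock_memory`
        // returns early on an empty slice, so unlocking after `Vec::zeroize`
        // would skip munlock/VirtualUnlock and leave the pages counted against
        // the process lock limit.
        if self.is_locked {
            unlock_memory(&self.data);
            self.is_locked = false;
        }

        // Second pass also covers spare capacity left by an earlier shrink.
        self.data.zeroize();

        // Memory will be freed by Vec's Drop
    }
}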

/// Lets a `SecureBuffer` be read wherever a byte slice is expected.
///
/// The slice borrows the buffer's own storage; nothing is copied here.
impl Deref for SecureBuffer {
    type Target = [u8];

    fn deref(&self) -> &[u8] {
        self.data.as_slice()
    }
}

/// Lets a `SecureBuffer` be written through as a mutable byte slice.
///
/// Only the contents can change this way; the length stays fixed.
impl DerefMut for SecureBuffer {
    fn deref_mut(&mut self) -> &mut [u8] {
        self.data.as_mut_slice()
    }
}

// Hand-written Debug so that `{:?}` never prints the buffer's bytes: only the
// length and lock state are shown, with a fixed placeholder for the data.
impl std::fmt::Debug for SecureBuffer {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        let byte_count = self.data.len();

        let mut out = f.debug_struct("SecureBuffer");
        out.field("len", &byte_count);
        out.field("is_locked", &self.is_locked);
        out.field("data", &"[REDACTED]");
        out.finish()
    }
}

/// Lock memory to prevent swapping (Unix: `mlock`).
///
/// Returns `true` when the slice is empty or when `mlock` reports success,
/// `false` otherwise. The error code is not inspected here.
#[cfg(unix)]
fn lock_memory(data: &[u8]) -> bool {
    // Nothing to pin for an empty slice; report success without a syscall.
    if data.is_empty() {
        return true;
    }

    let addr = data.as_ptr().cast::<std::ffi::c_void>();
    let byte_count = data.len();

    // SAFETY: `addr`/`byte_count` describe the slice borrowed for this call.
    // mlock() locks the memory region containing the specified address range.
    let rc = unsafe { libc::mlock(addr, byte_count) };
    rc == 0
}

/// Release a lock taken by `lock_memory` (Unix: `munlock`).
///
/// Does nothing for an empty slice. The return value of `munlock` is ignored,
/// so a failed unlock is not reported to the caller.
#[cfg(unix)]
fn unlock_memory(data: &[u8]) {
    if data.is_empty() {
        return;
    }

    let addr = data.as_ptr().cast::<std::ffi::c_void>();
    let byte_count = data.len();

    // SAFETY: `addr`/`byte_count` describe the slice borrowed for this call.
    unsafe {
        libc::munlock(addr, byte_count);
    }
}

/// Lock memory to prevent paging (Windows: `VirtualLock`).
///
/// Returns `true` when the slice is empty or when `VirtualLock` returns a
/// non-zero value, `false` otherwise.
#[cfg(windows)]
fn lock_memory(data: &[u8]) -> bool {
    use std::ffi::c_void;

    extern "system" {
        fn VirtualLock(lpAddress: *const c_void, dwSize: usize) -> i32;
    }

    // Nothing to pin for an empty slice; report success without a call.
    if data.is_empty() {
        return true;
    }

    let base = data.as_ptr() as *const c_void;
    let byte_count = data.len();

    // SAFETY: `base`/`byte_count` describe the slice borrowed for this call.
    let status = unsafe { VirtualLock(base, byte_count) };
    status != 0
}

/// Release a lock taken by `lock_memory` (Windows: `VirtualUnlock`).
///
/// Does nothing for an empty slice. The return value of `VirtualUnlock` is
/// ignored, so a failed unlock is not reported to the caller.
#[cfg(windows)]
fn unlock_memory(data: &[u8]) {
    use std::ffi::c_void;

    extern "system" {
        fn VirtualUnlock(lpAddress: *const c_void, dwSize: usize) -> i32;
    }

    if data.is_empty() {
        return;
    }

    let base = data.as_ptr() as *const c_void;
    let byte_count = data.len();

    // SAFETY: `base`/`byte_count` describe the slice borrowed for this call.
    unsafe {
        VirtualUnlock(base, byte_count);
    }
}

/// Fallback for targets that are neither Unix nor Windows.
///
/// No lock is attempted: a warning goes to stderr and `false` is returned, so
/// strict-mode callers fail and permissive callers continue unlocked.
#[cfg(not(any(unix, windows)))]
fn lock_memory(_data: &[u8]) -> bool {
    let locked = false;
    eprintln!("Warning: Memory locking not supported on this platform");
    locked
}

/// Fallback for targets that are neither Unix nor Windows.
///
/// `lock_memory` never takes a lock on these targets, so there is nothing to
/// release.
#[cfg(not(any(unix, windows)))]
fn unlock_memory(_data: &[u8]) {}

/// Scope guard over a borrowed byte slice that wipes the slice when dropped.
///
/// The guard does not own or lock the memory; it only guarantees that the
/// borrowed bytes are overwritten with zeros once the guard goes out of scope.
pub struct SecureGuard<'a> {
    data: &'a mut [u8],
}

impl<'a> SecureGuard<'a> {
    /// Wrap `data` so that it is zeroed when the returned guard is dropped.
    pub fn new(data: &'a mut [u8]) -> Self {
        SecureGuard { data }
    }
}

impl Deref for SecureGuard<'_> {
    type Target = [u8];

    /// Read access to the guarded bytes.
    fn deref(&self) -> &[u8] {
        &*self.data
    }
}

impl DerefMut for SecureGuard<'_> {
    /// Write access to the guarded bytes.
    fn deref_mut(&mut self) -> &mut [u8] {
        &mut *self.data
    }
}

impl Drop for SecureGuard<'_> {
    fn drop(&mut self) {
        use std::sync::atomic::{compiler_fence, Ordering};

        // Volatile stores keep the compiler from discarding the wipe as a dead
        // write to memory that is about to go out of scope.
        self.data.iter_mut().for_each(|slot| {
            // SAFETY: `slot` is a valid, exclusive reference into the slice.
            unsafe { ptr::write_volatile(slot, 0) }
        });

        // Keep the compiler from reordering later code ahead of the wipe.
        compiler_fence(Ordering::SeqCst);
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    /// A permissive buffer has the requested length and starts zero-filled.
    #[test]
    fn test_secure_buffer_creation_permissive() {
        let buf = SecureBuffer::new_permissive(32).unwrap();
        assert_eq!(buf.len(), 32);
        assert!(buf.as_slice().iter().all(|byte| *byte == 0));
    }

    /// Bytes passed to `from_slice_permissive` are readable back unchanged.
    #[test]
    fn test_secure_buffer_from_slice_permissive() {
        let input = [1u8, 2, 3, 4, 5];
        let buf = SecureBuffer::from_slice_permissive(&input).unwrap();
        assert_eq!(buf.as_slice(), &input);
    }

    /// The coldstar-rs aliases (`from_bytes`, `as_bytes`) round-trip the data.
    #[test]
    fn test_secure_buffer_from_bytes_compat() {
        let key = b"supersecretkey!!";
        let wrapped = SecureBuffer::from_bytes(key).unwrap();
        assert_eq!(wrapped.as_bytes(), key);
        assert_eq!(wrapped.len(), 16);
    }

    /// After `zeroize()` no non-zero byte is visible through `as_slice()`.
    ///
    /// NOTE(review): `all()` is vacuously true on an empty slice, so this
    /// check alone says nothing about the length after `zeroize()`; consider
    /// asserting `len()` as well once the intended length is confirmed.
    #[test]
    fn test_secure_buffer_zeroize() {
        let mut buf = SecureBuffer::from_slice_permissive(&[1, 2, 3, 4]).unwrap();
        buf.zeroize();
        assert!(buf.as_slice().iter().all(|byte| *byte == 0));
    }

    /// `{:?}` shows the placeholder instead of the stored bytes.
    ///
    /// NOTE(review): a byte slice formats as decimal under `{:?}`, so the
    /// "DEAD"/"BEEF" checks would pass even if the bytes were printed; the
    /// `[REDACTED]` assertion is the one that carries the test.
    #[test]
    fn test_debug_redacts_data() {
        let buf = SecureBuffer::from_slice_permissive(&[0xDE, 0xAD, 0xBE, 0xEF]).unwrap();
        let rendered = format!("{:?}", buf);
        assert!(rendered.contains("[REDACTED]"));
        assert!(!rendered.contains("DEAD"));
        assert!(!rendered.contains("BEEF"));
    }

    /// A zero-capacity buffer can be created and reports itself as empty.
    #[test]
    fn test_empty_buffer() {
        let empty = SecureBuffer::new(0).unwrap();
        assert!(empty.is_empty());
    }

    /// Strict mode either yields a locked buffer or a `MemoryLockFailed` error.
    #[test]
    fn test_strict_mode_checks_locking() {
        match SecureBuffer::with_mode(32, LockingMode::Strict) {
            Ok(buf) => assert!(buf.is_locked(), "Strict mode should only succeed if locked"),
            // Expected on systems without mlock
            Err(SignerError::MemoryLockFailed(_)) => {}
            Err(e) => panic!("Unexpected error: {}", e),
        }
    }
}