lib3h_sodium 0.0.10

lib3h libsodium wrapper providing memory secure api access
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157

use lib3h_crypto_api::{Buffer, CryptoError, CryptoResult, ProtectState};

use crate::check_init;
use libc::c_void;

/// A secure buffer implementation of lib3h_crypto_api::Buffer
/// making use of libsodium's implementation of mlock and mprotect.
pub struct SecureBuffer {
    z: *mut c_void,
    s: usize,
    p: std::cell::RefCell<ProtectState>,
}

unsafe impl Send for SecureBuffer {}

impl Drop for SecureBuffer {
    fn drop(&mut self) {
        unsafe {
            rust_sodium_sys::sodium_free(self.z);
        }
    }
}

impl Clone for SecureBuffer {
    fn clone(&self) -> Self {
        let mut out = SecureBuffer::new(self.s);
        out.write(0, &self.read_lock())
            .expect("could not write new");
        out
    }
}

impl std::fmt::Debug for SecureBuffer {
    fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
        match *self.p.borrow() {
            ProtectState::NoAccess => write!(f, "SecureBuffer( {:?} )", "<NO_ACCESS>"),
            _ => write!(f, "SecureBuffer( {:?} )", *self),
        }
    }
}

impl std::ops::Deref for SecureBuffer {
    type Target = [u8];

    fn deref(&self) -> &Self::Target {
        if *self.p.borrow() == ProtectState::NoAccess {
            panic!("Deref, but state is NoAccess");
        }
        unsafe { &std::slice::from_raw_parts(self.z as *const u8, self.s)[..self.s] }
    }
}

impl std::ops::DerefMut for SecureBuffer {
    fn deref_mut(&mut self) -> &mut Self::Target {
        if *self.p.borrow() != ProtectState::ReadWrite {
            panic!("DerefMut, but state is not ReadWrite");
        }
        unsafe { &mut std::slice::from_raw_parts_mut(self.z as *mut u8, self.s)[..self.s] }
    }
}

impl SecureBuffer {
    pub fn new(size: usize) -> Self {
        check_init();
        let z = unsafe {
            // sodium_malloc requires memory-aligned sizes,
            // round up to the nearest 8 bytes.
            let align_size = (size + 7) & !7;
            let z = rust_sodium_sys::sodium_malloc(align_size);
            if z.is_null() {
                panic!("sodium_malloc could not allocate");
            }
            rust_sodium_sys::sodium_memzero(z, align_size);
            rust_sodium_sys::sodium_mprotect_noaccess(z);
            z
        };

        SecureBuffer {
            z,
            s: size,
            p: std::cell::RefCell::new(ProtectState::NoAccess),
        }
    }
}

impl Buffer for SecureBuffer {
    fn box_clone(&self) -> Box<dyn Buffer> {
        Box::new(self.clone())
    }

    fn as_buffer(&self) -> &dyn Buffer {
        &*self
    }

    fn as_buffer_mut(&mut self) -> &mut dyn Buffer {
        &mut *self
    }

    fn len(&self) -> usize {
        self.s
    }

    fn is_empty(&self) -> bool {
        self.s == 0
    }

    fn set_no_access(&self) {
        if *self.p.borrow() == ProtectState::NoAccess {
            panic!("already no access... bad logic");
        }
        unsafe {
            rust_sodium_sys::sodium_mprotect_noaccess(self.z);
        }
        *self.p.borrow_mut() = ProtectState::NoAccess;
    }

    fn set_readable(&self) {
        if *self.p.borrow() != ProtectState::NoAccess {
            panic!("not no access... bad logic");
        }
        unsafe {
            rust_sodium_sys::sodium_mprotect_readonly(self.z);
        }
        *self.p.borrow_mut() = ProtectState::ReadOnly;
    }

    fn set_writable(&self) {
        if *self.p.borrow() != ProtectState::NoAccess {
            panic!("not no access... bad logic");
        }
        unsafe {
            rust_sodium_sys::sodium_mprotect_readwrite(self.z);
        }
        *self.p.borrow_mut() = ProtectState::ReadWrite;
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn it_handles_alignment() {
        // the underlying memory should be 8,
        // but every function should treat it as 1.
        let mut b = SecureBuffer::new(1);
        assert_eq!(1, b.len());
        {
            let r: &[u8] = &b.read_lock()[..];
            assert_eq!(1, r.len());
        }
        {
            let w: &mut [u8] = &mut b.write_lock()[..];
            assert_eq!(1, w.len());
        }
    }
}