secretmangle 0.3.0

A library for mangling sensitive data in memory with a random key.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305

pub mod xor_intrinsic;

use std::sync::atomic::{fence, Ordering};
use std::marker::PhantomData;
use std::mem::MaybeUninit;
use std::ptr::NonNull;

/// XORs the data behind first pointer using key from second pointer.
/// The mangling operation is guaranteed to not be reordered after
/// any later operation, by usage of atomic fence with SeqCst semantics.
/// (See <https://github.com/RustCrypto/utils/blob/34c554f13500dd11566922048d6e865787d6fa51/zeroize/src/lib.rs#L301-L304>
/// for more details.)
///
/// # Safety
/// - `data` and `key` must be correctly aligned for `T`
/// - `data` and `key` must have at least `size_of::<T>()` bytes allocated
/// - `data` and `key` must either be non-overlapping or the same
///
/// No requirements on initialization status are made.
unsafe fn xor_chunks<T>(data: *mut u8, key: *const u8) {
    unsafe {
        xor_intrinsic::xor_chunks_intrinsic_baseline::<T>(data, key);
    }
    fence(Ordering::SeqCst);
}

/// Utility for masking a structure in program's heap with a random key,
/// supporting an arbitrary content type.
///
/// This version is written using assembly (not even common Unsafe Rust).
/// If your data is [`bytemuck::NoUninit`] (that is, Copy and has no padding), you can
/// also use [`crate::MangledBox`].
///
/// It is recommended to use [`std::clone::CloneToUninit`] to initialize
/// the contents of the box rather than constructing it on stack, since the
/// latter option might leave some trace of value being masked.
pub struct MangledBoxArbitrary<T> {
    /// Heap allocation with bytes mangled by XORing with `key`.
    data: Box<MaybeUninit<T>>,

    /// T-sized buffer containing a cryptographically secure random key.
    key: MaybeUninit<T>,
}

impl<T> MangledBoxArbitrary<T> {
    /// Constructs a new [`MangledBoxArbitrary`] with a random key and arbitrary data.
    pub fn new() -> Self {
        let data = Box::new_zeroed();
        // ^ [`data`] starts with arbitrary data from perspective of outer
        //   program; therefore we may choose anything, including that the block
        //   might had data equal to key (their XOR being zero).

        let mut key = MaybeUninit::uninit();
        getrandom::fill_uninit(key.as_bytes_mut()).expect("no keygen");
        // ^ fill_uninit guarantees that [`key`] is fully initialized on success

        Self { data, key }
    }

    /// Rekeys the box, preserving its contents.
    pub fn rekey(&mut self) {
        let mut diff_key = MaybeUninit::<T>::uninit();
        getrandom::fill_uninit(diff_key.as_bytes_mut()).expect("no keygen");

        unsafe {
            xor_chunks::<T>(
                Box::as_mut_ptr(&mut self.data).cast::<u8>(),
                diff_key.as_ptr().cast::<u8>(),
            );
            xor_chunks::<T>(
                self.key.as_mut_ptr().cast::<u8>(),
                diff_key.as_ptr().cast::<u8>(),
            );
        }
    }

    pub(crate) fn with_mangled<F, R>(&mut self, f: F) -> R
    where
        F: FnOnce(NonNull<T>) -> R {
        
        let data_ptr: *mut T = Box::as_mut_ptr(&mut self.data).cast::<T>();
        f(NonNull::new(data_ptr).unwrap())
    }

    /// Unmangles the contents and invokes the provided closure on it.
    /// Whether the closure panics or returns normally, the contents
    /// are remangled.
    pub fn with_unmangled<F, R>(&mut self, f: F) -> R
    where
        F: FnOnce(NonNull<T>) -> R,
    {
        let data_ptr = Box::as_mut_ptr(&mut self.data).cast::<u8>();
        let key_ptr = self.key.as_ptr().cast::<u8>();

        // Never panics as that's a pointer into Box allocation.
        // Compiler is probably able to optimize this check out.
        let data_nn: NonNull<u8> = NonNull::new(data_ptr).unwrap();

        // # Safety
        // 1. Both pointers point to some `MaybeUninit<T>`, so aligned
        // 2. [`data_ptr`] and [`key_ptr`] point to an allocation of at least
        //    `size_of::<T>()` bytes because they are obtained from references
        //    to `MaybeUninit<T>`.
        // 3. [`data_ptr`] points to heap allocation and [`key_ptr`] to
        //    stack, therefore they do not overlap.
        unsafe {
            xor_chunks::<T>(data_ptr, key_ptr);
        }

        /// Structure that handles remangling the pointed-to memory when
        /// dropped (both upon panic and successful [`with_unmangled`]
        /// completion). It is scoped because it is unsafe to construct.
        struct RemangleGuard<T> {
            data: *mut u8,
            key: *const u8,
            token: PhantomData<T>,
        }
        impl<T> Drop for RemangleGuard<T> {
            fn drop(&mut self) {
                unsafe { xor_chunks::<T>(self.data, self.key) }
            }
        }

        // # Safety
        // 1. Both pointers point to some `MaybeUninit<T>`, so aligned
        // 2. [`data_ptr`] and [`key_ptr`] point to an allocation of at least
        //    `size_of::<T>()` bytes because they are obtained from references
        //    to `MaybeUninit<T>`.
        // 3. [`data_ptr`] points to heap allocation and [`key_ptr`] to
        //    stack, therefore they do not overlap.
        let _guard = RemangleGuard::<T> {
            data: data_ptr,
            key: key_ptr,
            token: PhantomData,
        };

        f(data_nn.cast())
    }

    /// Drops the contents of the box, leaving it logically uninitialized.
    ///
    /// Using this is required to run any internal destructors, because the
    /// Drop implementation cannot know if there is any value to destroy.
    ///
    /// # Safety
    /// [`Self::with_unmangled`] must have initialized the contents.
    pub unsafe fn drop_in_place(&mut self) {
        self.with_unmangled(|p| unsafe { p.drop_in_place() });
    }
}

impl<T> Default for MangledBoxArbitrary<T> {
    fn default() -> Self {
        Self::new()
    }
}

impl<T> Drop for MangledBoxArbitrary<T> {
    fn drop(&mut self) {
        let data_ptr = Box::as_mut_ptr(&mut self.data).cast::<u8>();
        let key_ptr = self.key.as_mut_ptr().cast::<u8>();

        // # Safety
        // 1. Both pointers point to some `MaybeUninit<T>`, so aligned
        // 2. Both pointers were obtained from `&mut MaybeUninit<T>`
        //    to an allocation of at least `size_of::<T>()`.
        // 3. Each call passes the same pointer in both arguments.
        unsafe {
            xor_chunks::<T>(data_ptr, data_ptr);
            xor_chunks::<T>(key_ptr, key_ptr);
        }
    }
}

#[cfg(all(test, not(miri)))]
mod tests {
    use std::clone::CloneToUninit;
    use std::cell::RefCell;
    use std::ptr::NonNull;
    use std::rc::Rc;

    use super::MangledBoxArbitrary as MangledBox;

    fn ensure_send<T: Send>(_v: &T) {}
    fn ensure_sync<T: Sync>(_v: &T) {}

    #[test]
    fn zst() {
        let mut empty_box = MangledBox::<()>::new();
        ensure_send(&empty_box);
        ensure_sync(&empty_box);

        empty_box.with_unmangled(|_| {});
    }

    #[derive(Clone, Copy)]
    #[repr(C, align(64))]
    struct Align64;

    #[test]
    fn overaligned_zst() {
        let mut align64_box = MangledBox::<Align64>::new();
        ensure_send(&align64_box);
        ensure_sync(&align64_box);

        align64_box.with_unmangled(|p| {
            assert_eq!(
                p.as_ptr().align_offset(64),
                0,
                "alignment not preserved on overaligned ZST type"
            );
        });
    }

    struct ReportDrop(Rc<RefCell<bool>>);
    impl Drop for ReportDrop {
        fn drop(&mut self) {
            *self.0.borrow_mut() = true;
        }
    }

    #[test]
    fn drop_at_correct_time() {
        let drop_reported = Rc::new(RefCell::new(false));
        let drop_reported_clone = drop_reported.clone();

        {
            let mut box_ = MangledBox::<ReportDrop>::new();
            box_.with_unmangled(|p: NonNull<ReportDrop>| {
                // We DO NOT construct `ReportDrop` on stack.
                // `let val = ReportDrop(drop_reported_clone);`
                // would be a semantic misuse of this mangled box.

                let place: *mut u8 = p.as_ptr().cast();
                // Safety: `with_unmangled` promises that [`place`] points
                // to an allocation valid for `ReportDrop`.
                // `clone_to_uninit` does not require that [`place`] is
                // initialized beforehand, nor does `with_unmangled` require
                // that [`place`] is initialized after closure exits.
                unsafe { drop_reported_clone.clone_to_uninit(place) };
            });
            assert!(!*drop_reported.borrow(), "dropped a live box");

            unsafe {
                box_.drop_in_place();
            }
            assert!(*drop_reported.borrow(), "did not receive drop report");
        }
    }

    #[test]
    fn no_auto_drop() {
        let drop_reported = Rc::new(RefCell::new(false));
        let drop_reported_clone = drop_reported.clone();

        {
            let mut box_ = MangledBox::<ReportDrop>::new();
            box_.with_unmangled(|p: NonNull<ReportDrop>| {
                // We DO NOT construct `ReportDrop` on stack.
                // `let val = ReportDrop(drop_reported_clone);`
                // would be a semantic misuse of this mangled box.

                let place: *mut u8 = p.as_ptr().cast();
                // Safety: `with_unmangled` promises that [`place`] points
                // to an allocation valid for `ReportDrop`.
                // `clone_to_uninit` does not require that [`place`] is
                // initialized beforehand, nor does `with_unmangled` require
                // that [`place`] is initialized after closure exits.
                unsafe { drop_reported_clone.clone_to_uninit(place) };
            });
            assert!(!*drop_reported.borrow(), "dropped a live box");

            // Now, do not drop the contents but drop the `box_` itself.
        }
        assert!(
            !*drop_reported.borrow(),
            "box forwarded drop when it could not prove content is initialized"
        );
    }

    #[test]
    fn real_structures_string() {
        use std::fmt::Write;

        let mut box_ = MangledBox::<String>::new();
        box_.with_unmangled(|p| unsafe {
            p.write("hello".to_owned());
        });
        box_.with_unmangled(|mut p| {
            assert_eq!(unsafe { p.as_ref() }, "hello");
            unsafe {
                p.as_mut().push_str(" Rust!");
            }
        });
        box_.rekey();
        box_.with_unmangled(|p| {
            let mut s = String::with_capacity(13);
            write!(s, "{:?}", unsafe { p.as_ref() }).unwrap();
            assert_eq!(s, "\"hello Rust!\"");
        });
        unsafe {
            box_.drop_in_place();
        }
    }
}