Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

wallet: SecureString to allow null characters #2690

Merged
merged 2 commits into from
Jul 4, 2023
Merged

wallet: SecureString to allow null characters #2690

merged 2 commits into from
Jul 4, 2023

Conversation

barton2526
Copy link
Member

SecureString is a std::string specialization with a secure allocator. However, in practice it's treated like a C- string (no explicit length and null-terminated). This can cause unexpected and potentially insecure behavior. For instance, if a user enters a passphrase with embedded null characters (which is possible through Qt and the JSON-RPC), it will ignore any characters after the first null, potentially giving the user a false sense of security.

Instead of assigning to SecureString via std::string::c_str(), assign it via a std::string_view of the original. This explicitly captures the size and still doesn't make any extraneous copies in memory.

Note to reviewers, the following all compile identically in recent GCC (x86-64 and ARM64) with -O2 (and -std=c++17):

std::string orig_string;
std::cin >> orig_string;
SecureString s;
s.reserve(100);
// The following all compile identically
s = orig_string;
s = std::string_view{orig_string};
s.assign(std::string_view{orig_string});
s.assign(orig_string.data(), orig_string.size());

So it's largely a matter of preference. However, one thing to keep in mind is that we want to avoid making unnecessary copies of any sensitive data in memory.

Something like SecureString s{orig_string}; is still invalid and probably unwanted in our case, since it'd get treated as a short string and optimized away from the secure allocator. I presume that's the reason for the reserve() calls.

Ref: bitcoin/bitcoin#27068

@barton2526
Pass all characters to SecureString including nulls
57af7fa 
`SecureString` is a `std::string` specialization with
a secure allocator. However, it's treated like a C-
string (no explicit length and null-terminated). This
can cause unexpected behavior. For instance, if a user
enters a passphrase with an embedded null character
(which is possible through Qt and the JSON-RPC), it will
ignore any characters after the null, giving the user
a false sense of security.

Instead of assigning `SecureString` via `std::string::c_str()`,
assign it via a `std::string_view` of the original. This
explicitly captures the size and doesn't make any extraneous
copies in memory.
@barton2526
Copy link
Member Author

I need help testing this.

@div72
Copy link
Member

div72 commented Jun 8, 2023

The diff looks fine, the std::string_view casts are completely useless but keeping them would be better to remain closer to upstream.

I haven't tested if it worked previously but I can confirm the GUI properly accepts the null with this PR, the problem is there's no sane way to pass a password with null for daemon users. You cannot pass it through gridcoinresearchd as the arguments are parsed as C-strings will be just cut off at null. Even if you could (or use curl etc.) the RPC interface chokes when null is passed and does not seem to properly interpret \0 or \u0000 in the JSON.

Pythonix
Pythonix reviewed Jun 13, 2023
View reviewed changes
src/wallet/rpcwallet.cpp Outdated Show resolved Hide resolved
@barton2526
Detailed error message for passphrases with null chars
ca934df 
Since users may have thought the null characters in their
passphrases were actually evaluated prior to this change,
they may be surprised to learn that their passphrases no
longer work. Give them feedback to explain how to remedy
the issue.
@jamescowens jamescowens self-requested a review June 26, 2023 16:05
@jamescowens jamescowens added this to the Miss Piggy milestone Jun 26, 2023
@jamescowens
Copy link
Member

Based on my testing, I think the chances of a problem here are minimal.

@jamescowens jamescowens merged commit dad1bd2 into gridcoin-community:development Jul 4, 2023
9 checks passed
@barton2526 barton2526 deleted the SecurerSecureString branch July 4, 2023 20:24
jamescowens added a commit to jamescowens/Gridcoin-Research that referenced this pull request Mar 2, 2024
@jamescowens
5.4.6.0, 2024-03-02, leisure, "Miss Piggy"
3044941 
Added
 - contrib: add nix file for compilation environment gridcoin-community#2660 (@div72)
 - gui: Make main Gridcoin window geometry save unique to datadir location gridcoin-community#2661 (@jamescowens)
 - build: Initial CMake support gridcoin-community#2676 (@CyberTailor)
 - util: Add `-shutdownnotify` and `startupnotify` options from upstream gridcoin-community#2688 (@barton2526)
 - gui, staking: Implement facilities for mandatory sidestakes and sidestake GUI gridcoin-community#2704 (@jamescowens)
 - gui, voting: Implement poll result caching and poll stale indicator gridcoin-community#2709 (@jamescowens)
 - gui, projects: Implement greylist state for projects in GUI projects table gridcoin-community#2715 (@jamescowens)
 - gui, poll: Implement poll expiration reminders gridcoin-community#2716 (@jamescowens)
 - serialize: allow variants to be serialized gridcoin-community#2729 (@div72)
 - gui: Implement poll field length limiters in GUI forms gridcoin-community#2742 (@jamescowens)

Changed
 - consensus, contract, scraper, protocol, project, beacon, rpc: Replace remaining appcache sections with native structures gridcoin-community#2639 (@jamescowens)
 - build: update libsecp256k1 to v0.3.0 gridcoin-community#2655 (@div72)
 - build: Replace $(AT) with .SILENT gridcoin-community#2674 (@barton2526)
 - build: allow system bdb gridcoin-community#2675 (@div72)
 - Resize Header Column with Additional Text gridcoin-community#2683 (@PrestackI)
 - rpc: use RPCErrorCode everywhere gridcoin-community#2687 (@Pythonix)
 - wallet: SecureString to allow null characters gridcoin-community#2690 (@barton2526)
 - random: port some upstream changes gridcoin-community#2696 (@div72)
 - depends: Bump dependencies gridcoin-community#2692 (@barton2526)
 - doc: Update link to Discord server gridcoin-community#2693 (@adriaanjoubert)
 - rpc: Change capitalization, remove whitespace of rpc keys gridcoin-community#2711 (@Pythonix)
 - ci: bump MacOS version to 12 gridcoin-community#2713 (@div72)
 - depends: no-longer nuke libc++abi.so* in native_clang package gridcoin-community#2719 (@div72)
 - doc: update windows `-fstack-clash-protection` doc gridcoin-community#2720 (@div72)
 - Silence `-Wcast-function-type` warning gridcoin-community#2721 (@div72)
 - build: Use newest `config.{guess,sub}` available gridcoin-community#2722 (@div72)
 - refactor: use the try_lock result in TryEnter gridcoin-community#2723 (@div72)
 - Updates for file src/qt/locale/bitcoin_en.ts in pt_PT gridcoin-community#2726 (@gridcoin-community)
 - ci: do not silently fail gridcoin-community#2727 (@div72)
 - Properly include Boost Array header gridcoin-community#2730 (@theMarix)
 - build: Update depends zlib to 1.3.1 gridcoin-community#2734 (@jamescowens)
 - util: Enhance Fraction class overflow resistance gridcoin-community#2735 (@jamescowens)
 - refactor: Fix compilation warnings gridcoin-community#2737 (@jamescowens)
 - gui, util: Improve upgrade dialog gridcoin-community#2738 (@jamescowens)
 - util: Improve allocation class gridcoin-community#2740 (@jamescowens)
 - translations: translation updates for Miss Piggy release gridcoin-community#2745 (@jamescowens)

Removed
 - gui: Disable snapshot GUI action gridcoin-community#2700 (@jamescowens)
 - build, crypto, script: remove most of OpenSSL usage gridcoin-community#2705 (@div72)
 - util: remove WSL 1 workaround in fs gridcoin-community#2717 (@div72)

Fixed
 - diagnostics: fix missing arg in ETTS warning gridcoin-community#2684 (@div72)
 - misc: fix include guard in netaddress.h gridcoin-community#2695 (@div72)
 - gui: Fix expired pending beacon display gridcoin-community#2698 (@jamescowens)
 - consensus: Fix 20230904 testnet forking issue gridcoin-community#2703 (@jamescowens)
 - gui: Fix filter by type in Transaction View gridcoin-community#2708 (@jamescowens)
 - depends: make fontconfig build under clang-16 gridcoin-community#2718 (@div72)
 - diag: fix researcher mode check gridcoin-community#2725 (@div72)
 - gui: Add missing switch cases for ALREADY_IN_MEMPOOL gridcoin-community#2728 (@jamescowens)
 - beacon, registry: Fix beacon history stall gridcoin-community#2731 (@jamescowens)
 - build: Implement comp_double comparison function in certain tests gridcoin-community#2741 (@jamescowens)
 - ci: change Qt path in CMake CI gridcoin-community#2743 (@div72)
 - net: Correct -tor argument handling gridcoin-community#2744 (@jamescowens)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Pythonix Pythonix Pythonix left review comments

@jamescowens jamescowens Awaiting requested review from jamescowens

Assignees

@barton2526 barton2526

Labels
compatibility security
Projects
None yet
Milestone
Miss Piggy
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@barton2526 @div72 @jamescowens @Pythonix