Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Zeroize types/fields containing secrets #1492

Merged
merged 8 commits into from Oct 20, 2023
Merged

Zeroize types/fields containing secrets #1492

merged 8 commits into from Oct 20, 2023

Conversation

ctz
Copy link
Member

@ctz ctz commented Sep 23, 2023
edited

This is for #265. After the Microsoft incident publicised a couple of months ago, I think I changed my mind about the relative importance of this. It also goes hand-in-hand with having more types containing secrets, introduced in the recent crypto provider work.

closes #265

@codecov
Copy link

codecov bot commented Sep 23, 2023
edited

Codecov Report

Merging #1492 (5fac683) into main (1fbb608) will decrease coverage by 0.03%.
The diff coverage is 100.00%.

❗ Current head 5fac683 differs from pull request most recent head 3f90aba. Consider uploading reports for the commit 3f90aba to get more accurate results

@@            Coverage Diff             @@
##             main    #1492      +/-   ##
==========================================
- Coverage   96.49%   96.46%   -0.03%     
==========================================
  Files          74       74              
  Lines       15110    15110              
==========================================
- Hits        14580    14576       -4     
- Misses        530      534       +4
Files Coverage Δ
rustls/src/client/handy.rs 98.74% <100.00%> (-0.07%) ⬇️
rustls/src/client/tls12.rs 98.53% <100.00%> (ø)
rustls/src/client/tls13.rs 97.05% <100.00%> (ø)
rustls/src/crypto/cipher.rs 85.71% <100.00%> (+0.45%) ⬆️
rustls/src/crypto/hmac.rs 100.00% <100.00%> (ø)
rustls/src/crypto/mod.rs 100.00% <100.00%> (ø)
rustls/src/msgs/base.rs 90.29% <100.00%> (-2.50%) ⬇️
rustls/src/msgs/persist.rs 99.29% <100.00%> (-0.01%) ⬇️
rustls/src/server/tls12.rs 96.89% <100.00%> (-0.01%) ⬇️
rustls/src/server/tls13.rs 96.98% <100.00%> (ø)
... and 1 more

... and 6 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@djc djc mentioned this pull request Oct 2, 2023
Closed
15 tasks
@cpu
Copy link
Member

cpu commented Oct 16, 2023

just for CI results currently.

@ctz The CI results seem promising. Is this something that could be reviewed if it were rebased on main or are there still aspects in flux?

@ctz
Copy link
Member Author

ctz commented Oct 16, 2023

Yes I plan to rebase & prepare this for review.

@ctz ctz force-pushed the jbp-zeroize branch 3 times, most recently from 8da4904 to e05fc67 Compare October 18, 2023 10:21
@ctz
Copy link
Member Author

ctz commented Oct 19, 2023

#1544 should mean I can drop the last couple of commits on this PR. Then I think it will be ready.

@ctz
AeadKey: zeroize on drop
a3c7f86
@ctz
SharedSecret: zeroize on drop
3834a7e
@ctz
hmac::Tag: zeroize on drop
f7c74ba 
This is not always a secret quantity, but treating it as such covers
zeroisation on `OkmBlock`, and hence tls13::key_schedule.  It also
covers some intermediate values in hkdf computations.
@ctz
tls12::ConnectionSecrets: zeroize on drop
76d74de
@ctz
PayloadU8: impl Zeroize
84725be 
So we can wrap it in `zeroize::Zeroizing`
@ctz
ClientSessionCommon::master_secret: zeroize on drop
b626eaa
@ctz
ServerSessionValue::master_secret zeroize on drop
19b6a49
@ctz
persist: avoid passing secrets in as Vec<u8>
3f90aba 
This avoids having them as 'loose' unzeroized type on the way to being moved
to their final home.

This is sufficient, because:

- tls12: the secret comes from
  `tls12::ConnectionSecrets::master_secret()` which borrows from its
  internal storage; `tls12::ConnectionSecrets::drop` zeroes this
  storage.
- tls13: the secret comes from
  `resumption_master_secret_and_derive_ticket_psk`, of type `hkdf::OkmBlock`,
  which we borrow from.  Only once the borrow finishes will that be
  zeroized.
@ctz ctz marked this pull request as ready for review October 19, 2023 15:30
cpu
cpu approved these changes Oct 19, 2023
View reviewed changes
Copy link
Member

@cpu cpu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

I notice the icount benchmarks show a small bump, but it doesn't seem very significant. Perhaps worth running the local benchmarks to see if the instruction delta affects wallclock perf?

@ctz
Copy link
Member Author

ctz commented Oct 20, 2023

I notice the icount benchmarks show a small bump, but it doesn't seem very significant. Perhaps worth running the local benchmarks to see if the instruction delta affects wallclock perf?

FYI @aochagavia this PR might be a good case study for the new method of performance measurement -- instruction counts show a small (and expected) bump, but might cause an outsized impact on real-world performance.

@ctz ctz added this pull request to the merge queue Oct 20, 2023
Merged via the queue into main with commit 19d5eda Oct 20, 2023
39 of 40 checks passed
@ctz ctz deleted the jbp-zeroize branch October 20, 2023 09:12
This was referenced Oct 27, 2023
Closed
Merged
github-merge-queue bot pushed a commit to rustls/rcgen that referenced this pull request Dec 9, 2023
@cpu
Add external types CI check + config (#183)
8798e81 
Having types from dependent crates appear in rcgen's public API makes
taking semver incompatible updates to those dependencies tricky: we need
to treat it as a semver incompatible change to rcgen itself. To make
sure whenever this type leak happens that it was done because of a
deliberate choice this branch adds
[cargo-check-external-types](https://github.com/awslabs/cargo-check-external-types)
to CI.

Three existing types that leaked into the API are fixed:
`ring::error::KeyRejected`, `ring::error::Unspecified`, and
`pem::PemError`. In each case it's simple to translate the specific
error types from the dependency into our own `Error` variants that don't
expose the type.

Two types are allow-listed: `time::offset_date_time::OffsetDateTime` and
`zeroize::Zeroize`.

The first, `OffsetDateTime` is used throughout the public API. It isn't
clear to me if we want to keep that as part of the public API and treat
`time` updates carefully, or if we should pursue using a more generic
representation. I've left this out for now so it can be discussed.

The second, `Zeroize`, could probably be avoided by implementing `Drop`
and calling `zeroize` on the sensitive fields manually. That's the
approach Rustls implemented
(rustls/rustls#1492). I've left this out for in
case there was a reason to prefer implementing the trait on the public
types.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@djc djc djc approved these changes

@cpu cpu cpu approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Use zeroize for best-effort secret zeroisation
3 participants
@ctz @cpu @djc