Merge branch 'ebassi/secure-buffer' into 'master'

Add secure entry buffer

Closes #3119 and #2403

See merge request GNOME/gtk!2545
This commit is contained in:
Matthias Clasen 2020-09-08 23:48:25 +00:00
commit 887d0b7411
10 changed files with 1783 additions and 5 deletions

View File

@ -69,6 +69,9 @@
/* Define to 1 if you have the `mkstemp' function. */
#mesondefine HAVE_MKSTEMP
/* Define to 1 if you have the `mlock` function. */
#mesondefine HAVE_MLOCK
/* Define to 1 if you have a working `mmap' system call. */
#mesondefine HAVE_MMAP

View File

@ -63,7 +63,6 @@ G_DEFINE_AUTOPTR_CLEANUP_FUNC(GtkCssProvider, g_object_unref)
G_DEFINE_AUTOPTR_CLEANUP_FUNC(GtkDrawingArea, g_object_unref)
G_DEFINE_AUTOPTR_CLEANUP_FUNC(GtkEditable, g_object_unref)
G_DEFINE_AUTOPTR_CLEANUP_FUNC(GtkEntry, g_object_unref)
G_DEFINE_AUTOPTR_CLEANUP_FUNC(GtkEntryBuffer, g_object_unref)
G_DEFINE_AUTOPTR_CLEANUP_FUNC(GtkEntryCompletion, g_object_unref)
G_DEFINE_AUTOPTR_CLEANUP_FUNC(GtkEventController, g_object_unref)
G_DEFINE_AUTOPTR_CLEANUP_FUNC(GtkExpander, g_object_unref)

View File

@ -137,6 +137,8 @@ void gtk_entry_buffer_emit_deleted_text (GtkEntryBuffe
guint position,
guint n_chars);
G_DEFINE_AUTOPTR_CLEANUP_FUNC(GtkEntryBuffer, g_object_unref)
G_END_DECLS
#endif /* __GTK_ENTRY_BUFFER_H__ */

View File

@ -24,15 +24,16 @@
#include "gtktextprivate.h"
#include "gtkeditable.h"
#include "gtkeventcontrollerkey.h"
#include "gtkgestureclick.h"
#include "gtkbox.h"
#include "gtkimage.h"
#include "gtkintl.h"
#include "gtkprivate.h"
#include "gtkwidgetprivate.h"
#include "gtkmarshalers.h"
#include "gtkpasswordentrybufferprivate.h"
#include "gtkprivate.h"
#include "gtkstylecontext.h"
#include "gtkeventcontrollerkey.h"
#include "gtkwidgetprivate.h"
/**
* SECTION:gtkpasswordentry
@ -41,7 +42,10 @@
*
* #GtkPasswordEntry is entry that has been tailored for entering secrets.
* It does not show its contents in clear text, does not allow to copy it
* to the clipboard, and it shows a warning when Caps Lock is engaged.
* to the clipboard, and it shows a warning when Caps Lock is engaged. If
* the underlying platform allows it, GtkPasswordEntry will also place the
* text in a non-pageable memory area, to avoid it being written out to
* disk by the operating system.
*
* Optionally, it can offer a way to reveal the contents in clear text.
*
@ -159,8 +163,10 @@ static void
gtk_password_entry_init (GtkPasswordEntry *entry)
{
GtkPasswordEntryPrivate *priv = gtk_password_entry_get_instance_private (entry);
GtkEntryBuffer *buffer = gtk_password_entry_buffer_new ();
priv->entry = gtk_text_new ();
gtk_text_set_buffer (GTK_TEXT (priv->entry), buffer);
gtk_text_set_visibility (GTK_TEXT (priv->entry), FALSE);
gtk_widget_set_parent (priv->entry, GTK_WIDGET (entry));
gtk_editable_init_delegate (GTK_EDITABLE (entry));
@ -175,6 +181,9 @@ gtk_password_entry_init (GtkPasswordEntry *entry)
gtk_widget_add_css_class (GTK_WIDGET (entry), I_("password"));
gtk_password_entry_set_extra_menu (entry, NULL);
/* Transfer ownership to the GtkText widget */
g_object_unref (buffer);
}
static void

View File

@ -0,0 +1,196 @@
/* gtkpasswordentrybuffer.c: Entry buffer with secure allocation
*
Copyright 2009 Stefan Walter
* Copyright 2020 GNOME Foundation
*
* SPDX-License-Identifier: LGPL-2.1-or-later
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, see <http://www.gnu.org/licenses/>.
*/
#include "config.h"
#include "gtkpasswordentrybufferprivate.h"
#include "gtksecurememoryprivate.h"
#include <string.h>
/* Initial size of buffer, in bytes */
#define MIN_SIZE 16
struct _GtkPasswordEntryBuffer
{
GtkEntryBuffer parent_instance;
char *text;
gsize text_size;
gsize text_bytes;
guint text_chars;
};
G_DEFINE_TYPE (GtkPasswordEntryBuffer, gtk_password_entry_buffer, GTK_TYPE_ENTRY_BUFFER)
static const char *
gtk_password_entry_buffer_real_get_text (GtkEntryBuffer *buffer,
gsize *n_bytes)
{
GtkPasswordEntryBuffer *self = GTK_PASSWORD_ENTRY_BUFFER (buffer);
if (n_bytes != NULL)
*n_bytes = self->text_bytes;
if (!self->text)
return "";
return self->text;
}
static guint
gtk_password_entry_buffer_real_get_length (GtkEntryBuffer *buffer)
{
GtkPasswordEntryBuffer *self = GTK_PASSWORD_ENTRY_BUFFER (buffer);
return self->text_chars;
}
static guint
gtk_password_entry_buffer_real_insert_text (GtkEntryBuffer *buffer,
guint position,
const char *chars,
guint n_chars)
{
GtkPasswordEntryBuffer *self = GTK_PASSWORD_ENTRY_BUFFER (buffer);
gsize n_bytes = g_utf8_offset_to_pointer (chars, n_chars) - chars;
/* Need more memory */
if (n_bytes + self->text_bytes + 1 > self->text_size)
{
/* Calculate our new buffer size */
while (n_bytes + self->text_bytes + 1 > self->text_size)
{
if (self->text_size == 0)
{
self->text_size = MIN_SIZE;
}
else
{
if (2 * self->text_size < GTK_ENTRY_BUFFER_MAX_SIZE)
{
self->text_size *= 2;
}
else
{
self->text_size = GTK_ENTRY_BUFFER_MAX_SIZE;
if (n_bytes > self->text_size - self->text_bytes - 1)
{
n_bytes = self->text_size - self->text_bytes - 1;
n_bytes = g_utf8_find_prev_char (chars, chars + n_bytes + 1) - chars;
n_chars = g_utf8_strlen (chars, n_bytes);
}
break;
}
}
}
self->text = gtk_secure_realloc (self->text, self->text_size);
}
/* Actual text insertion */
gsize at = g_utf8_offset_to_pointer (self->text, position) - self->text;
memmove (self->text + at + n_bytes, self->text + at, self->text_bytes - at);
memcpy (self->text + at, chars, n_bytes);
/* Book keeping */
self->text_bytes += n_bytes;
self->text_chars += n_chars;
self->text[self->text_bytes] = '\0';
gtk_entry_buffer_emit_inserted_text (buffer, position, chars, n_chars);
return n_chars;
}
static guint
gtk_password_entry_buffer_real_delete_text (GtkEntryBuffer *buffer,
guint position,
guint n_chars)
{
GtkPasswordEntryBuffer *self = GTK_PASSWORD_ENTRY_BUFFER (buffer);
if (position > self->text_chars)
position = self->text_chars;
if (position + n_chars > self->text_chars)
n_chars = self->text_chars - position;
if (n_chars > 0)
{
gsize start = g_utf8_offset_to_pointer (self->text, position) - self->text;
gsize end = g_utf8_offset_to_pointer (self->text, position + n_chars) - self->text;
memmove (self->text + start, self->text + end, self->text_bytes + 1 - end);
self->text_chars -= n_chars;
self->text_bytes -= (end - start);
gtk_entry_buffer_emit_deleted_text (buffer, position, n_chars);
}
return n_chars;
}
static void
gtk_password_entry_buffer_finalize (GObject *gobject)
{
GtkPasswordEntryBuffer *self = GTK_PASSWORD_ENTRY_BUFFER (gobject);
g_clear_pointer (&self->text, gtk_secure_free);
self->text_bytes = 0;
self->text_size = 0;
self->text_chars = 0;
G_OBJECT_CLASS (gtk_password_entry_buffer_parent_class)->finalize (gobject);
}
static void
gtk_password_entry_buffer_class_init (GtkPasswordEntryBufferClass *klass)
{
GObjectClass *gobject_class = G_OBJECT_CLASS (klass);
GtkEntryBufferClass *buffer_class = GTK_ENTRY_BUFFER_CLASS (klass);
gobject_class->finalize = gtk_password_entry_buffer_finalize;
buffer_class->get_text = gtk_password_entry_buffer_real_get_text;
buffer_class->get_length = gtk_password_entry_buffer_real_get_length;
buffer_class->insert_text = gtk_password_entry_buffer_real_insert_text;
buffer_class->delete_text = gtk_password_entry_buffer_real_delete_text;
}
static void
gtk_password_entry_buffer_init (GtkPasswordEntryBuffer *self)
{
}
/*< private >
* gtk_password_entry_buffer_new:
*
* Creates a new #GtkEntryBuffer using secure memory allocations.
*
* Returns: (transfer full): the newly created instance
*/
GtkEntryBuffer *
gtk_password_entry_buffer_new (void)
{
return g_object_new (GTK_TYPE_PASSWORD_ENTRY_BUFFER, NULL);
}

View File

@ -0,0 +1,33 @@
/* gtkpasswordentrybufferprivate.h: Entry buffer using secure allocation
*
* Copyright 2020 GNOME Foundation
*
* SPDX-License-Identifier: LGPL-2.1-or-later
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, see <http://www.gnu.org/licenses/>.
*/
#pragma once
#include <gtk/gtkentrybuffer.h>
G_BEGIN_DECLS
#define GTK_TYPE_PASSWORD_ENTRY_BUFFER (gtk_password_entry_buffer_get_type())
G_DECLARE_FINAL_TYPE (GtkPasswordEntryBuffer, gtk_password_entry_buffer, GTK, PASSWORD_ENTRY_BUFFER, GtkEntryBuffer)
GtkEntryBuffer * gtk_password_entry_buffer_new (void);
G_END_DECLS

1434
gtk/gtksecurememory.c Normal file

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,95 @@
/* gtksecurememoryprivate.h - Allocator for non-pageable memory
Copyright 2007 Stefan Walter
Copyright 2020 GNOME Foundation
SPDX-License-Identifier: LGPL-2.0-or-later
The Gnome Keyring Library is free software; you can redistribute it and/or
modify it under the terms of the GNU Library General Public License as
published by the Free Software Foundation; either version 2 of the
License, or (at your option) any later version.
The Gnome Keyring Library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Library General Public License for more details.
You should have received a copy of the GNU Library General Public
License along with the Gnome Library; see the file COPYING.LIB. If not,
see <http://www.gnu.org/licenses/>.
Author: Stef Walter <stef@memberwebs.com>
*/
#pragma once
#include <stdlib.h>
/*
* Main functionality
*
* Allocations return NULL on failure.
*/
#define GTK_SECURE_USE_FALLBACK 0x0001
void * gtk_secure_alloc_full (const char *tag,
size_t length,
int options);
void * gtk_secure_realloc_full (const char *tag,
void *p,
size_t length,
int options);
void gtk_secure_free (void *p);
void gtk_secure_free_full (void *p,
int fallback);
void gtk_secure_clear (void *p,
size_t length);
int gtk_secure_check (const void *p);
void gtk_secure_validate (void);
char * gtk_secure_strdup_full (const char *tag,
const char *str,
int options);
char * gtk_secure_strndup_full (const char *tag,
const char *str,
size_t length,
int options);
void gtk_secure_strclear (char *str);
void gtk_secure_strfree (char *str);
/* Simple wrappers */
static inline void *gtk_secure_alloc (size_t length) {
return gtk_secure_alloc_full ("gtk", length, GTK_SECURE_USE_FALLBACK);
}
static inline void *gtk_secure_realloc (void *p, size_t length) {
return gtk_secure_realloc_full ("gtk", p, length, GTK_SECURE_USE_FALLBACK);
}
static inline void *gtk_secure_strdup (const char *str) {
return gtk_secure_strdup_full ("gtk", str, GTK_SECURE_USE_FALLBACK);
}
static inline void *gtk_secure_strndup (const char *str, size_t length) {
return gtk_secure_strndup_full ("gtk", str, length, GTK_SECURE_USE_FALLBACK);
}
typedef struct {
const char *tag;
size_t request_length;
size_t block_length;
} gtk_secure_rec;
gtk_secure_rec * gtk_secure_records (unsigned int *count);

View File

@ -121,6 +121,7 @@ gtk_private_sources = files([
'gtkmenutrackeritem.c',
'gtkpango.c',
'gskpango.c',
'gtkpasswordentrybuffer.c',
'gtkpathbar.c',
'gtkplacessidebar.c',
'gtkplacesview.c',
@ -134,6 +135,7 @@ gtk_private_sources = files([
'gtkscaler.c',
'gtksearchengine.c',
'gtksearchenginemodel.c',
'gtksecurememory.c',
'gtksizerequestcache.c',
'gtksortkeys.c',
'gtkstyleanimation.c',

View File

@ -217,6 +217,11 @@ if cc.compiles(uint128_t_src, name : '__uint128_t available')
cdata.set('HAVE_UINT128_T', 1)
endif
# Check for mlock
if cc.has_function('mlock', prefix: '#include <sys/mman.h>')
cdata.set('HAVE_MLOCK', 1)
endif
# Disable deprecation checks for all libraries we depend on on stable branches.
# This is so newer versions of those libraries don't cause more warnings with
# a stable GTK version.