From: Ted Zlatanov
Newsgroups: gmane.emacs.devel
Subject: Re: lexbind: how to replace lexical-let approach to hide secrets
Date: Thu, 31 Mar 2011 10:42:25 -0500
Organization: Теодор Златанов @ Cienfuegos
Message-ID: <87ei5n8ffi.fsf@lifelogs.com>
References: <4D926EA9.5080509@gmail.com> <4D92AD2B.40502@gmail.com> <87lizwd9lt.fsf_-_@lifelogs.com>
To: emacs-devel@gnu.org
User-Agent: Gnus/5.110016 (No Gnus v0.16) Emacs/24.0.50 (gnu/linux)
Xref: news.gmane.org gmane.emacs.devel:137948

On Wed, 30 Mar 2011 17:12:37 -0400 Stefan Monnier wrote:

>> Slightly related: auth-source.el uses `lexical-let' to define lambda
>> accessors for secrets (so printing them, for instance, won't show a
>> password).  Will the secrets still be hidden in the lexbind branch?

SM> If you want to hide the value, then use:

SM>     (let ((data (let ((sym (make-symbol "foo")))
SM>                   (set sym "secret")
SM>                   sym)))
SM>       (lambda () (symbol-value data)))

SM> which is similar to what lexical-let ends up doing.

I wonder if the above approach can simply replace the `lexical-let'
macro in the lexbind branch.

On Wed, 30 Mar 2011 23:56:59 +0200 David Kastrup wrote:

DK> All of which, by necessity, contain the necessary material to get at the
DK> secret in the bytecode/closure/funcell.  Where, of course, it is
DK> reasonably easy to retrieve it.  And that is actually overkill, since
DK> you can always just call that closure.

DK> Anybody care to tell me what the point of this exercise is actually
DK> supposed to be?

1) hide secrets so they are not printed when the auth-source return data
   structure is returned (as Daniel says below)

2) provide some abstraction for secrets so we can use something more
   secure when it's available in Emacs

On Wed, 30 Mar 2011 15:29:12 -0700 Daniel Colascione wrote:

DC> The idea is to prevent secrets being accidentally revealed in
DC> backtraces, lisp evaluation results, and so on.

DC> By the way: I didn't notice any secret erasure code in
DC> auth-source.el.  Shouldn't someone somewhere do something like this?  I
DC> didn't see anything in alloc.c that looks like it'd clear an object's
DC> bytes upon deallocation.

DC> (defun secure-erase-secret (my-secret)
DC>   (dotimes (i (length my-secret)) (setf (aref my-secret i) 0)))

password-cache.el does something like this in ELisp.  IMHO this should
be done by Emacs; the core should provide a way to tag strings as
"secret" so they are wiped on deallocation.  I think this property
should propagate when the string is copied.  We can probably simulate
some of this with closures but I think it would be 100 times cleaner at
the C level.  That way the consumer doesn't have to wipe the secret,
just release it (but he should still be able to trigger the wipe
explicitly if he knows he's done with the secret).  Also the strings
can then be stored in an encoded representation so it's not trivial to
find them in memory.

Ted
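The two ideas discussed in this message, written out as an added example that is not code from auth-source.el, password-cache.el or the lexbind branch: Stefan's uninterned-symbol closure next to a naive closure that captures the string directly, a check that compares what each one prints as, and the in-place wipe that Daniel and Ted describe, together with the caveat about copies. All `demo-` names are hypothetical, and the snippet assumes Emacs 24 or later with lexical binding enabled via the file-local cookie.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example for the discussion above.  Not code from auth-source.el,
;; password-cache.el or the lexbind branch; every `demo-' name is
;; hypothetical.  Evaluate or byte-compile with lexical-binding enabled.

(defun demo-naive-accessor (secret)
  "Return a closure that captures SECRET directly.
Under lexical binding the printed form of this closure carries the
captured value, so it leaks through `prin1', `message' and backtraces."
  (lambda () secret))

(defun demo-make-secret-accessor (secret)
  "Return a closure that yields SECRET through an uninterned symbol.
The closure captures only the symbol, whose printed form is its name,
so the value stays out of printed output while `funcall' still works.
This is display hygiene only: anyone who can evaluate Lisp in the
session can still call the closure or read the symbol's value cell."
  (let ((data (let ((sym (make-symbol "secret")))
                (set sym secret)
                sym)))
    (lambda () (symbol-value data))))

(defun demo-printed-form-leaks-p (accessor secret)
  "Return non-nil if SECRET occurs verbatim in the printed form of ACCESSOR.
Plain substring check on `prin1-to-string' output; a secret containing
characters that `prin1' escapes (newline, double quote) would need to
be compared in its escaped form instead."
  (and (string-match-p (regexp-quote secret) (prin1-to-string accessor))
       t))

(defun demo-wipe-string (str)
  "Overwrite every character of STR in place with NUL and return STR.
Only this object is cleared: copies made earlier by `concat',
`substring' or `copy-sequence' keep the old contents, and the garbage
collector does not wipe anything on its own."
  (fillarray str 0))

(defun demo-wipe-accessor (accessor)
  "Wipe the secret held by ACCESSOR, a closure from `demo-make-secret-accessor'.
The closure returns the stored string object itself, not a copy, so
clearing that object clears what the closure returns from now on.
Pass the accessor a freshly built string (as `read-passwd' does), never
a literal, since wiping a literal mutates a shared constant."
  (demo-wipe-string (funcall accessor)))

;; Usage, e.g. from *scratch* after loading this file:
;;
;;   (let ((naive  (demo-naive-accessor "hunter2"))
;;         (hidden (demo-make-secret-accessor (copy-sequence "hunter2"))))
;;     (list (demo-printed-form-leaks-p naive  "hunter2")
;;           (demo-printed-form-leaks-p hidden "hunter2")
;;           (funcall hidden)
;;           (progn (demo-wipe-accessor hidden)
;;                  (string-equal (funcall hidden) "hunter2"))))
```

The first element of that list is the leak the thread is about: the naive closure prints with the password inside it. The second is what Stefan's construction buys: the uninterned symbol prints as its name, not its value, yet `(funcall hidden)` still returns the password. The last element shows the explicit wipe Ted wants the consumer to be able to trigger: after `demo-wipe-accessor` the accessor no longer returns the original string. As David Kastrup points out, none of this stops code that can call the closure; and as Daniel's question implies, nothing in the allocator clears the bytes when the string is freed, so any copy that escaped before the wipe stays in memory until it is overwritten.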