realm / realm-core / jorgen.edelbo_334

/*************************************************************************

 *

 * Copyright 2016 Realm Inc.

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 * http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 *

 **************************************************************************/

#include <realm/util/encrypted_file_mapping.hpp>

#include <realm/util/backtrace.hpp>

#include <realm/util/file_mapper.hpp>

#include <sstream>

#if REALM_ENABLE_ENCRYPTION

#include <realm/util/aes_cryptor.hpp>

#include <realm/util/errno.hpp>

#include <realm/util/sha_crypto.hpp>

#include <realm/util/terminate.hpp>

#include <realm/utilities.hpp>

#include <algorithm>

#include <array>

#include <chrono>

#include <cstdlib>

#include <cstring>

#include <iostream>

#include <string_view>

#include <thread>

#ifdef REALM_DEBUG

#include <cstdio>

#endif

#if defined(_WIN32)

#include <Windows.h>

#include <bcrypt.h>

#pragma comment(lib, "bcrypt.lib")

#else

#include <sys/mman.h>

#include <unistd.h>

#endif

namespace realm::util {

// When Realm's file encryption was originally designed, we had the constraint

// that all encryption and decryption had to happen in aligned system page size

// sized blocks due to the use of signal handlers to lazily decrypt data and

// track where writes occurrs. This is no longer the case, but may still help

// explain why the file layout looks the way it does.

//

// Encryption is performed on 4096 byte data pages. Each group of 64 data pages

// is arranged into a "block", which has a 4096 byte header containing the IVs

// and HMACs for the following pages. Each page has *two* IVs and HMACs stored.

// iv2/hmac2 contain the values which were last used to successfully decrypt

// the page, while iv1/hmac1 is the values which were used to last encrypt the

// page.

//

// Writing new encrypted data has the following steps:

//

// 1. Copy iv1/hmac1 to iv2/hmac2 in the IVTable

// 2. Increment iv1

// 3. Encrypt the page in memory

// 4. Compute the hmac for the new encrypted data.

// 5. If the hmac matches the previous hmac, goto 2 (this will not ever actually happen)

// 6. Write the new IVTable for the page.

// 7. fsync() (or F_BARRIERFSYNC on Apple)

// 8. Write the new encrypted data

//

// If we are interrupted before #6, no i/o has happened and the data on disk is

// fine. If we are interrupted between #6 and #8, then when we next try to read

// the page the hmac check using hmac1 will fail, but the check using hmac2

// will succeed and we will be able to read the old data. We then copy

// iv2/hmac2 back to the active fields and continue as normal.

//

// This scheme breaks if we have a partial write of the 4k page. This is

// impossible with SSDs, which can only write in their atomic block size, and

// it would be extremely unusual for that to be smaller than 4k. It may be a

// problem when running on HDDs, though.

//

// Reading from an encrypted file is done by creating a mapping and then

// calling `read_barrier(addr, size)` to mark the section of the mapping which

// needs to be populated. This decrypts each of the pages which cover that

// range and places the plaintext into memory. If any of the pages were already

// decrypted, this is a no-op that skips reading anything and just assumes that

// the data was up-to-date.

//

// Writing is done with `read_barrier(addr, size, true)` before performing any

// writes to mark the range as writeable, and then `write_barrier(addr, size)`

// to mark bytes which were actually written to. `write_barrier()` eagerly

// copies all of the written bytes to any other active mappings on the same

// file which have those pages decrypted in memory. This is spooky

// threading-wise, and is only made safe by Realm's MVCC semantics - if we're

// writing to a section of the file we know that no one can be legally reading

// those exact bytes, and we must be writing to different bytes in the same

// page. This copying makes it so that we never have to recheck the disk; once

// we have read and decrypted a page for a mapping, that page is forevermore

// valid and up-to-date.

//

// All dirty data is kept buffered in memory until `flush()` is called.

//

// In multi-process scenarios (or just multiple File instances for a single

// file in a single process, which doesn't happen when using the public API

// normally), eagerly keeping decrypted pages up to date is impossible, and we

// sometimes need to recheck the disk. Here we once again take advantage of

// Realm being MVCC with discrete points where we may need to see newer

// versions of the data on disk. When the reader view is updated, if there have

// been any external writes to the file SlabAlloc calls

// `mark_pages_for_iv_check()`, which puts all up-to-date pages into a

// potentially-stale state. The next time each page is accessed, we reread the

// IVTable for that page. If it's the same as the IVTable for the plaintext we

// have in memory then the page is marked as being up-to-date, and if it's

// different we reread the page.

//

// Another source of complexity in multiprocess scenarios is that while we

// assume that the actual i/o is atomic in 4k chunks, writing to the in-memory

// buffers is distinctly not atomic. One process reading from a memory mapping

// while another process is writing to that position in the file can see

// incomplete writes. Rather than doing page-level locking, we assume that this

// will be very rare and perform optimistic unlocked reads. If decryption fails

// and we are in a potentially-multiprocess scenario we retry the read several

// times before reporting an error.

struct IVTable {

    uint32_t iv1 = 0;

    std::array<uint8_t, 28> hmac1 = {};

    uint32_t iv2 = 0;

    std::array<uint8_t, 28> hmac2 = {};

    bool operator==(const IVTable& other) const

    bool operator!=(const IVTable& other) const

};

// We read this via memcpy and need it to be packed

static_assert(sizeof(IVTable) == 64);

namespace {

constexpr uint8_t aes_block_size = 16;

constexpr uint16_t encryption_page_size = 4096;

constexpr uint8_t metadata_size = sizeof(IVTable);

constexpr uint8_t pages_per_block = encryption_page_size / metadata_size;

static_assert(metadata_size == 64,

              "changing the size of the metadata breaks compatibility with existing Realm files");

using SizeType = File::SizeType;

template <typename To, typename From>

To checked_cast(From from)

{

    To to;

    if (REALM_UNLIKELY(int_cast_with_overflow_detect(from, to))) {

        throw MaximumFileSizeExceeded(util::format("File size %1 is larger than can be represented", from));

    }

    return to;

}

// Overflows when converting from file positions (always 64-bits) to size_t

// (sometimes 32-bits) should all be caught by set_file_size()

template <typename To, typename From>

constexpr To assert_cast(From from)

// Index of page which contains `data_pos`

constexpr size_t page_index(SizeType data_pos) noexcept

// Number of pages required to store `size` bytes

constexpr size_t page_count(SizeType size) noexcept

// Index of the metadata block which contains `data_pos`

constexpr size_t block_index(SizeType data_pos) noexcept

// Number of metadata blocks required to store `size` bytes

constexpr size_t block_count(SizeType data_size) noexcept

// map an offset in the data to the actual location in the file

SizeType data_pos_to_file_pos(SizeType data_pos)

// map a location in the file to the offset in the data

SizeType file_pos_to_data_pos(SizeType file_pos)

// get the location of the IVTable for the given data (not file) position

SizeType iv_table_pos(SizeType data_pos)

// get the file location of the IVTable block for the given data (not file) position

SizeType iv_table_block_pos(SizeType data_pos)

constexpr size_t iv_table_size(SizeType data_pos)

// not actually checked any more

size_t check_read(FileDesc fd, SizeType pos, void* dst)

// first block is iv data, second page is data

static_assert(c_min_encrypted_file_size == 2 * encryption_page_size,

              "chaging the block size breaks encrypted file portability");

template <class T, size_t N, std::size_t... I>

constexpr std::array<T, N> to_array_impl(const T* ptr, std::index_sequence<I...>)

template <class T, size_t N>

constexpr auto to_array(const T* ptr)

void memcpy_if_changed(void* dst, const void* src, size_t n)

#if REALM_SANITIZE_THREAD

    // Because our copying is page-level granularity, we have some benign races

    // where the byte ranges in each page that weren't modified get overwritten

    // with the same values as they already had. TSan correctly reports this as

    // a data race, so when using TSan do (much slower) byte-level checking for

    // modifications and only write the ones which changed. Unlike suppressing

    // the warning entirely, this will still produce tsan errors if we actually

    // change any bytes that another thread is reading.

    auto dst_2 = static_cast<char*>(dst);

    auto src_2 = static_cast<const char*>(src);

    for (size_t i = 0; i < n; ++i) {

        if (dst_2[i] != src_2[i])

            dst_2[i] = src_2[i];

    }

#else

} // anonymous namespace

AESCryptor::AESCryptor(const char* key)

    // A random iv is passed to CCCryptorReset. This iv is *not used* by Realm; we set it manually prior to

    // each call to BCryptEncrypt() and BCryptDecrypt(). We pass this random iv as an attempt to

    // suppress a false encryption security warning from the IBM Bluemix Security Analyzer (PR[#2911])

#elif defined(_WIN32)

    BCRYPT_ALG_HANDLE hAesAlg = NULL;

    int ret;

    ret = BCryptOpenAlgorithmProvider(&hAesAlg, BCRYPT_AES_ALGORITHM, NULL, 0);

    REALM_ASSERT_RELEASE_EX(ret == 0 && "BCryptOpenAlgorithmProvider()", ret);

    ret = BCryptSetProperty(hAesAlg, BCRYPT_CHAINING_MODE, (PBYTE)BCRYPT_CHAIN_MODE_CBC,

                            sizeof(BCRYPT_CHAIN_MODE_CBC), 0);

    REALM_ASSERT_RELEASE_EX(ret == 0 && "BCryptSetProperty()", ret);

    ret = BCryptGenerateSymmetricKey(hAesAlg, &m_aes_key_handle, nullptr, 0, (PBYTE)key, 32, 0);

    REALM_ASSERT_RELEASE_EX(ret == 0 && "BCryptGenerateSymmetricKey()", ret);

#else

        handle_error();

AESCryptor::~AESCryptor() noexcept

#elif defined(_WIN32)

#else

void AESCryptor::handle_error()

void AESCryptor::set_data_size(SizeType new_data_size)

IVTable& AESCryptor::get_iv_table(FileDesc fd, SizeType data_pos, IVLookupMode mode) noexcept

// We always read an entire block of IVTables at a time rather than just the

// one we need as it's likely to take about the same amount of time up front

// and greatly reduce the total number of read calls we have to make

void AESCryptor::read_iv_block(FileDesc fd, SizeType data_pos)

void AESCryptor::calculate_hmac(Hmac& hmac) const

bool AESCryptor::constant_time_equals(const Hmac& a, const Hmac& b) const

    // Constant-time memcmp to avoid timing attacks

bool AESCryptor::refresh_iv(FileDesc fd, size_t page_ndx)

void AESCryptor::invalidate_ivs() noexcept

AESCryptor::ReadResult AESCryptor::read(FileDesc fd, SizeType pos, char* dst, WriteObserver* observer)

    // We're in a single-process scenario (or other processes are only reading),

    // so we can trust our in-memory caches and never need to retry

    // There's another process which might be trying to write to the file while

    // we're reading from it, which means that we might see invalid data due to

    // data races. When this happens we need to retry the read, and only throw

    // an error if the data either hasn't changed after the timeout has expired

    // or if we're in a reader starvation scenario where the writer is producing

    // new data faster than we can consume it.

                // Consistent and valid states that may or may not actually have data

                // Inconsistent states which may change if we retry

        // Check if we've timed out, but always retry at least once in case

        // we got suspended while another process was writing or something

            // std::cerr << std::endl << "*Timeout: " << str << std::endl;

        // don't wait on the first retry as we want to optimize the case where the first read

        // from the iv table cache didn't validate and we are fetching the iv block from disk for the first time

            // don't retry right away if there are potentially other external writers

AESCryptor::ReadResult AESCryptor::attempt_read(FileDesc fd, SizeType pos, char* dst, IVLookupMode iv_mode,

                                                uint32_t& iv_out, Hmac& hmac)

        // Either the DB is corrupted or we were interrupted between writing the

        // new IV and writing the data

            // Un-bump the IV since the write with the bumped IV never actually

            // happened

            // If the file has been shrunk and then re-expanded, we may have

            // old hmacs that don't go with this data. ftruncate() is

            // required to fill any added space with zeroes, so assume that's

            // what happened if the buffer is all zeroes

    // We may expect some address ranges of the destination buffer of

    // AESCryptor::read() to stay unmodified, i.e. being overwritten with

    // the same bytes as already present, and may have read-access to these

    // from other threads while decryption is taking place.

    //

    // However, some implementations of AES_cbc_encrypt(), in particular

    // OpenSSL, will put garbled bytes as an intermediate step during the

    // operation which will lead to incorrect data being read by other

    // readers concurrently accessing that page. Incorrect data leads to

    // crashes.

    //

    // We therefore decrypt to a temporary buffer first and then copy the

    // completely decrypted data after.

void AESCryptor::try_read_block(FileDesc fd, SizeType pos, char* dst) noexcept

void AESCryptor::write(FileDesc fd, SizeType pos, const char* src, WriteMarker* marker) noexcept

        // 0 is reserved for never-been-used, so bump if we just wrapped around

        // In the extremely unlikely case that both the old and new versions have

        // the same hash we won't know which IV to use, so bump the IV until

        // they're different.

    // FIXME: doesn't this need a barrier? The IV table is very likely to

    // make it to disk first due to being issued first and being earlier in

    // the file, but not guaranteed

void AESCryptor::crypt(EncryptionMode mode, SizeType pos, char* dst, const char* src, const char* stored_iv) noexcept

#elif defined(_WIN32)

    ULONG cbData;

    int i;

    if (mode == mode_Encrypt) {

        i = BCryptEncrypt(m_aes_key_handle, (PUCHAR)src, encryption_page_size, nullptr, (PUCHAR)iv, sizeof(iv),

                          (PUCHAR)dst, encryption_page_size, &cbData, 0);

        REALM_ASSERT_RELEASE_EX(i == 0 && "BCryptEncrypt()", i);

        REALM_ASSERT_RELEASE_EX(cbData == encryption_page_size && "BCryptEncrypt()", cbData);

    }

    else if (mode == mode_Decrypt) {

        i = BCryptDecrypt(m_aes_key_handle, (PUCHAR)src, encryption_page_size, nullptr, (PUCHAR)iv, sizeof(iv),

                          (PUCHAR)dst, encryption_page_size, &cbData, 0);

        REALM_ASSERT_RELEASE_EX(i == 0 && "BCryptDecrypt()", i);

        REALM_ASSERT_RELEASE_EX(cbData == encryption_page_size && "BCryptDecrypt()", cbData);

    }

    else {

        REALM_UNREACHABLE();

    }

#else

        handle_error();

    // Use zero padding - we always write a whole page

        handle_error();

    // Finalize the encryption. Should not output further data.

        handle_error();

EncryptedFile::EncryptedFile(const char* key, FileDesc fd)

std::unique_ptr<EncryptedFileMapping> EncryptedFile::add_mapping(SizeType file_offset, void* addr, size_t size,

                                                                 File::AccessMode access)

EncryptedFileMapping::EncryptedFileMapping(EncryptedFile& file, SizeType file_offset, void* addr, size_t size,

                                           File::AccessMode access, util::WriteObserver* observer,

                                           util::WriteMarker* marker)

#ifdef REALM_DEBUG

#endif

EncryptedFileMapping::~EncryptedFileMapping()

// offset within page, not within file

uint16_t EncryptedFileMapping::get_offset_of_address(const void* addr) const noexcept

size_t EncryptedFileMapping::get_local_index_of_address(const void* addr, size_t offset) const noexcept

bool EncryptedFileMapping::contains_page(size_t block_in_file) const noexcept

char* EncryptedFileMapping::page_addr(size_t local_ndx) const noexcept

SizeType EncryptedFileMapping::page_pos(size_t local_ndx) const noexcept

// If we have multiple mappings for the same part of the file, one of them may

// already contain the page we're about to read and if so we can skip reading

// it and instead just memcpy it.

bool EncryptedFileMapping::copy_up_to_date_page(size_t local_ndx) noexcept

    // Precondition: this method must never be called for a page which

    // is already up to date.

// Whenever we advance our reader view of the file we mark all previously

// up-to-date pages as being possibly stale. On the next access of the page we

// then check if the IV for that page has changed to determine if the page has

// actually changed or if we can just mark it as being up-to-date again.

bool EncryptedFileMapping::check_possibly_stale_page(size_t local_ndx) noexcept

    // Update the page state in all mappings and not just the current one because

    // refresh_iv() only returns true once per page per write. Deferring this

    // until copy_up_to_date_page() almost works, but this mapping could be

    // removed before the other mapping copies the page.

REALM_NORETURN

REALM_COLD

void EncryptedFileMapping::throw_decryption_error(size_t local_ndx, std::string_view msg)

void EncryptedFileMapping::refresh_page(size_t local_ndx, bool to_modify)

void EncryptedFile::mark_data_as_possibly_stale()

void EncryptedFileMapping::mark_pages_for_iv_check()

void EncryptedFileMapping::write_and_update_all(size_t local_ndx, uint16_t offset, uint16_t size) noexcept

    // Go through all other mappings of this file and copy changes into those mappings

        // If the target page is possibly stale then we need to copy the entire

        // page and not just the bytes we just touched as other parts of the

        // page may be out of date

void EncryptedFileMapping::validate_page(size_t local_ndx) noexcept

        REALM_TERMINATE("");

#else

    static_cast<void>(local_ndx);

#endif

void EncryptedFileMapping::validate() noexcept

void EncryptedFileMapping::do_flush(bool skip_validate) noexcept