]>
Dogcows Code - chaz/p5-File-KDBX/blob - lib/File/KDBX/Safe.pm
1 package File
::KDBX
::Safe
;
2 # ABSTRACT: Keep strings encrypted while in memory
7 use Crypt
::PRNG
qw(random_bytes);
8 use Devel
::GlobalDestruction
;
9 use Encode
qw(encode decode);
10 use File
::KDBX
::Constants
qw(:random_stream);
11 use File
::KDBX
::Error
;
12 use File
::KDBX
::Util
qw(erase erase_scoped);
13 use Ref
::Util
qw(is_arrayref is_coderef is_hashref is_scalarref);
14 use Scalar
::Util
qw(refaddr);
17 our $VERSION = '0.906'; # VERSION
22 my %args = @_ % 2 == 0 ? @_ : (strings
=> shift, @_);
24 if (!$args{cipher
} && $args{key
}) {
25 require File
::KDBX
::Cipher
;
26 $args{cipher
} = File
::KDBX
::Cipher-
>new(stream_id
=> STREAM_ID_CHACHA20
, key
=> $args{key
});
29 my $self = bless \
%args, $class;
30 $self->cipher->finish;
33 my $strings = delete $args{strings
};
36 $self->add($strings) if $strings;
41 sub DESTROY
{ local ($., $@, $!, $^E, $?); !in_global_destruction
and $_[0]->unlock }
53 sub lock { shift-
>add(@_) }
57 my @strings = map { is_arrayref
($_) ? @$_ : $_ } @_;
59 @strings or throw
'Must provide strings to lock';
61 my $cipher = $self->cipher;
63 for my $string (@strings) {
64 my $item = {str
=> $string, off
=> $self->{counter
}};
65 if (is_scalarref
($string)) {
66 next if !defined $$string;
67 $item->{enc
} = 'UTF-8' if utf8
::is_utf8
($$string);
68 if (my $encoding = $item->{enc
}) {
69 my $encoded = encode
($encoding, $$string);
70 $item->{val
} = $cipher->crypt(\
$encoded);
74 $item->{val
} = $cipher->crypt($string);
78 elsif (is_hashref
($string)) {
79 next if !defined $string->{value
};
80 $item->{enc
} = 'UTF-8' if utf8
::is_utf8
($string->{value
});
81 if (my $encoding = $item->{enc
}) {
82 my $encoded = encode
($encoding, $string->{value
});
83 $item->{val
} = $cipher->crypt(\
$encoded);
87 $item->{val
} = $cipher->crypt(\
$string->{value
});
89 erase \
$string->{value
};
92 throw
'Safe strings must be a hashref or stringref', type
=> ref $string;
94 push @{$self->{items
}}, $item;
95 $self->{index}{refaddr
($string)} = $item;
96 $self->{counter
} += length($item->{val
});
103 sub lock_protected
{ shift-
>add_protected(@_) }
107 my $filter = is_coderef
($_[0]) ? shift : undef;
108 my @strings = map { is_arrayref
($_) ? @$_ : $_ } @_;
110 @strings or throw
'Must provide strings to lock';
112 for my $string (@strings) {
113 my $item = {str
=> $string, off
=> $self->{counter
}};
114 $item->{filter
} = $filter if defined $filter;
115 if (is_scalarref
($string)) {
116 next if !defined $$string;
117 $item->{val
} = $$string;
120 elsif (is_hashref
($string)) {
121 next if !defined $string->{value
};
122 $item->{val
} = $string->{value
};
123 erase \
$string->{value
};
126 throw
'Safe strings must be a hashref or stringref', type
=> ref $string;
128 push @{$self->{items
}}, $item;
129 $self->{index}{refaddr
($string)} = $item;
130 $self->{counter
} += length($item->{val
});
140 my $cipher = $self->cipher;
142 $self->{counter
} = 0;
144 for my $item (@{$self->{items
}}) {
145 my $string = $item->{str
};
146 my $cleanup = erase_scoped \
$item->{val
};
148 if (is_scalarref
($string)) {
149 $$string = $cipher->crypt(\
$item->{val
});
150 if (my $encoding = $item->{enc
}) {
151 my $decoded = decode
($encoding, $string->{value
});
157 elsif (is_hashref
($string)) {
158 $string->{value
} = $cipher->crypt(\
$item->{val
});
159 if (my $encoding = $item->{enc
}) {
160 my $decoded = decode
($encoding, $string->{value
});
161 erase \
$string->{value
};
162 $string->{value
} = $decoded;
164 $str_ref = \
$string->{value
};
169 if (my $filter = $item->{filter
}) {
170 my $filtered = $filter->($$str_ref);
172 $$str_ref = $filtered;
184 my $item = $self->{index}{refaddr
($string)} // return;
186 my $cipher = $self->cipher->dup(offset
=> $item->{off
});
188 my $value = $cipher->crypt(\
$item->{val
});
189 if (my $encoding = $item->{enc
}) {
190 my $decoded = decode
($encoding, $value);
200 $self->{cipher
} //= do {
201 require File
::KDBX
::Cipher
;
202 File
::KDBX
::Cipher-
>new(stream_id
=> STREAM_ID_CHACHA20
, key
=> random_bytes
(64));
216 File::KDBX::Safe - Keep strings encrypted while in memory
224 use File::KDBX::Safe;
226 $safe = File::KDBX::Safe->new;
228 my $msg = 'Secret text';
230 # $msg is now undef, the original message no longer in RAM
232 my $obj = { value => 'Also secret' };
234 # $obj is now { value => undef }
236 say $safe->peek($msg); # Secret text
239 say $msg; # Secret text
240 say $obj->{value}; # Also secret
244 This module provides memory protection functionality. It keeps strings encrypted in memory and decrypts them
245 as-needed. Encryption and decryption is done using a L<File::KDBX::Cipher::Stream>.
247 A safe can protect one or more (possibly many) strings. When a string is added to a safe, it gets added to an
248 internal list so it will be decrypted when the entire safe is unlocked.
254 $cipher = $safe->cipher;
256 Get the L<File::KDBX::Cipher::Stream> protecting a safe.
262 $safe = File::KDBX::Safe->new(%attributes);
263 $safe = File::KDBX::Safe->new(\@strings, %attributes);
265 Create a new safe for storing secret strings encrypted in memory.
267 If a cipher is passed, its stream will be reset.
271 $safe = $safe->clear;
273 Clear a safe, removing all store contents permanently. Returns itself to allow method chaining.
279 $safe = $safe->lock(@strings);
280 $safe = $safe->lock(\@strings);
282 Add one or more strings to the memory protection stream. Returns itself to allow method chaining.
284 =head2 lock_protected
288 $safe = $safe->lock_protected(@strings);
289 $safe = $safe->lock_protected(\@strings);
291 Add strings that are already encrypted. Returns itself to allow method chaining.
293 B<WARNING:> The cipher must be the same as was used to originally encrypt the strings. You must add
294 already-encrypted strings in the order in which they were original encrypted or they will not decrypt
295 correctly. You almost certainly do not want to add both unprotected and protected strings to a safe.
299 $safe = $safe->unlock;
301 Decrypt all the strings. Each stored string is set to its original value, potentially overwriting any value
302 that might have been set after locking the string (so you probably should avoid modification to strings while
303 locked). The safe is implicitly cleared. Returns itself to allow method chaining.
305 This happens automatically when the safe is garbage-collected.
309 $string_value = $safe->peek($string);
313 Peek into the safe at a particular string without decrypting the whole safe. A copy of the string is returned,
314 and in order to ensure integrity of the memory protection you should erase the copy when you're done.
316 Returns C<undef> if the given C<$string> is not in memory protection.
320 Please report any bugs or feature requests on the bugtracker website
321 L<https://github.com/chazmcgarvey/File-KDBX/issues>
323 When submitting a bug or request, please include a test-file or a
324 patch to an existing test-file that illustrates the bug or desired
329 Charles McGarvey <ccm@cpan.org>
331 =head1 COPYRIGHT AND LICENSE
333 This software is copyright (c) 2022 by Charles McGarvey.
335 This is free software; you can redistribute it and/or modify it under
336 the same terms as the Perl 5 programming language system itself.
This page took 0.049909 seconds and 4 git commands to generate.