diff --git a/Cargo.toml b/Cargo.toml index cd8f7200..b246e70a 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -29,6 +29,7 @@ hex = "0.4" rand = "0.7" regex = "1.0" log = "0.4" +zeroize = { version = "1.1", features = ["zeroize_derive"] } # for "io_blocking" feature ws = { version = "0.9", optional = true } diff --git a/src/core/events.rs b/src/core/events.rs index b9c1c756..1c96c30e 100644 --- a/src/core/events.rs +++ b/src/core/events.rs @@ -10,6 +10,7 @@ use super::api::{APIAction, IOAction, Mood}; use super::timing::TimingLogEvent; use super::util::maybe_utf8; use crate::core::util::random_bytes; +use zeroize::Zeroize; pub use super::wordlist::Wordlist; @@ -23,7 +24,8 @@ impl<'a> From<&'a str> for AppID { } } -#[derive(PartialEq, Eq, Clone)] +#[derive(PartialEq, Eq, Clone, Zeroize)] +#[zeroize(drop)] pub struct Key(pub Vec); impl Deref for Key { type Target = Vec; diff --git a/src/core/receive.rs b/src/core/receive.rs index 212b2877..f17898ec 100644 --- a/src/core/receive.rs +++ b/src/core/receive.rs @@ -1,6 +1,8 @@ use super::events::{Events, Key, Phase, TheirSide}; use super::key; use log::trace; +use zeroize::Zeroize; + // we process these use super::events::ReceiveEvent; // we emit these @@ -104,8 +106,10 @@ impl ReceiveMachine { phase: &Phase, body: &[u8], ) -> Option> { - let data_key = key::derive_phase_key(&side, &key, &phase); - key::decrypt_data(&data_key, body) + let mut data_key = key::derive_phase_key(&side, &key, &phase); + let data = key::decrypt_data(&data_key, body); + data_key.zeroize(); + data } } diff --git a/src/core/send.rs b/src/core/send.rs index 3882db9d..59331238 100644 --- a/src/core/send.rs +++ b/src/core/send.rs @@ -1,6 +1,7 @@ use super::events::{Events, Key, MySide, Phase}; use super::key; use log::trace; +use zeroize::Zeroize; // we process these use super::events::SendEvent; // we emit these @@ -42,10 +43,11 @@ impl SendMachine { match event { GotVerifiedKey(ref key) => { for (phase, plaintext) in self.queue.drain(..) { - let data_key = + let mut data_key = key::derive_phase_key(&self.side, &key, &phase); let (_nonce, encrypted) = key::encrypt_data(&data_key, &plaintext); + data_key.zeroize(); actions.push(M_AddMessage(phase, encrypted)); } S1HaveVerifiedKey(key.clone()) @@ -61,10 +63,11 @@ impl SendMachine { S1HaveVerifiedKey(ref key) => match event { GotVerifiedKey(_) => panic!(), Send(phase, plaintext) => { - let data_key = + let mut data_key = key::derive_phase_key(&self.side, &key, &phase); let (_nonce, encrypted) = key::encrypt_data(&data_key, &plaintext); + data_key.zeroize(); actions.push(M_AddMessage(phase, encrypted)); S1HaveVerifiedKey(key.clone()) }