Skip to content

Commit

Permalink
Improve zeroization of key buffer
Browse files Browse the repository at this point in the history
  • Loading branch information
AaronFeickert committed Sep 20, 2024
1 parent 88537a8 commit 6b5cb25
Showing 1 changed file with 8 additions and 9 deletions.
17 changes: 8 additions & 9 deletions crates/bitwarden-crypto/src/keys/shareable_key.rs
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ use std::pin::Pin;
use aes::cipher::typenum::U64;
use generic_array::GenericArray;
use hmac::Mac;
use zeroize::{Zeroize, Zeroizing};
use zeroize::Zeroizing;

use crate::{
keys::SymmetricCryptoKey,
Expand All @@ -20,18 +20,17 @@ pub fn derive_shareable_key(
info: Option<&str>,
) -> SymmetricCryptoKey {
// Because all inputs are fixed size, we can unwrap all errors here without issue
let mut res = PbkdfSha256Hmac::new_from_slice(format!("bitwarden-{}", name).as_bytes())
.expect("hmac new_from_slice should not fail")
.chain_update(secret)
.finalize()
.into_bytes();
let res = Zeroizing::new(
PbkdfSha256Hmac::new_from_slice(format!("bitwarden-{}", name).as_bytes())
.expect("hmac new_from_slice should not fail")
.chain_update(secret)
.finalize()
.into_bytes(),
);

let mut key: Pin<Box<GenericArray<u8, U64>>> =
hkdf_expand(&res, info).expect("Input is a valid size");

// Zeroize the temporary buffer
res.zeroize();

SymmetricCryptoKey::try_from(key.as_mut_slice()).expect("Key is a valid size")
}

Expand Down

0 comments on commit 6b5cb25

Please sign in to comment.