From 6b5cb251f86c58788810f7ae0fd39c73a21df65e Mon Sep 17 00:00:00 2001
From: Aaron Feickert <66188213+AaronFeickert@users.noreply.github.com>
Date: Wed, 18 Sep 2024 22:09:45 -0500
Subject: [PATCH] Improve zeroization of key buffer
---
 .../bitwarden-crypto/src/keys/shareable_key.rs | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/crates/bitwarden-crypto/src/keys/shareable_key.rs b/crates/bitwarden-crypto/src/keys/shareable_key.rs
index 556432aeab..c6a44405cf 100644
--- a/crates/bitwarden-crypto/src/keys/shareable_key.rs
+++ b/crates/bitwarden-crypto/src/keys/shareable_key.rs
@@ -3,7 +3,7 @@ use std::pin::Pin;
 use aes::cipher::typenum::U64;
 use generic_array::GenericArray;
 use hmac::Mac;
-use zeroize::{Zeroize, Zeroizing};
+use zeroize::Zeroizing;
 use crate::{
 keys::SymmetricCryptoKey,
@@ -20,18 +20,17 @@ pub fn derive_shareable_key(
 info: Option<&str>,
 ) -> SymmetricCryptoKey {
 // Because all inputs are fixed size, we can unwrap all errors here without issue
- let mut res = PbkdfSha256Hmac::new_from_slice(format!("bitwarden-{}", name).as_bytes())
- .expect("hmac new_from_slice should not fail")
- .chain_update(secret)
- .finalize()
- .into_bytes();
+ let res = Zeroizing::new(
+ PbkdfSha256Hmac::new_from_slice(format!("bitwarden-{}", name).as_bytes())
+ .expect("hmac new_from_slice should not fail")
+ .chain_update(secret)
+ .finalize()
+ .into_bytes(),
+ );
 let mut key: Pin>> =
 hkdf_expand(&res, info).expect("Input is a valid size");
- // Zeroize the temporary buffer
- res.zeroize();
-
 SymmetricCryptoKey::try_from(key.as_mut_slice()).expect("Key is a valid size")
 }
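Review bot: In the second hunk, nothing at `let res = Zeroizing::new(` says why the wrapper is there now that the explicit `// Zeroize the temporary buffer` comment has been removed, so a later refactor could unwrap it without noticing the loss. I would add a comment above that line, for example `// Held in Zeroizing so the HMAC output is wiped on drop, including when an expect below panics`. The same comment should say the wipe is best-effort: the bytes are moved into the wrapper from `.finalize().into_bytes()`, and the zeroize crate documents that moved-from stack copies are not guaranteed to be cleared. The signature of `derive_shareable_key` starts above the hunk, so how `secret` is typed and whether `key` is wiped after `try_from` cannot be confirmed from the lines shown.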