
Improve zeroization of key buffer #1069

Merged (1 commit, Sep 23, 2024)

Conversation

@AaronFeickert (Contributor) commented Sep 19, 2024

🎟️ Tracking

None.

📔 Objective

Currently, the temporary buffer used for deriving shareable keys is manually zeroized. While documentation indicates that preceding expect calls cannot fail, this still seems brittle to future changes.

This PR places the buffer into a Zeroizing wrapper. It is still the case that zeroization may not occur on a panic, but this was already the case with the existing implementation, which would never zeroize in such a case.

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Protected functional changes with optionality (feature flags)
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

  • 👍 (:+1:) or similar for great changes
  • 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
  • ❓ (:question:) for questions
  • 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
  • 🎨 (:art:) for suggestions / improvements
  • ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
  • 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
  • ⛏ (:pick:) for minor or nitpick changes
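The brittleness the objective describes, as an added Rust example that is not code from this PR or from the Bitwarden SDK: a hand-written stand-in for zeroize::Zeroizing (named Zeroizing here, hypothetical) next to a constructed derivation whose final conversion can fail, so the manually zeroized version leaves secret bytes in the scratch buffer on the error path while the wrapped version clears them on every exit path. The expand step, the key_len parameter and the 32-byte caller-supplied scratch buffer are all constructed for this example.

```rust
use std::convert::TryInto;
use std::ops::{Deref, DerefMut};
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};
/// Hypothetical stand-in for `zeroize::Zeroizing`: the wrapped bytes are overwritten
/// with zeros when the wrapper is dropped, on every exit path (return, `?`, unwind).
pub struct Zeroizing<T: AsMut<[u8]>>(T);
impl<T: AsMut<[u8]>> Zeroizing<T> { pub fn new(inner: T) -> Self { Zeroizing(inner) } }
impl<T: AsMut<[u8]>> Deref for Zeroizing<T> {
    type Target = T;
    fn deref(&self) -> &T { &self.0 }
}
impl<T: AsMut<[u8]>> DerefMut for Zeroizing<T> {
    fn deref_mut(&mut self) -> &mut T { &mut self.0 }
}
impl<T: AsMut<[u8]>> Drop for Zeroizing<T> {
    fn drop(&mut self) {
        for b in self.0.as_mut().iter_mut() {
            // volatile store: the optimizer may not elide a write to memory it considers dead
            unsafe { ptr::write_volatile(b as *mut u8, 0) };
        }
        compiler_fence(Ordering::SeqCst);
    }
}

/// Constructed stand-in for the expand step: fills `out` with material derived from `ikm`.
fn expand_into(ikm: &[u8], out: &mut [u8]) {
    for (i, o) in out.iter_mut().enumerate() {
        *o = ikm[i % ikm.len()] ^ (i as u8);
    }
}

/// Before: manual zeroization, which the `?` early returns skip entirely.
pub fn derive_manual(ikm: &[u8], key_len: usize, scratch: &mut [u8; 32]) -> Result<[u8; 16], &'static str> {
    expand_into(ikm, scratch); // scratch now holds secret material
    let key: [u8; 16] = scratch.get(..key_len).ok_or("length exceeds buffer")?
        .try_into().map_err(|_| "key must be 16 bytes")?;
    scratch.fill(0); // only reached on the happy path
    Ok(key)
}

/// After: the guard's Drop runs however the function exits, so scratch is always cleared.
pub fn derive_guarded(ikm: &[u8], key_len: usize, scratch: &mut [u8; 32]) -> Result<[u8; 16], &'static str> {
    let mut buf = Zeroizing::new(scratch);
    expand_into(ikm, &mut buf[..]);
    let key: [u8; 16] = buf.get(..key_len).ok_or("length exceeds buffer")?
        .try_into().map_err(|_| "key must be 16 bytes")?;
    Ok(key)
}
```

As the objective notes, a panic that aborts rather than unwinds still skips Drop, so the wrapper narrows the window rather than closing it.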

CLAassistant commented Sep 19, 2024

CLA assistant check
All committers have signed the CLA.

@AaronFeickert force-pushed the zeroizing branch 2 times, most recently from 66f20bd to 40b3b4a, September 19, 2024 15:27

codecov bot commented Sep 20, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 58.11%. Comparing base (eeda462) to head (a779aed).
Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1069      +/-   ##
==========================================
- Coverage   58.12%   58.11%   -0.01%     
==========================================
  Files         197      197              
  Lines       13532    13531       -1     
==========================================
- Hits         7865     7864       -1     
  Misses       5667     5667              


@Hinton (Member) left a comment

Hi @AaronFeickert,

This change looks reasonable; I think the only disadvantage is that it's slightly less obvious that res is mutated.

Since we wrote this code we've also implemented our own Allocator which zeros on dealloc, which should act as an additional guard against sensitive memory being leaked.

Can you please run cargo +nightly fmt to make the formatter happy?

@AaronFeickert (Contributor, Author) replied

@Hinton sorry about that! I had run the formatter locally, but must have forgotten to push it. It's now passing formatting and has been rebased.

@Hinton (Member) left a comment

LGTM, thanks for the improvement.

@Hinton Hinton merged commit 7ff270d into bitwarden:main Sep 23, 2024
93 of 98 checks passed
@AaronFeickert AaronFeickert deleted the zeroizing branch September 23, 2024 13:10