zeroize more stuff during runtime (#282)

- add zeroize features to some dependencies
- zeroize protobuf messages when they are dropped
This commit is contained in:
Carson McManus 2023-07-05 10:25:03 -04:00 committed by GitHub
parent df47ff1823
commit 7c985f62ff
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 49 additions and 25 deletions

3
Cargo.lock generated
View file

@ -38,6 +38,7 @@ dependencies = [
"cfg-if", "cfg-if",
"cipher 0.4.4", "cipher 0.4.4",
"cpufeatures", "cpufeatures",
"zeroize",
] ]
[[package]] [[package]]
@ -79,6 +80,7 @@ dependencies = [
"base64ct", "base64ct",
"blake2", "blake2",
"password-hash", "password-hash",
"zeroize",
] ]
[[package]] [[package]]
@ -449,6 +451,7 @@ checksum = "773f3b9af64447d2ce9850330c473515014aa235e6a783b02db81ff39e4a3dad"
dependencies = [ dependencies = [
"crypto-common", "crypto-common",
"inout", "inout",
"zeroize",
] ]
[[package]] [[package]]

View file

@ -51,7 +51,7 @@ lazy_static = "1.4.0"
uuid = { version = "0.8", features = ["v4"] } uuid = { version = "0.8", features = ["v4"] }
steamguard = { version = "^0.10.0", path = "./steamguard" } steamguard = { version = "^0.10.0", path = "./steamguard" }
dirs = "3.0.2" dirs = "3.0.2"
aes = "0.8.3" aes = { version = "0.8.3", features = ["zeroize"] }
thiserror = "1.0.26" thiserror = "1.0.26"
crossterm = { version = "0.23.2", features = ["event-stream"] } crossterm = { version = "0.23.2", features = ["event-stream"] }
qrcode = { version = "0.12.0", optional = true } qrcode = { version = "0.12.0", optional = true }
@ -61,10 +61,10 @@ zeroize = { version = "^1.6.0", features = ["std", "zeroize_derive"] }
serde_path_to_error = "0.1.11" serde_path_to_error = "0.1.11"
update-informer = { version = "1.0.0", optional = true, default-features = false, features = ["github"] } update-informer = { version = "1.0.0", optional = true, default-features = false, features = ["github"] }
phonenumber = "0.3" phonenumber = "0.3"
cbc = { version = "0.1.2", features = ["std"] } cbc = { version = "0.1.2", features = ["std", "zeroize"] }
inout = { version = "0.1.3", features = ["std"] } inout = { version = "0.1.3", features = ["std"] }
keyring = { version = "2.0.4", optional = true } keyring = { version = "2.0.4", optional = true }
argon2 = { version = "0.5.0", features = ["std"] } argon2 = { version = "0.5.0", features = ["std", "zeroize"] }
pbkdf2 = { version = "0.12.1", features = ["parallel"] } pbkdf2 = { version = "0.12.1", features = ["parallel"] }
sha1 = "0.10.5" sha1 = "0.10.5"
rayon = "1.7.0" rayon = "1.7.0"

View file

@ -1,6 +1,8 @@
use std::path::Path; use std::path::Path;
use std::path::PathBuf; use std::path::PathBuf;
use protobuf::descriptor::field_descriptor_proto::Type;
use protobuf::reflect::FieldDescriptor;
use protobuf::reflect::MessageDescriptor; use protobuf::reflect::MessageDescriptor;
use protobuf_codegen::Codegen; use protobuf_codegen::Codegen;
use protobuf_codegen::Customize; use protobuf_codegen::Customize;
@ -44,32 +46,29 @@ struct GenSerde;
impl CustomizeCallback for GenSerde { impl CustomizeCallback for GenSerde {
fn message(&self, _message: &MessageDescriptor) -> Customize { fn message(&self, _message: &MessageDescriptor) -> Customize {
// Customize::default().before("#[derive(::serde::Serialize, ::serde::Deserialize)]") Customize::default().before("#[derive(::zeroize::Zeroize, ::zeroize::ZeroizeOnDrop)]")
Customize::default() // Customize::default()
} }
fn enumeration(&self, _enum_type: &protobuf::reflect::EnumDescriptor) -> Customize { fn enumeration(&self, _enum_type: &protobuf::reflect::EnumDescriptor) -> Customize {
Customize::default().before("#[derive(::serde::Serialize, ::serde::Deserialize)]") Customize::default()
.before("#[derive(::serde::Serialize, ::serde::Deserialize, ::zeroize::Zeroize)]")
} }
// fn field(&self, field: &FieldDescriptor) -> Customize { fn field(&self, field: &FieldDescriptor) -> Customize {
// // if field.name() == "public_ip" { // if field.name() == "public_ip" {
// // eprintln!("type_name: {:?}", field.proto().type_name()); // eprintln!("type_name: {:?}", field.proto().type_name());
// // eprintln!("type_: {:?}", field.proto().type_()); // eprintln!("type_: {:?}", field.proto().type_());
// // eprintln!("{:?}", field.proto()); // eprintln!("{:?}", field.proto());
// // }
// if field.proto().type_() == Type::TYPE_ENUM {
// // `EnumOrUnknown` is not a part of rust-protobuf, so external serializer is needed.
// Customize::default().before(
// "#[serde(serialize_with = \"crate::protobufs::serialize_enum_or_unknown\", deserialize_with = \"crate::protobufs::deserialize_enum_or_unknown\")]")
// // } else if field.name() == "public_ip" {
// // Customize::default().before("#[serde(with = \"crate::protobufs::MessageFieldDef\")]")
// } else {
// Customize::default()
// }
// } // }
if field.proto().type_() == Type::TYPE_ENUM || field.proto().type_() == Type::TYPE_MESSAGE {
Customize::default().before("#[zeroize(skip)]")
} else {
Customize::default()
}
}
// fn special_field(&self, _message: &MessageDescriptor, _field: &str) -> Customize { fn special_field(&self, _message: &MessageDescriptor, _field: &str) -> Customize {
// Customize::default().before("#[serde(skip)]") Customize::default().before("#[zeroize(skip)]")
// } }
} }

View file

@ -1,5 +1,27 @@
use zeroize::Zeroize;
use self::steammessages_base::{cmsg_ipaddress::Ip, cmsg_proto_buf_header::Ip_addr};
include!(concat!(env!("OUT_DIR"), "/protobufs/mod.rs")); include!(concat!(env!("OUT_DIR"), "/protobufs/mod.rs"));
impl Zeroize for Ip {
fn zeroize(&mut self) {
match self {
Ip::V4(ip) => ip.zeroize(),
Ip::V6(ip) => ip.zeroize(),
}
}
}
impl Zeroize for Ip_addr {
fn zeroize(&mut self) {
match self {
Ip_addr::Ip(ip) => ip.zeroize(),
Ip_addr::IpV6(ip) => ip.zeroize(),
}
}
}
#[cfg(test)] #[cfg(test)]
mod parse_tests { mod parse_tests {
use protobuf::Message; use protobuf::Message;