Improve zeroization of key buffer
AaronFeickert committed Sep 19, 2024
1 parent 7641717 commit 40b3b4a
Showing 1 changed file with 3 additions and 6 deletions.
9 changes: 3 additions & 6 deletions crates/bitwarden-crypto/src/keys/shareable_key.rs
Expand Up @@ -3,7 +3,7 @@ use std::pin::Pin;
use aes::cipher::typenum::U64;
use generic_array::GenericArray;
use hmac::Mac;
use zeroize::{Zeroize, Zeroizing};
use zeroize::Zeroizing;

use crate::{
keys::SymmetricCryptoKey,
Expand All @@ -20,18 +20,15 @@ pub fn derive_shareable_key(
info: Option<&str>,
) -> SymmetricCryptoKey {
// Because all inputs are fixed size, we can unwrap all errors here without issue
let mut res = PbkdfSha256Hmac::new_from_slice(format!("bitwarden-{}", name).as_bytes())
let res = Zeroizing::new(PbkdfSha256Hmac::new_from_slice(format!("bitwarden-{}", name).as_bytes())
.expect("hmac new_from_slice should not fail")
.chain_update(secret)
.finalize()
.into_bytes();
.into_bytes());

let mut key: Pin<Box<GenericArray<u8, U64>>> =
hkdf_expand(&res, info).expect("Input is a valid size");

// Zeroize the temporary buffer
res.zeroize();

SymmetricCryptoKey::try_from(key.as_mut_slice()).expect("Key is a valid size")
}
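Review bot: The `let res = Zeroizing::new(...)` statement has no comment saying that the wrapper is what wipes the intermediate HMAC output, because the commit removes `// Zeroize the temporary buffer` without replacing it. I would add `// Wrapped in Zeroizing so the HMAC output is wiped on drop, also when a later expect() unwinds` above that statement, so a later refactor does not unwrap it as redundant. The same comment should note a limit: `into_bytes()` returns the array by value and it is then moved into `Zeroizing::new`, so a copy may remain on the stack that the wrapper never sees. That is a general limitation of drop-based zeroization and not introduced here, but stating it keeps the guarantee from being overstated. The signature of `derive_shareable_key` begins outside the hunk, so how `secret` and the final `key` buffer are wiped cannot be judged from these lines.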
