Fix sensitive leak after enabling opt-z (#360)

## 🎟️ Tracking

<!-- Paste the link to the Jira or GitHub issue or otherwise describe /
point to where this change is coming from. -->

## 📔 Objective

Discovered in #356, the recent PR #353 has made some [sensitive memory
leak tests
fail](https://github.com/bitwarden/sdk-internal/actions/runs/16499844362/job/46655074711?pr=356).
I've had to do two things to fix this:
- In the `argon2` implementation, we used to hash into a fixed size
array, and then box it. I've rewritten this code to store the value into
the box directly, avoiding stack copies. This fixes the `Master Key
Argon2 / Key` test case.
- I've set the opt level for the crypto crate specifically to level 3,
overriding the z level from the workspace. This is to ensure the
compiler is able to inline functions as needed to avoid stack copies of
values. This increases the WASM bundle size by around 0.1MB, but seems
worth it in this case, as the code in bitwarden-crypto is more
performance and security sensitive than the rest of the application.
This fixes the `Master Key Argon2 / Hash bytes` test case.

## ⏰ Reminders before review

- Contributor guidelines followed
- All formatters and local linters executed and passed
- Written new unit and / or integration tests where applicable
- Protected functional changes with optionality (feature flags)
- Used internationalization (i18n) for all UI strings
- CI builds passed
- Communicated to DevOps any deployment requirements
- Updated any necessary documentation (Confluence, contributing docs) or
informed the documentation
  team

## 🦮 Reviewer guidelines

<!-- Suggested interactions but feel free to use (or not) as you desire!
-->

- 👍 (`:+1:`) or similar for great changes
- 📝 (`:memo:`) or ℹ️ (`:information_source:`) for notes or general info
- ❓ (`:question:`) for questions
- 🤔 (`:thinking:`) or 💭 (`:thought_balloon:`) for more open inquiry
that's not quite a confirmed
  issue and could potentially benefit from discussion
- 🎨 (`:art:`) for suggestions / improvements
- ❌ (`:x:`) or ⚠️ (`:warning:`) for more significant problems or
concerns needing attention
- 🌱 (`:seedling:`) or ♻️ (`:recycle:`) for future improvements or
indications of technical debt
- ⛏ (`:pick:`) for minor or nitpick changes

Author: dani-garcia

Cargo.toml

@@ -109,6 +109,12 @@ codegen-units = 1
 lto = true
 opt-level = "z"
 
+# Enable optimization for the bitwarden-crypto crate. This will increase the binary size slightly (~0.1MB),
+# but it will more aggressively inline functions. This will help us avoid extra stack copies of keys and
+# other sensitive values being left behind without cleanup.
+[profile.release.package.bitwarden-crypto]
+opt-level = 3
+
 # Stripping the binary reduces the size by ~30%, but the stacktraces won't be usable anymore.
 # This is fine as long as we don't have any unhandled panics, but let's keep it disabled for now
 # strip = true

crates/bitwarden-crypto/src/keys/kdf.rs

@@ -34,14 +34,18 @@ impl KdfDerivedKeyMaterial {
         salt: &[u8],
         kdf: &Kdf,
     ) -> Result<Self, CryptoError> {
-        let mut hash = match kdf {
+        match kdf {
             Kdf::PBKDF2 { iterations } => {
                 let iterations = iterations.get();
                 if iterations < PBKDF2_MIN_ITERATIONS {
                     return Err(CryptoError::InsufficientKdfParameters);
                 }
 
-                crate::util::pbkdf2(secret, salt, iterations)
+                let mut hash = crate::util::pbkdf2(secret, salt, iterations);
+
+                let key_material = Box::pin(hash.into());
+                hash.zeroize();
+                Ok(KdfDerivedKeyMaterial(key_material))
             }
             Kdf::Argon2id {
                 iterations,
@@ -59,15 +63,14 @@ impl KdfDerivedKeyMaterial {
                     return Err(CryptoError::InsufficientKdfParameters);
                 }
 
-                use argon2::*;
+                let salt_sha = sha2::Sha256::new().chain_update(salt).finalize();
 
+                let mut hash = Box::pin(GenericArray::<u8, U32>::default());
+
+                use argon2::*;
                 let params = Params::new(memory, iterations, parallelism, Some(32))?;
                 let argon = Argon2::new(Algorithm::Argon2id, Version::V0x13, params);
-
-                let salt_sha = sha2::Sha256::new().chain_update(salt).finalize();
-
-                let mut hash = [0u8; 32];
-                argon.hash_password_into(secret, &salt_sha, &mut hash)?;
+                argon.hash_password_into(secret, &salt_sha, hash.as_mut_slice())?;
 
                 // Argon2 is using some stack memory that is not zeroed. Eventually some function
                 // will overwrite the stack, but we use this trick to force the used
@@ -78,12 +81,9 @@ impl KdfDerivedKeyMaterial {
                 }
                 clear_stack();
 
-                hash
+                Ok(KdfDerivedKeyMaterial(hash))
             }
-        };
-        let key_material = Box::pin(GenericArray::clone_from_slice(&hash));
-        hash.zeroize();
-        Ok(KdfDerivedKeyMaterial(key_material))
+        }
     }
 
     /// Derives a users master key from their password, email and KDF.