Zeroize KeyObfuscator keys on Drop

tnull · tnull · commit 03ca9d99f703 · 2025-08-22T11:48:29.000+02:00
.. to make sure the values don't linger in memory.
diff --git a/src/util/key_obfuscator.rs b/src/util/key_obfuscator.rs
@@ -11,8 +11,8 @@ use crate::crypto::chacha20poly1305::ChaCha20Poly1305;
 ///
 /// It provides client-side deterministic encryption of given keys using ChaCha20-Poly1305.
 pub struct KeyObfuscator {
-	obfuscation_key: [u8; 32],
-	hashing_key: [u8; 32],
+	obfuscation_key: [u8; KEY_LENGTH],
+	hashing_key: [u8; KEY_LENGTH],
 }
 
 impl KeyObfuscator {
@@ -24,6 +24,7 @@ impl KeyObfuscator {
 	}
 }
 
+const KEY_LENGTH: usize = 32;
 const TAG_LENGTH: usize = 16;
 const NONCE_LENGTH: usize = 12;
 
@@ -137,20 +138,28 @@ impl KeyObfuscator {
 
 	/// Derives the obfuscation and hashing keys from the master key.
 	fn derive_obfuscation_and_hashing_keys(
-		obfuscation_master_key: &[u8; 32],
-	) -> ([u8; 32], [u8; 32]) {
+		obfuscation_master_key: &[u8; KEY_LENGTH],
+	) -> ([u8; KEY_LENGTH], [u8; KEY_LENGTH]) {
 		let prk = Self::hkdf(obfuscation_master_key, "pseudo_random_key".as_bytes());
 		let k1 = Self::hkdf(&prk, "obfuscation_key".as_bytes());
 		let k2 = Self::hkdf(&prk, &[&k1[..], "hashing_key".as_bytes()].concat());
 		(k1, k2)
 	}
-	fn hkdf(initial_key_material: &[u8], salt: &[u8]) -> [u8; 32] {
+	fn hkdf(initial_key_material: &[u8], salt: &[u8]) -> [u8; KEY_LENGTH] {
 		let mut engine = HmacEngine::<sha256::Hash>::new(salt);
 		engine.input(initial_key_material);
 		Hmac::from_engine(engine).to_byte_array()
 	}
 }
 
+impl Drop for KeyObfuscator {
+	fn drop(&mut self) {
+		// Zeroize the owned keys
+		self.obfuscation_key.copy_from_slice(&[0u8; KEY_LENGTH]);
+		self.hashing_key.copy_from_slice(&[0u8; KEY_LENGTH]);
+	}
+}
+
 #[cfg(test)]
 mod tests {
 	use crate::util::key_obfuscator::KeyObfuscator;
