implement zeroizing of secrets after use

Author: multisme

Cargo.lock

@@ -38,6 +38,7 @@ thiserror.workspace = true
 tokio = { workspace = true, features = ["fs"] }
 tracing.workspace = true
 vodozemac.workspace = true
+zeroize.workspace = true
 
 [dev-dependencies]
 assert_matches.workspace = true

crates/matrix-sdk-sqlite/Cargo.toml

@@ -30,6 +30,7 @@ use std::{
 };
 
 use deadpool_sqlite::PoolConfig;
+use zeroize::Zeroize;
 
 #[cfg(feature = "crypto-store")]
 pub use self::crypto_store::SqliteCryptoStore;
@@ -42,9 +43,11 @@ pub use self::state_store::{SqliteStateStore, DATABASE_NAME as STATE_STORE_DATAB
 #[cfg(test)]
 matrix_sdk_test::init_tracing_for_tests!();
 
-#[derive(Clone, Debug, Eq, PartialEq)]
+#[derive(Clone, Debug, Eq, PartialEq, Zeroize)]
 pub enum Secret {
+    #[zeroize]
     Key([u8; 32]),
+    #[zeroize]
     PassPhrase(String),
 }
 

crates/matrix-sdk-sqlite/src/lib.rs

@@ -28,6 +28,7 @@ use ruma::{serde::Raw, time::SystemTime, OwnedEventId, OwnedRoomId};
 use rusqlite::{limits::Limit, OptionalExtension, Params, Row, Statement, Transaction};
 use serde::{de::DeserializeOwned, Serialize};
 use tracing::{error, warn};
+use zeroize::Zeroize;
 
 use crate::{
     error::{Error, Result},
@@ -457,31 +458,31 @@ pub(crate) trait SqliteKeyValueStoreAsyncConnExt: SqliteAsyncConnExt {
     /// Get the [`StoreCipher`] of the database or create it.
     async fn get_or_create_store_cipher(
         &self,
-        secret: Secret,
+        mut secret: Secret,
     ) -> Result<StoreCipher, OpenStoreError> {
         let encrypted_cipher = self.get_kv("cipher").await.map_err(OpenStoreError::LoadCipher)?;
 
         let cipher = if let Some(encrypted) = encrypted_cipher {
             match secret {
-                Secret::PassPhrase(passphrase) => StoreCipher::import(passphrase, &encrypted)?,
-                Secret::Key(key) => StoreCipher::import_with_key(key, &encrypted)?,
+                Secret::PassPhrase(ref passphrase) => StoreCipher::import(&passphrase, &encrypted)?,
+                Secret::Key(key) => StoreCipher::import_with_key(&key, &encrypted)?,
             }
         } else {
             let cipher = StoreCipher::new()?;
             let export = match secret {
-                Secret::PassPhrase(passphrase) => {
+                Secret::PassPhrase(ref passphrase) => {
                     if cfg!(not(test)) {
                         cipher.export(passphrase)
                     } else {
                         cipher._insecure_export_fast_for_testing(passphrase)
                     }
                 }
-                Secret::Key(key) => cipher.export_with_key(key),
+                Secret::Key(key) => cipher.export_with_key(&key),
             };
             self.set_kv("cipher", export?).await.map_err(OpenStoreError::SaveCipher)?;
             cipher
         };
-
+        secret.zeroize();
         Ok(cipher)
     }
 }