
feat: zeroize cryptographic secrets on drop

implement zeroize on Drop for Secret, Wallet, and MultiMintWallet
this erases sensitive memory contents before deallocation
vnprc 10 ماه پیش
والد
کامیت
951ff054fb
5فایلهای تغییر یافته به همراه23 افزوده شده و 0 حذف شده
  1. 1 0
      crates/cashu/Cargo.toml
  2. 7 0
      crates/cashu/src/secret.rs
  3. 1 0
      crates/cdk/Cargo.toml
  4. 7 0
      crates/cdk/src/wallet/mod.rs
  5. 7 0
      crates/cdk/src/wallet/multi_mint_wallet.rs

+ 1 - 0
crates/cashu/Cargo.toml

@@ -36,6 +36,7 @@ serde_with.workspace = true
 regex = { workspace = true, optional = true }
 strum = { workspace = true, optional = true }
 strum_macros = { workspace = true, optional = true }
+zeroize = "1"
 
 [target.'cfg(target_arch = "wasm32")'.dependencies]
 instant = { workspace = true, features = ["wasm-bindgen", "inaccurate"] }
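Review bot: `zeroize = "1"` is declared as a standalone version requirement here and again in crates/cdk/Cargo.toml, while the neighbouring entries in this file take their version from the workspace. Declaring it once under `[workspace.dependencies]` and writing `zeroize.workspace = true` in both crates would keep the two requirements from drifting apart. It would also give a single place to review the version of a crate that guards key material. The workspace manifest is not part of this diff, so this assumes it has a `[workspace.dependencies]` table, which the `workspace = true` entries above suggest.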

+ 7 - 0
crates/cashu/src/secret.rs

@@ -6,6 +6,7 @@ use std::str::FromStr;
 use bitcoin::secp256k1::rand::{self, RngCore};
 use serde::{Deserialize, Serialize};
 use thiserror::Error;
+use zeroize::Zeroize;
 
 use crate::util::hex;
 
@@ -121,6 +122,12 @@ impl TryFrom<Secret> for crate::nuts::nut10::Secret {
     }
 }
 
+impl Drop for Secret {
+    fn drop(&mut self) {
+        self.0.zeroize();
+    }
+}
+
 impl TryFrom<&Secret> for crate::nuts::nut10::Secret {
     type Error = Error;
 
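Review bot: The new `Drop` impl for `Secret` has no comment stating what it covers, so a reader could take it as a guarantee that the secret never lingers in memory. `self.0.zeroize()` wipes only the buffer this instance owns at drop time. Bytes copied out earlier, for example by string formatting, serialization, or the `TryFrom` conversions on either side of this impl, are outside its reach. The struct definition and those conversion bodies are not in the hunk, so which of these apply should be confirmed. I would add a doc comment above the impl such as `/// Wipes the inner secret on drop. Copies produced by conversions or serialization are not wiped.`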

+ 1 - 0
crates/cdk/Cargo.toml

@@ -47,6 +47,7 @@ jsonwebtoken = { workspace = true, optional = true }
 sync_wrapper = "0.1.2"
 bech32 = "0.9.1"
 arc-swap = "1.7.1"
+zeroize = "1"
 
 [target.'cfg(not(target_arch = "wasm32"))'.dependencies]
 tokio = { workspace = true, features = [

+ 7 - 0
crates/cdk/src/wallet/mod.rs

@@ -11,6 +11,7 @@ use subscription::{ActiveSubscription, SubscriptionManager};
 #[cfg(feature = "auth")]
 use tokio::sync::RwLock;
 use tracing::instrument;
+use zeroize::Zeroize;
 
 use crate::amount::SplitTarget;
 use crate::dhke::construct_proofs;
@@ -657,3 +658,9 @@ impl Wallet {
         Ok(())
     }
 }
+
+impl Drop for Wallet {
+    fn drop(&mut self) {
+        self.seed.zeroize();
+    }
+}
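Review bot: Wiping `self.seed` in `drop` clears only the location the wallet occupies when it is finally dropped; if `seed` is stored inline (a byte array, for instance), every move of a `Wallet` copies it and the earlier locations are left untouched. The field's type is declared outside this hunk, so this needs checking against the struct definition, and the same applies to the identical impl added for `MultiMintWallet` in multi_mint_wallet.rs. Keeping the seed behind one heap allocation, e.g. a `zeroize::Zeroizing<Vec<u8>>` field, would give it a single buffer to wipe and make both hand-written `Drop` impls unnecessary.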

+ 7 - 0
crates/cdk/src/wallet/multi_mint_wallet.rs

@@ -13,6 +13,7 @@ use cdk_common::database::WalletDatabase;
 use cdk_common::wallet::{Transaction, TransactionDirection, WalletKey};
 use tokio::sync::RwLock;
 use tracing::instrument;
+use zeroize::Zeroize;
 
 use super::receive::ReceiveOptions;
 use super::send::{PreparedSend, SendOptions};
@@ -368,3 +369,9 @@ impl MultiMintWallet {
         wallet.verify_token_dleq(token).await
     }
 }
+
+impl Drop for MultiMintWallet {
+    fn drop(&mut self) {
+        self.seed.zeroize();
+    }
+}