From b68a70211df3efefd15bb1efa277ee25503db9f9 Mon Sep 17 00:00:00 2001 From: Dakota Brink <779390+codabrink@users.noreply.github.com> Date: Thu, 7 Nov 2024 14:26:55 -0500 Subject: [PATCH] Zeroize some sensitive data (#1230) * Zeroize some sensitive data * cargo update --------- Co-authored-by: Mojtaba Chenani --- Cargo.lock | 22 +++++++------- xmtp_api_grpc/Cargo.toml | 11 +++++-- xmtp_api_grpc/src/auth_token.rs | 2 ++ xmtp_mls/Cargo.toml | 29 ++++++++++--------- xmtp_mls/src/groups/message_history.rs | 2 +- .../encrypted_store/sqlcipher_connection.rs | 2 +- 6 files changed, 39 insertions(+), 29 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 9887f3196..68e3c710f 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -149,9 +149,9 @@ dependencies = [ [[package]] name = "anyhow" -version = "1.0.92" +version = "1.0.93" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "74f37166d7d48a0284b99dd824694c26119c700b53bf0d1540cdb147dbdaaf13" +checksum = "4c95c10ba0b00a02636238b814946408b1322d5ac4760326e6fb8ec956d85775" [[package]] name = "arrayref" @@ -635,9 +635,9 @@ checksum = "37b2a672a2cb129a2e41c10b1224bb368f9f37a2b16b612598138befd7b37eb5" [[package]] name = "cc" -version = "1.1.34" +version = "1.1.36" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "67b9470d453346108f93a59222a9a1a5724db32d0a4727b7ab7ace4b4d822dc9" +checksum = "baee610e9452a8f6f0a1b6194ec09ff9e2d85dea54432acdae41aa0761c95d70" dependencies = [ "jobserver", "libc", @@ -3078,9 +3078,9 @@ checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe" [[package]] name = "libc" -version = "0.2.161" +version = "0.2.162" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8e9489c2807c139ffd9c1794f4af0ebe86a828db53ecdc7fea2111d0fed085d1" +checksum = "18d287de67fe55fd7e1581fe933d965a5a9477b38e949cfa9f8574ef01506398" [[package]] name = "libgit2-sys" 
@@ -4729,9 +4729,9 @@ dependencies = [ [[package]] name = "rustix" -version = "0.38.38" +version = "0.38.39" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "aa260229e6538e52293eeb577aabd09945a09d6d9cc0fc550ed7529056c2e32a" +checksum = "375116bee2be9ed569afe2154ea6a99dfdffd257f533f187498c2a8f5feaf4ee" dependencies = [ "bitflags 2.6.0", "errno", @@ -5647,9 +5647,9 @@ dependencies = [ [[package]] name = "tokio" -version = "1.41.0" +version = "1.41.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "145f3413504347a2be84393cc8a7d2fb4d863b375909ea59f2158261aa258bbb" +checksum = "22cfb5bee7a6a52939ca9224d6ac897bb669134078daa8735560897f69de4d33" dependencies = [ "backtrace", "bytes", @@ -6896,6 +6896,7 @@ dependencies = [ "uuid 1.11.0", "xmtp_proto", "xmtp_v2", + "zeroize", ] [[package]] @@ -7061,6 +7062,7 @@ dependencies = [ "xmtp_cryptography", "xmtp_id", "xmtp_proto", + "zeroize", ] [[package]] diff --git a/xmtp_api_grpc/Cargo.toml b/xmtp_api_grpc/Cargo.toml index 2129b424e..b45b56940 100644 --- a/xmtp_api_grpc/Cargo.toml +++ b/xmtp_api_grpc/Cargo.toml @@ -1,21 +1,26 @@ [package] edition = "2021" +license.workspace = true name = "xmtp_api_grpc" version.workspace = true -license.workspace = true [dependencies] async-stream.workspace = true +async-trait = "0.1" base64.workspace = true futures.workspace = true hex.workspace = true prost = { workspace = true, features = ["prost-derive"] } tokio = { workspace = true, features = ["macros", "time"] } -tonic = { workspace = true, features = ["tls", "tls-native-roots", "tls-webpki-roots"] } +tonic = { workspace = true, features = [ + "tls", + "tls-native-roots", + "tls-webpki-roots", +] } tracing.workspace = true xmtp_proto = { path = "../xmtp_proto", features = ["proto_full"] } xmtp_v2 = { path = "../xmtp_v2" } -async-trait = "0.1" +zeroize.workspace = true [dev-dependencies] uuid = { workspace = true, features = ["v4"] } 
diff --git a/xmtp_api_grpc/src/auth_token.rs b/xmtp_api_grpc/src/auth_token.rs index b2eb43f6b..c9b0d2c36 100644 --- a/xmtp_api_grpc/src/auth_token.rs +++ b/xmtp_api_grpc/src/auth_token.rs @@ -19,7 +19,9 @@ fn create_auth_data(wallet_address: String) -> AuthData { } } +#[derive(zeroize::ZeroizeOnDrop)] pub struct Authenticator { + #[zeroize(skip)] identity_key: PublicKey, wallet_address: String, private_key_bytes: Vec, diff --git a/xmtp_mls/Cargo.toml b/xmtp_mls/Cargo.toml index 2bacc0cbb..b04b4dc05 100644 --- a/xmtp_mls/Cargo.toml +++ b/xmtp_mls/Cargo.toml @@ -1,8 +1,8 @@ [package] edition = "2021" +license.workspace = true name = "xmtp_mls" version.workspace = true -license.workspace = true [package.metadata.docs.rs] all-features = true @@ -39,17 +39,19 @@ test-utils = [ update-schema = ["toml"] [dependencies] -openmls_rust_crypto = { workspace = true } -openmls_traits = { workspace = true } aes-gcm = { version = "0.10.3", features = ["std"] } async-stream.workspace = true async-trait.workspace = true bincode.workspace = true +diesel_migrations.workspace = true futures.workspace = true hex.workspace = true +openmls_rust_crypto = { workspace = true } +openmls_traits = { workspace = true } parking_lot.workspace = true prost = { workspace = true, features = ["prost-derive"] } rand = { workspace = true } +reqwest = { version = "0.12.4", features = ["stream"] } serde = { workspace = true } serde_json.workspace = true thiserror = { workspace = true } @@ -60,8 +62,7 @@ tokio-stream = { version = "0.1", default-features = false, features = [ tracing.workspace = true trait-variant.workspace = true wasm-timer.workspace = true -reqwest = { version = "0.12.4", features = ["stream"] } -diesel_migrations.workspace = true +zeroize.workspace = true # XMTP/Local xmtp_cryptography = { workspace = true } 
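Review bot: The `#[zeroize(skip)]` on `identity_key` in `Authenticator` carries no comment saying why the field is exempt, and the derive wipes only the buffers the struct owns at the moment it is dropped. I would add `// Public key, not secret: skipped on purpose` above the attribute so that a field added next to it later is not skipped by imitation. The copy of the key bytes that the caller hands to the constructor, and any temporary built from `private_key_bytes` when a token is signed, sit outside this hunk and are not reached by the derive, so they are worth checking in the same change. A `Vec` that is grown after construction also leaves its earlier allocation un-wiped, so `private_key_bytes` should be created at its final size. The struct body continues past the end of the hunk.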
@@ -91,16 +92,17 @@ tracing-subscriber = { workspace = true, features = [ [target.'cfg(not(target_arch = "wasm32"))'.dependencies] -openmls.workspace = true -openssl-sys.workspace = true -openssl.workspace = true chrono = { workspace = true, features = ["clock"] } diesel = { workspace = true, features = [ "r2d2", "returning_clauses_for_sqlite_3_35", "sqlite", ] } +dyn-clone.workspace = true libsqlite3-sys = { workspace = true } +openmls.workspace = true +openssl-sys.workspace = true +openssl.workspace = true tokio = { workspace = true, features = [ "macros", "tracing", @@ -108,10 +110,8 @@ tokio = { workspace = true, features = [ "rt-multi-thread", ] } xmtp_api_grpc = { path = "../xmtp_api_grpc", optional = true } -dyn-clone.workspace = true [target.'cfg(target_arch = "wasm32")'.dependencies] -openmls = { workspace = true, features = ["js"] } chrono = { workspace = true, features = ["wasmbind"] } diesel = { workspace = true, features = [ "r2d2", @@ -120,23 +120,24 @@ diesel = { workspace = true, features = [ diesel-wasm-sqlite = { workspace = true } getrandom = { workspace = true, features = ["js"] } gloo-timers = { workspace = true, features = ["futures"] } +openmls = { workspace = true, features = ["js"] } tokio = { workspace = true, features = ["macros", "rt", "time"] } wasm-bindgen-futures.workspace = true web-sys.workspace = true [dev-dependencies] -openmls_basic_credential.workspace = true anyhow.workspace = true mockall = "0.13.0" +openmls_basic_credential.workspace = true xmtp_id = { path = "../xmtp_id", features = ["test-utils"] } -xmtp_proto = { workspace = true, features = ["test-utils" ]} +xmtp_proto = { workspace = true, features = ["test-utils"] } [target.'cfg(not(target_arch = "wasm32"))'.dev-dependencies] -openmls = { workspace = true } ctor.workspace = true ethers = { workspace = true, features = ["openssl"] } mockito = "1.4.0" +openmls = { workspace = true } tempfile = "3.5.0" tracing-subscriber = { workspace = true, features = [ "env-filter", 
@@ -147,13 +148,13 @@ xmtp_api_grpc = { path = "../xmtp_api_grpc", features = ["test-utils"] } xmtp_api_http = { path = "../xmtp_api_http", features = ["test-utils"] } [target.'cfg(target_arch = "wasm32")'.dev-dependencies] -openmls = { workspace = true, features = ["js"] } console_error_panic_hook = { version = "0.1" } diesel-wasm-sqlite = { workspace = true, features = [ "unsafe-debug-query", "r2d2", ] } ethers = { workspace = true, features = ["rustls"] } +openmls = { workspace = true, features = ["js"] } tracing-subscriber = { workspace = true, features = ["env-filter"] } tracing-wasm = { version = "0.2" } wasm-bindgen-test.workspace = true diff --git a/xmtp_mls/src/groups/message_history.rs b/xmtp_mls/src/groups/message_history.rs index 4856ef94a..5043c0c80 100644 --- a/xmtp_mls/src/groups/message_history.rs +++ b/xmtp_mls/src/groups/message_history.rs @@ -693,7 +693,7 @@ impl From for MessageHistoryReply { } } -#[derive(Copy, Clone, Debug, PartialEq)] +#[derive(Copy, Clone, Debug, PartialEq, zeroize::ZeroizeOnDrop)] pub(crate) enum HistoryKeyType { Chacha20Poly1305([u8; ENC_KEY_SIZE]), } diff --git a/xmtp_mls/src/storage/encrypted_store/sqlcipher_connection.rs b/xmtp_mls/src/storage/encrypted_store/sqlcipher_connection.rs index c6e889106..d9e891151 100644 --- a/xmtp_mls/src/storage/encrypted_store/sqlcipher_connection.rs +++ b/xmtp_mls/src/storage/encrypted_store/sqlcipher_connection.rs @@ -35,7 +35,7 @@ struct CipherProviderVersion { } /// Specialized Connection for r2d2 connection pool. -#[derive(Clone, Debug)] +#[derive(Clone, Debug, zeroize::ZeroizeOnDrop)] pub struct EncryptedConnection { key: EncryptionKey, /// We don't store the salt for Ephemeral Dbs
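Review bot: `HistoryKeyType` still derives `Copy` alongside `zeroize::ZeroizeOnDrop`, and the two do not fit together: the derive emits a `Drop` impl, which the compiler rejects on a `Copy` type (E0184), so unless `message_history.rs` is currently outside the build I would expect this not to compile. `Copy` is also the wrong fit for key material in its own right, because it permits implicit bitwise duplicates that no destructor can track. Dropping it and keeping an explicit `Clone` makes every duplicate visible and wiped on its own drop: `#[derive(Clone, Debug, PartialEq, zeroize::ZeroizeOnDrop)]`; call sites that relied on the implicit copy would then need a `.clone()`. The derived `Debug` will print the raw `Chacha20Poly1305` bytes if the value is ever logged, so a manual impl that redacts them would be safer.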
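Review bot: `EncryptedConnection` keeps the derived `Debug` while holding `key: EncryptionKey`, so the key can presumably still reach a log line or panic message even though it is now wiped on drop; how `EncryptionKey` formats itself is not visible here. I would replace the derive with a manual impl that redacts the field, for example `f.debug_struct("EncryptedConnection").field("key", &"<redacted>").finish_non_exhaustive()`. With `Clone` kept, each pooled clone owns its own copy of the key and each is wiped separately, which is fine, but any string or buffer the key is formatted into when it is handed to the database is a separate allocation that this derive does not reach; that code is outside the hunk. The derive also needs every remaining field to be zeroizable or marked `#[zeroize(skip)]`, and the rest of the struct body lies past the hunk, so that could not be checked from here.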