Add zeroize

nymtech · Nov 12, 2024 · 6ea7f82 · 6ea7f82
1 parent a9f9fbb
commit 6ea7f82
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 5 deletions.
diff --git a/nym-vpn-core/Cargo.lock b/nym-vpn-core/Cargo.lock
diff --git a/nym-vpn-core/crates/nym-vpnd/Cargo.toml b/nym-vpn-core/crates/nym-vpnd/Cargo.toml
@@ -41,6 +41,7 @@ tracing-appender.workspace = true
 tracing-subscriber = { workspace = true, features = ["env-filter"] }
 tracing.workspace = true
 url.workspace = true
+zeroize.workspace = true
 
 # Nym monorepo
 nym-bandwidth-controller.workspace = true

diff --git a/nym-vpn-core/crates/nym-vpnd/src/command_interface/connection_handler.rs b/nym-vpn-core/crates/nym-vpnd/src/command_interface/connection_handler.rs
@@ -10,6 +10,7 @@ use nym_vpn_api_client::{
     types::GatewayMinPerformance,
 };
 use nym_vpn_lib::gateway_directory::{EntryPoint, ExitPoint, GatewayClient, GatewayType};
+use zeroize::Zeroizing;
 
 use crate::{
     service::{
@@ -134,7 +135,7 @@ impl CommandInterfaceConnectionHandler {
 
     pub(crate) async fn handle_store_account(
         &self,
-        account: String,
+        account: Zeroizing<String>,
     ) -> Result<Result<(), AccountError>, VpnCommandSendError> {
         self.send_and_wait(VpnServiceCommand::StoreAccount, account)
             .await

diff --git a/nym-vpn-core/crates/nym-vpnd/src/command_interface/listener.rs b/nym-vpn-core/crates/nym-vpnd/src/command_interface/listener.rs
@@ -32,6 +32,7 @@ use nym_vpn_proto::{
     ResetDeviceIdentityResponse, SetNetworkRequest, SetNetworkResponse, StatusRequest,
     StatusResponse, StoreAccountRequest, StoreAccountResponse,
 };
+use zeroize::Zeroizing;
 
 use super::{
     connection_handler::CommandInterfaceConnectionHandler,
@@ -423,7 +424,7 @@ impl NymVpnd for CommandInterface {
         &self,
         request: tonic::Request<StoreAccountRequest>,
     ) -> Result<tonic::Response<StoreAccountResponse>, tonic::Status> {
-        let account = request.into_inner().mnemonic;
+        let account = Zeroizing::new(request.into_inner().mnemonic);
 
         let result = CommandInterfaceConnectionHandler::new(self.vpn_command_tx.clone())
             .handle_store_account(account)

diff --git a/nym-vpn-core/crates/nym-vpnd/src/service/vpn_service.rs b/nym-vpn-core/crates/nym-vpnd/src/service/vpn_service.rs
@@ -38,6 +38,7 @@ use nym_vpn_lib::{
     },
     MixnetClientConfig, NodeIdentity, Recipient,
 };
+use zeroize::Zeroizing;
 
 use crate::config::GlobalConfigFile;
 
@@ -105,7 +106,7 @@ pub enum VpnServiceCommand {
     ),
     Disconnect(oneshot::Sender<Result<(), VpnServiceDisconnectError>>, ()),
     Status(oneshot::Sender<VpnServiceStatus>, ()),
-    StoreAccount(oneshot::Sender<Result<(), AccountError>>, String),
+    StoreAccount(oneshot::Sender<Result<(), AccountError>>, Zeroizing<String>),
     IsAccountStored(oneshot::Sender<Result<bool, AccountError>>, ()),
     RemoveAccount(oneshot::Sender<Result<(), AccountError>>, ()),
     GetAccountIdentity(oneshot::Sender<Result<String, AccountError>>, ()),
@@ -890,11 +891,14 @@ where
         self.network_env.feature_flags.clone()
     }
 
-    async fn handle_store_account(&mut self, account: String) -> Result<(), AccountError> {
+    async fn handle_store_account(
+        &mut self,
+        account: Zeroizing<String>,
+    ) -> Result<(), AccountError> {
         self.storage
             .lock()
             .await
-            .store_mnemonic(Mnemonic::parse(&account)?)
+            .store_mnemonic(Mnemonic::parse::<&str>(account.as_ref())?)
             .await
             .map_err(|err| AccountError::FailedToStoreAccount {
                 source: Box::new(err),