From 6ea7f82265fdf5e71050a76d85f7684e5b427b8a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jon=20H=C3=A4ggblad?= <jon.haggblad@gmail.com>
Date: Tue, 12 Nov 2024 16:12:43 +0100
Subject: [PATCH] Add zeroize

---
 nym-vpn-core/Cargo.lock                                |  1 +
 nym-vpn-core/crates/nym-vpnd/Cargo.toml                |  1 +
 .../src/command_interface/connection_handler.rs        |  3 ++-
 .../crates/nym-vpnd/src/command_interface/listener.rs  |  3 ++-
 .../crates/nym-vpnd/src/service/vpn_service.rs         | 10 +++++++---
 5 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/nym-vpn-core/Cargo.lock b/nym-vpn-core/Cargo.lock
index 51afe35081..2a95ec6c6b 100644
--- a/nym-vpn-core/Cargo.lock
+++ b/nym-vpn-core/Cargo.lock
@@ -4809,6 +4809,7 @@ dependencies = [
  "winapi",
  "windows-service",
  "windows-sys 0.52.0",
+ "zeroize",
 ]
 
 [[package]]
diff --git a/nym-vpn-core/crates/nym-vpnd/Cargo.toml b/nym-vpn-core/crates/nym-vpnd/Cargo.toml
index 1e51d92c4a..c96f80919d 100644
--- a/nym-vpn-core/crates/nym-vpnd/Cargo.toml
+++ b/nym-vpn-core/crates/nym-vpnd/Cargo.toml
@@ -41,6 +41,7 @@ tracing-appender.workspace = true
 tracing-subscriber = { workspace = true, features = ["env-filter"] }
 tracing.workspace = true
 url.workspace = true
+zeroize.workspace = true
 
 # Nym monorepo
 nym-bandwidth-controller.workspace = true
diff --git a/nym-vpn-core/crates/nym-vpnd/src/command_interface/connection_handler.rs b/nym-vpn-core/crates/nym-vpnd/src/command_interface/connection_handler.rs
index a729d94044..5f9d78f1f2 100644
--- a/nym-vpn-core/crates/nym-vpnd/src/command_interface/connection_handler.rs
+++ b/nym-vpn-core/crates/nym-vpnd/src/command_interface/connection_handler.rs
@@ -10,6 +10,7 @@ use nym_vpn_api_client::{
     types::GatewayMinPerformance,
 };
 use nym_vpn_lib::gateway_directory::{EntryPoint, ExitPoint, GatewayClient, GatewayType};
+use zeroize::Zeroizing;
 
 use crate::{
     service::{
@@ -134,7 +135,7 @@ impl CommandInterfaceConnectionHandler {
 
     pub(crate) async fn handle_store_account(
         &self,
-        account: String,
+        account: Zeroizing<String>,
     ) -> Result<Result<(), AccountError>, VpnCommandSendError> {
         self.send_and_wait(VpnServiceCommand::StoreAccount, account)
             .await
diff --git a/nym-vpn-core/crates/nym-vpnd/src/command_interface/listener.rs b/nym-vpn-core/crates/nym-vpnd/src/command_interface/listener.rs
index 8a3ec45455..60cc4b4671 100644
--- a/nym-vpn-core/crates/nym-vpnd/src/command_interface/listener.rs
+++ b/nym-vpn-core/crates/nym-vpnd/src/command_interface/listener.rs
@@ -32,6 +32,7 @@ use nym_vpn_proto::{
     ResetDeviceIdentityResponse, SetNetworkRequest, SetNetworkResponse, StatusRequest,
     StatusResponse, StoreAccountRequest, StoreAccountResponse,
 };
+use zeroize::Zeroizing;
 
 use super::{
     connection_handler::CommandInterfaceConnectionHandler,
@@ -423,7 +424,7 @@ impl NymVpnd for CommandInterface {
         &self,
         request: tonic::Request<StoreAccountRequest>,
     ) -> Result<tonic::Response<StoreAccountResponse>, tonic::Status> {
-        let account = request.into_inner().mnemonic;
+        let account = Zeroizing::new(request.into_inner().mnemonic);
 
         let result = CommandInterfaceConnectionHandler::new(self.vpn_command_tx.clone())
             .handle_store_account(account)
diff --git a/nym-vpn-core/crates/nym-vpnd/src/service/vpn_service.rs b/nym-vpn-core/crates/nym-vpnd/src/service/vpn_service.rs
index c95d6477f2..cd86020bdc 100644
--- a/nym-vpn-core/crates/nym-vpnd/src/service/vpn_service.rs
+++ b/nym-vpn-core/crates/nym-vpnd/src/service/vpn_service.rs
@@ -38,6 +38,7 @@ use nym_vpn_lib::{
     },
     MixnetClientConfig, NodeIdentity, Recipient,
 };
+use zeroize::Zeroizing;
 
 use crate::config::GlobalConfigFile;
 
@@ -105,7 +106,7 @@ pub enum VpnServiceCommand {
     ),
     Disconnect(oneshot::Sender<Result<(), VpnServiceDisconnectError>>, ()),
     Status(oneshot::Sender<VpnServiceStatus>, ()),
-    StoreAccount(oneshot::Sender<Result<(), AccountError>>, String),
+    StoreAccount(oneshot::Sender<Result<(), AccountError>>, Zeroizing<String>),
     IsAccountStored(oneshot::Sender<Result<bool, AccountError>>, ()),
     RemoveAccount(oneshot::Sender<Result<(), AccountError>>, ()),
     GetAccountIdentity(oneshot::Sender<Result<String, AccountError>>, ()),
@@ -890,11 +891,14 @@ where
         self.network_env.feature_flags.clone()
     }
 
-    async fn handle_store_account(&mut self, account: String) -> Result<(), AccountError> {
+    async fn handle_store_account(
+        &mut self,
+        account: Zeroizing<String>,
+    ) -> Result<(), AccountError> {
         self.storage
             .lock()
             .await
-            .store_mnemonic(Mnemonic::parse(&account)?)
+            .store_mnemonic(Mnemonic::parse::<&str>(account.as_ref())?)
             .await
             .map_err(|err| AccountError::FailedToStoreAccount {
                 source: Box::new(err),