hatter/card-cli
1
1
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

feat: update zeroize

Browse Source
This commit is contained in:
Hatter Jiang
2025-05-10 00:17:32 +08:00
parent 58f665823d
commit 4431bff9e6
1 changed files with 12 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
src/pbeutil.rs
View File

@@ -4,6 +4,7 @@ use crate::util::{base64_decode, base64_encode, base64_encode_url_safe_no_pad};
use aes_gcm_stream::{Aes256GcmStreamDecryptor, Aes256GcmStreamEncryptor}; use aes_gcm_stream::{Aes256GcmStreamDecryptor, Aes256GcmStreamEncryptor};
use rand::random; use rand::random;
use rust_util::XResult; use rust_util::XResult;
use secrecy::Zeroize;
const PBE_ENC_PREFIX: &str = "pbe_enc:"; const PBE_ENC_PREFIX: &str = "pbe_enc:";
@@ -17,42 +18,35 @@ pub fn simple_pbe_decrypt_with_prompt_to_string(pin_opt: &mut Option<String>, ci
} }
pub fn simple_pbe_encrypt_with_prompt(iteration: u32, plaintext: &[u8], password_opt: &mut Option<String>, password_double_check: bool) -> XResult<String> { pub fn simple_pbe_encrypt_with_prompt(iteration: u32, plaintext: &[u8], password_opt: &mut Option<String>, password_double_check: bool) -> XResult<String> {
let pin = match password_opt { let mut pin = match password_opt {
None => { None => {
let pin1 = opt_value_result!(pinutil::get_pin(None), "Simple PBE password required"); let pin1 = opt_value_result!(pinutil::get_pin(None), "Simple PBE password required");
if password_double_check { if password_double_check {
let pin2 = opt_value_result!(pinutil::get_pin(None), "Simple PBE password required"); let mut pin2 = opt_value_result!(pinutil::get_pin(None), "Simple PBE password required");
if pin1 != pin2 { if pin1 != pin2 {
return simple_error!("Two PINs mismatch"); return simple_error!("Two PINs mismatch");
} }
pin2.zeroize();
} }
*password_opt = Some(pin1.clone()); *password_opt = Some(pin1.clone());
pin1 pin1
} }
Some(pin) => pin.clone(), Some(pin) => pin.clone(),
}; };
simple_pbe_encrypt(&pin, iteration, plaintext) let encrypt_result = simple_pbe_encrypt(&pin, iteration, plaintext);
pin.zeroize();
encrypt_result
} }
pub fn simple_pbe_decrypt_with_prompt(pin_opt: &mut Option<String>, ciphertext: &str) -> XResult<Vec<u8>> { pub fn simple_pbe_decrypt_with_prompt(pin_opt: &mut Option<String>, ciphertext: &str) -> XResult<Vec<u8>> {
let pin = opt_value_result!(pinutil::get_pin(pin_opt.clone().as_deref()), "Simple PBE password required"); let mut pin = opt_value_result!(pinutil::get_pin(pin_opt.clone().as_deref()), "Simple PBE password required");
pin_opt.zeroize();
*pin_opt = Some(pin.clone()); *pin_opt = Some(pin.clone());
simple_pbe_decrypt(&pin, ciphertext) let decrypt_result = simple_pbe_decrypt(&pin, ciphertext);
pin.zeroize();
decrypt_result
} }
// pub fn simple_pbe_encrypt_from_string(
// password: &str,
// iteration: u32,
// plaintext: &str,
// ) -> XResult<String> {
// simple_pbe_encrypt(password, iteration, plaintext.as_bytes())
// }
// pub fn simple_pbe_decrypt_to_string(password: &str, ciphertext: &str) -> XResult<String> {
// let plaintext = simple_pbe_decrypt(password, ciphertext)?;
// Ok(String::from_utf8(plaintext)?)
// }
pub fn simple_pbe_encrypt(password: &str, iteration: u32, plaintext: &[u8]) -> XResult<String> { pub fn simple_pbe_encrypt(password: &str, iteration: u32, plaintext: &[u8]) -> XResult<String> {
let pbe_salt: [u8; 16] = random(); let pbe_salt: [u8; 16] = random();
let key = simple_pbe_kdf(password, &pbe_salt, iteration)?; let key = simple_pbe_kdf(password, &pbe_salt, iteration)?;