From e97b5b962e8fde8a5bc6a6201d9dd29c49278627 Mon Sep 17 00:00:00 2001
From: Hatter Jiang <jht5945@gmail.com>
Date: Sun, 1 Oct 2023 15:19:58 +0800
Subject: [PATCH] feat: zeroize

---
 src/cmd_decrypt.rs | 4 +++-
 src/cmd_encrypt.rs | 4 +++-
 src/util.rs        | 6 +++++-
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/cmd_decrypt.rs b/src/cmd_decrypt.rs
index c01bef0..c461e54 100644
--- a/src/cmd_decrypt.rs
+++ b/src/cmd_decrypt.rs
@@ -13,6 +13,7 @@ use x509_parser::prelude::FromDer;
 use x509_parser::x509::SubjectPublicKeyInfo;
 use yubikey::piv::{AlgorithmId, decrypt_data, RetiredSlotId, SlotId};
 use yubikey::YubiKey;
+use zeroize::Zeroize;
 
 use crate::{file, util};
 use crate::card::get_card;
@@ -149,7 +150,8 @@ fn decrypt_file(file_in: &mut File, file_out: &mut File, key: &[u8], nonce: &[u8
             opt_result!(file_out.write_all(&decrypted), "Write file failed: {}");
         }
     }
-    util::zeroize(key);
+    let mut key = key;
+    key.zeroize();
     Ok(total_len)
 }
 
diff --git a/src/cmd_encrypt.rs b/src/cmd_encrypt.rs
index 34c43d2..dce9a1e 100644
--- a/src/cmd_encrypt.rs
+++ b/src/cmd_encrypt.rs
@@ -8,6 +8,7 @@ use clap::Args;
 use flate2::Compression;
 use rsa::Pkcs1v15Encrypt;
 use rust_util::{debugging, failure, information, opt_result, simple_error, success, util_msg, warning, XResult};
+use zeroize::Zeroize;
 
 use crate::{util, util_ecdh};
 use crate::compress::GzStreamEncoder;
@@ -220,7 +221,8 @@ fn encrypt_file(file_in: &mut File, file_out: &mut File, key: &[u8], nonce: &[u8
             opt_result!(file_out.write_all(&encrypted), "Write file failed: {}");
         }
     }
-    util::zeroize(key);
+    let mut key = key;
+    key.zeroize();
     Ok(total_len)
 }
 
diff --git a/src/util.rs b/src/util.rs
index afa8501..c9116e4 100644
--- a/src/util.rs
+++ b/src/util.rs
@@ -45,7 +45,11 @@ pub fn require_file_not_exists(path: impl AsRef<Path>) -> XResult<()> {
 pub fn make_key256_and_nonce() -> (Vec<u8>, Vec<u8>) {
     let key: [u8; 32] = random();
     let nonce: [u8; 12] = random();
-    (key.into(), nonce.into())
+    let result = (key.into(), nonce.into());
+    let (mut key, mut nonce) = (key, nonce);
+    key.zeroize();
+    nonce.zeroize();
+    result
 }
 
 pub fn simple_kdf(input: &[u8]) -> Vec<u8> {