feat: zeroize

src/cmd_decrypt.rs

@@ -13,6 +13,7 @@ use x509_parser::prelude::FromDer;
 use x509_parser::x509::SubjectPublicKeyInfo;
 use yubikey::piv::{AlgorithmId, decrypt_data, RetiredSlotId, SlotId};
 use yubikey::YubiKey;
+use zeroize::Zeroize;
 
 use crate::{file, util};
 use crate::card::get_card;
@@ -149,7 +150,8 @@ fn decrypt_file(file_in: &mut File, file_out: &mut File, key: &[u8], nonce: &[u8
             opt_result!(file_out.write_all(&decrypted), "Write file failed: {}");
         }
     }
-    util::zeroize(key);
+    let mut key = key;
+    key.zeroize();
     Ok(total_len)
 }
 

src/cmd_encrypt.rs

@@ -8,6 +8,7 @@ use clap::Args;
 use flate2::Compression;
 use rsa::Pkcs1v15Encrypt;
 use rust_util::{debugging, failure, information, opt_result, simple_error, success, util_msg, warning, XResult};
+use zeroize::Zeroize;
 
 use crate::{util, util_ecdh};
 use crate::compress::GzStreamEncoder;
@@ -220,7 +221,8 @@ fn encrypt_file(file_in: &mut File, file_out: &mut File, key: &[u8], nonce: &[u8
             opt_result!(file_out.write_all(&encrypted), "Write file failed: {}");
         }
     }
-    util::zeroize(key);
+    let mut key = key;
+    key.zeroize();
     Ok(total_len)
 }
 

src/util.rs

@@ -45,7 +45,11 @@ pub fn require_file_not_exists(path: impl AsRef<Path>) -> XResult<()> {
 pub fn make_key256_and_nonce() -> (Vec<u8>, Vec<u8>) {
     let key: [u8; 32] = random();
     let nonce: [u8; 12] = random();
-    (key.into(), nonce.into())
+    let result = (key.into(), nonce.into());
+    let (mut key, mut nonce) = (key, nonce);
+    key.zeroize();
+    nonce.zeroize();
+    result
 }
 
 pub fn simple_kdf(input: &[u8]) -> Vec<u8> {