Implement Zeroize on various types

bilelmoussaoui · bilelmoussaoui · commit 11554ef47459 · 2026-03-30T13:54:06.000+02:00
diff --git a/client/src/dbus/api/secret.rs b/client/src/dbus/api/secret.rs
@@ -7,14 +7,14 @@ use zeroize::{Zeroize, ZeroizeOnDrop};
 use super::Session;
 use crate::{Key, Secret, crypto, dbus::Error, secret::ContentType};
 
-#[derive(Debug, Serialize, Deserialize, Type)]
+#[derive(Debug, Serialize, Deserialize, Type, Zeroize, ZeroizeOnDrop)]
 #[zvariant(signature = "(oayays)")]
 /// Same as [`DBusSecret`] without tying the session path to a [`Session`] type.
 pub struct DBusSecretInner(
-    pub OwnedObjectPath,
+    #[zeroize(skip)] pub OwnedObjectPath,
     #[serde(with = "serde_bytes")] pub Vec<u8>,
     #[serde(with = "serde_bytes")] pub Vec<u8>,
-    pub ContentType,
+    #[zeroize(skip)] pub ContentType,
 );
 
 #[derive(Debug, Type, Zeroize, ZeroizeOnDrop)]
@@ -58,9 +58,9 @@ impl DBusSecret {
 
     pub async fn from_inner(cnx: &zbus::Connection, inner: DBusSecretInner) -> Result<Self, Error> {
         Ok(Self {
-            session: Arc::new(Session::new(cnx, inner.0).await?),
-            parameters: inner.1,
-            value: inner.2,
+            session: Arc::new(Session::new(cnx, inner.0.clone()).await?),
+            parameters: inner.1.clone(),
+            value: inner.2.clone(),
             content_type: inner.3,
         })
     }
diff --git a/client/src/file/api/encrypted_item.rs b/client/src/file/api/encrypted_item.rs
@@ -2,12 +2,14 @@ use std::collections::HashMap;
 
 use serde::{Deserialize, Serialize};
 use zbus::zvariant::Type;
+use zeroize::{Zeroize, ZeroizeOnDrop};
 
 use super::{Error, UnlockedItem};
 use crate::{Key, Mac, crypto};
 
-#[derive(Deserialize, Serialize, Type, Debug, Clone)]
+#[derive(Deserialize, Serialize, Type, Debug, Clone, Zeroize, ZeroizeOnDrop)]
 pub(crate) struct EncryptedItem {
+    #[zeroize(skip)]
     pub(crate) hashed_attributes: HashMap<String, Mac>,
     #[serde(with = "serde_bytes")]
     pub(crate) blob: Vec<u8>,
diff --git a/client/src/file/api/legacy_keyring.rs b/client/src/file/api/legacy_keyring.rs
@@ -6,6 +6,7 @@ use std::{
 };
 
 use endi::{Endian, ReadBytes};
+use zeroize::{Zeroize, ZeroizeOnDrop};
 
 use super::{Secret, UnlockedItem};
 use crate::{
@@ -19,7 +20,7 @@ const FILE_HEADER_LEN: usize = FILE_HEADER.len();
 pub const MAJOR_VERSION: u8 = 0;
 pub const MINOR_VERSION: u8 = 0;
 
-#[derive(Debug)]
+#[derive(Debug, Zeroize, ZeroizeOnDrop)]
 pub struct Keyring {
     salt: Vec<u8>,
     iteration_count: u32,
diff --git a/client/src/file/api/mod.rs b/client/src/file/api/mod.rs
@@ -44,6 +44,7 @@ mod legacy_keyring;
 
 pub(super) use encrypted_item::EncryptedItem;
 pub(super) use legacy_keyring::{Keyring as LegacyKeyring, MAJOR_VERSION as LEGACY_MAJOR_VERSION};
+use zeroize::{Zeroize, ZeroizeOnDrop};
 
 use crate::{
     AsAttributes, Key, Secret, crypto,
@@ -67,14 +68,15 @@ pub(crate) static GVARIANT_ENCODING: LazyLock<Context> =
     LazyLock::new(|| Context::new_gvariant(Endian::Little, 0));
 
 /// Logical contents of a keyring file
-#[derive(Deserialize, Serialize, Type, Debug)]
+#[derive(Deserialize, Serialize, Type, Debug, Zeroize, ZeroizeOnDrop)]
 pub struct Keyring {
     salt_size: u32,
     #[serde(with = "serde_bytes")]
     salt: Vec<u8>,
     iteration_count: u32,
     modified_time: u64,
     usage_count: u32,
+    #[zeroize(skip)]
     pub(in crate::file) items: Vec<EncryptedItem>,
 }
 
diff --git a/client/src/mac.rs b/client/src/mac.rs
@@ -2,11 +2,12 @@ use serde::{Deserialize, Serialize};
 #[cfg(feature = "native_crypto")]
 use subtle::ConstantTimeEq;
 use zbus::zvariant::Type;
+use zeroize::{Zeroize, ZeroizeOnDrop};
 
 // There is no constructor to avoid performing sanity checks, e.g. length.
 /// A message authentication code. It provides constant-time comparison when
 /// compared against another mac or against a slice of bytes.
-#[derive(Deserialize, Serialize, Type, Clone)]
+#[derive(Deserialize, Serialize, Type, Clone, Zeroize, ZeroizeOnDrop)]
 pub struct Mac(#[serde(with = "serde_bytes")] Vec<u8>);
 
 impl std::fmt::Debug for Mac {
diff --git a/server/src/collection/mod.rs b/server/src/collection/mod.rs
@@ -225,22 +225,22 @@ impl Collection {
         let keyring = self.keyring.read().await;
         let keyring = keyring.as_ref().unwrap().as_unlocked();
 
-        let DBusSecretInner(session_path, iv, secret_bytes, content_type) = secret;
+        let DBusSecretInner(ref session_path, ref iv, ref secret_bytes, ref content_type) = secret;
         let label = properties.label();
         // Safe to unwrap as an item always has attributes
         let mut attributes = properties.attributes().unwrap().to_owned();
 
-        let Some(session) = self.service.session(&session_path).await else {
+        let Some(session) = self.service.session(session_path).await else {
             tracing::error!("The session `{}` does not exist.", session_path);
             return Err(ServiceError::NoSession(format!(
                 "The session `{session_path}` does not exist."
             )));
         };
 
         let secret = match session.aes_key() {
-            Some(key) => oo7::crypto::decrypt(secret_bytes, &key, &iv)
+            Some(key) => oo7::crypto::decrypt(secret_bytes, &key, iv)
                 .map_err(|err| custom_service_error(&format!("Failed to decrypt secret {err}.")))?,
-            None => zeroize::Zeroizing::new(secret_bytes),
+            None => zeroize::Zeroizing::new(secret_bytes.clone()),
         };
 
         // Ensure content-type attribute is stored
diff --git a/server/src/item/mod.rs b/server/src/item/mod.rs
@@ -139,9 +139,9 @@ impl Item {
     }
 
     pub async fn set_secret(&self, secret: DBusSecretInner) -> Result<(), ServiceError> {
-        let DBusSecretInner(session, iv, secret, content_type) = secret;
+        let DBusSecretInner(ref session, ref iv, ref secret, ref content_type) = secret;
 
-        let Some(session) = self.service.session(&session).await else {
+        let Some(session) = self.service.session(session).await else {
             tracing::error!("The session `{}` does not exist.", session);
             return Err(ServiceError::NoSession(format!(
                 "The session `{session}` does not exist."
@@ -162,7 +162,7 @@ impl Item {
 
             match session.aes_key() {
                 Some(key) => {
-                    let decrypted = oo7::crypto::decrypt(secret, &key, &iv).map_err(|err| {
+                    let decrypted = oo7::crypto::decrypt(secret, &key, iv).map_err(|err| {
                         custom_service_error(&format!("Failed to decrypt secret {err}."))
                     })?;
                     inner.as_mut_unlocked().set_secret(decrypted);
