feat(rust): added zeroize on LocalMessage

build-trust · Dec 23, 2024 · 098958d · 098958d
1 parent 59ff67a
commit 098958d
Show file tree

Hide file tree

Showing 21 changed files with 322 additions and 63 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/implementations/rust/ockam/ockam_api/src/echoer.rs b/implementations/rust/ockam/ockam_api/src/echoer.rs
@@ -13,7 +13,10 @@ impl Worker for Echoer {
     async fn handle_message(&mut self, ctx: &mut Context, msg: Routed<Any>) -> Result<()> {
         log::debug!(src = %msg.src_addr(), from = %msg.sender()?, to = %msg.return_route().next()?, "echoing back");
         let msg = msg.into_local_message();
-        ctx.send(msg.return_route, NeutralMessage::from(msg.payload))
-            .await
+        ctx.send(
+            msg.return_route,
+            NeutralMessage::from(msg.payload.discard_zeroize()),
+        )
+        .await
     }
 }
diff --git a/implementations/rust/ockam/ockam_api/src/proxy_vault/protocol.rs b/implementations/rust/ockam/ockam_api/src/proxy_vault/protocol.rs
@@ -4,10 +4,11 @@ use minicbor::{CborLen, Decode, Encode};
 use ockam::identity::{utils, TimestampInSeconds, Vault};
 use ockam_core::errcode::{Kind, Origin};
 use ockam_core::{
-    async_trait, cbor_encode_preallocate, route, Address, NeutralMessage, Route, Routed, Worker,
+    async_trait, cbor_encode_preallocate, route, Address, NeutralMessage, OnDrop, Route, Routed,
+    Worker,
 };
 use ockam_multiaddr::MultiAddr;
-use ockam_node::Context;
+use ockam_node::{Context, MessageSendReceiveOptions};
 use std::sync::Arc;
 use tokio::sync::Mutex as AsyncMutex;
 
@@ -245,11 +246,13 @@ impl SpecificClient {
         let response: NeutralMessage = self
             .client
             .context
-            .send_and_receive(
+            .send_and_receive_extended(
                 route![route, self.destination.clone()],
                 NeutralMessage::from(encoded),
+                MessageSendReceiveOptions::new().with_on_drop(OnDrop::Zeroize),
             )
-            .await?;
+            .await?
+            .into_body()?;
 
         Ok(minicbor::decode::<RS>(&response.into_vec())?)
     }
@@ -258,7 +261,7 @@ impl SpecificClient {
 mod vault_for_signing {
     use crate::proxy_vault::protocol::{ProxyError, SpecificClient};
     use minicbor::{CborLen, Decode, Encode};
-    use ockam_core::{async_trait, cbor_encode_preallocate};
+    use ockam_core::{async_trait, cbor_encode_preallocate, MaybeZeroizeOnDrop};
     use ockam_vault::{
         Signature, SigningKeyType, SigningSecretKeyHandle, VaultForSigning, VerifyingPublicKey,
     };
@@ -296,7 +299,7 @@ mod vault_for_signing {
 
     pub(super) async fn handle_request(
         vault: &dyn VaultForSigning,
-        request: Vec<u8>,
+        request: MaybeZeroizeOnDrop<Vec<u8>>,
     ) -> ockam_core::Result<Vec<u8>> {
         let request: Request = minicbor::decode(&request)?;
         let response = match request {
@@ -480,15 +483,15 @@ mod vault_for_signing {
 pub mod vault_for_secure_channels {
     use crate::proxy_vault::protocol::{ProxyError, SpecificClient};
     use minicbor::{CborLen, Decode, Encode};
-    use ockam_core::{async_trait, cbor_encode_preallocate};
+    use ockam_core::{async_trait, cbor_encode_preallocate, MaybeZeroizeOnDrop};
     use ockam_vault::{
         AeadSecretKeyHandle, HKDFNumberOfOutputs, HashOutput, HkdfOutput, SecretBufferHandle,
         VaultForSecureChannels, X25519PublicKey, X25519SecretKeyHandle,
     };
 
     pub(super) async fn handle_request(
         vault: &dyn VaultForSecureChannels,
-        request: Vec<u8>,
+        request: MaybeZeroizeOnDrop<Vec<u8>>,
     ) -> ockam_core::Result<Vec<u8>> {
         let request: Request = minicbor::decode(&request)?;
         let response = match request {
@@ -1084,12 +1087,12 @@ pub mod vault_for_secure_channels {
 pub mod vault_for_verify_signatures {
     use crate::proxy_vault::protocol::{ProxyError, SpecificClient};
     use minicbor::{CborLen, Decode, Encode};
-    use ockam_core::{async_trait, cbor_encode_preallocate};
+    use ockam_core::{async_trait, cbor_encode_preallocate, MaybeZeroizeOnDrop};
     use ockam_vault::{Sha256Output, Signature, VaultForVerifyingSignatures, VerifyingPublicKey};
 
     pub(super) async fn handle_request(
         vault: &dyn VaultForVerifyingSignatures,
-        request: Vec<u8>,
+        request: MaybeZeroizeOnDrop<Vec<u8>>,
     ) -> ockam_core::Result<Vec<u8>> {
         let request: Request = minicbor::decode(&request)?;
         let response = match request {
@@ -1179,12 +1182,12 @@ pub mod vault_for_verify_signatures {
 pub mod vault_for_encryption_at_rest {
     use crate::proxy_vault::protocol::{ProxyError, SpecificClient};
     use minicbor::{CborLen, Decode, Encode};
-    use ockam_core::{async_trait, cbor_encode_preallocate};
+    use ockam_core::{async_trait, cbor_encode_preallocate, MaybeZeroizeOnDrop};
     use ockam_vault::{AeadSecretKeyHandle, VaultForEncryptionAtRest};
 
     pub(super) async fn handle_request(
         vault: &dyn VaultForEncryptionAtRest,
-        request: Vec<u8>,
+        request: MaybeZeroizeOnDrop<Vec<u8>>,
     ) -> ockam_core::Result<Vec<u8>> {
         let request: Request = minicbor::decode(&request)?;
         let response = match request {

diff --git a/implementations/rust/ockam/ockam_api/tests/common/session.rs b/implementations/rust/ockam/ockam_api/tests/common/session.rs
@@ -53,7 +53,7 @@ impl Worker for MockEchoer {
 
         ctx.send(
             msg.return_route().clone(),
-            NeutralMessage::from(msg.into_payload()),
+            NeutralMessage::from(msg.into_payload().discard_zeroize()),
         )
         .await?;
         info!("Echo message back");

diff --git a/implementations/rust/ockam/ockam_core/Cargo.toml b/implementations/rust/ockam/ockam_core/Cargo.toml
@@ -98,6 +98,7 @@ tracing-opentelemetry = { version = "0.27.0", optional = true }
 tracing-subscriber = { version = "0.3", features = ["fmt", "env-filter"], optional = true }
 # Wasn't tested on no_std
 utcnow = { version = "0.2.5", default-features = false, features = ["fallback"], optional = true }
+zeroize = { version = "1.8", default-features = false }
 
 [dev-dependencies]
 cddl-cat = { version = "0.6.2" }

diff --git a/implementations/rust/ockam/ockam_core/src/cbor/cow_bytes.rs b/implementations/rust/ockam/ockam_core/src/cbor/cow_bytes.rs
@@ -4,6 +4,7 @@ use crate::compat::vec::Vec;
 use core::ops::Deref;
 use minicbor::{CborLen, Decode, Encode};
 use serde::{Deserialize, Serialize};
+use zeroize::Zeroize;
 
 /// A new type around `Cow<'_, [u8]>` that borrows from input.
 ///
@@ -79,3 +80,17 @@ impl<'a> Deref for CowBytes<'a> {
         &self.0
     }
 }
+
+impl Default for CowBytes<'_> {
+    fn default() -> Self {
+        CowBytes(Cow::Borrowed(&[]))
+    }
+}
+
+impl Zeroize for CowBytes<'_> {
+    fn zeroize(&mut self) {
+        if !self.is_borrowed() {
+            self.0.to_mut().zeroize();
+        }
+    }
+}
diff --git a/implementations/rust/ockam/ockam_core/src/lib.rs b/implementations/rust/ockam/ockam_core/src/lib.rs
@@ -86,6 +86,7 @@ mod processor;
 mod routing;
 mod uint;
 mod worker;
+mod zeroize;
 
 pub use access_control::*;
 pub use cbor::*;
@@ -96,6 +97,7 @@ pub use processor::*;
 pub use routing::*;
 pub use uint::*;
 pub use worker::*;
+pub use zeroize::*;
 
 #[cfg(all(not(feature = "std"), feature = "alloc"))]
 #[doc(hidden)]

diff --git a/implementations/rust/ockam/ockam_core/src/message.rs b/implementations/rust/ockam/ockam_core/src/message.rs
@@ -1,3 +1,4 @@
+use crate::zeroize::MaybeZeroizeOnDrop;
 use crate::{
     compat::{
         string::{String, ToString},
@@ -244,7 +245,7 @@ impl<M: Message> Routed<M> {
     /// Consume the message wrapper and return the original message.
     #[inline]
     pub fn into_body(self) -> Result<M> {
-        M::decode(&self.into_payload())
+        M::decode(self.payload())
     }
 
     /// Consume the message wrapper and return the underlying local message.
@@ -267,7 +268,7 @@ impl<M: Message> Routed<M> {
 
     /// Consume the message wrapper and return the underlying transport message's binary payload.
     #[inline]
-    pub fn into_payload(self) -> Vec<u8> {
+    pub fn into_payload(self) -> MaybeZeroizeOnDrop<Vec<u8>> {
         self.local_msg.into_payload()
     }
 }

diff --git a/implementations/rust/ockam/ockam_core/src/routing/message/local_message.rs b/implementations/rust/ockam/ockam_core/src/routing/message/local_message.rs
@@ -1,7 +1,8 @@
 #[cfg(feature = "std")]
 use crate::OpenTelemetryContext;
-use crate::{compat::vec::Vec, route, Address, Message, Route, TransportMessage};
+use crate::{compat::vec::Vec, route, Address, Message, OnDrop, Route, TransportMessage};
 
+use crate::zeroize::MaybeZeroizeOnDrop;
 use crate::{LocalInfo, Result};
 use cfg_if::cfg_if;
 use serde::{Deserialize, Serialize};
@@ -46,7 +47,7 @@ pub struct LocalMessage {
     /// Return message route. This field must be populated by routers handling this message along the way.
     pub return_route: Route,
     /// The message payload.
-    pub payload: Vec<u8>,
+    pub payload: MaybeZeroizeOnDrop<Vec<u8>>,
     /// Local information added by workers to give additional context to the message
     /// independently of its payload. For example this can be used to store the identifier that
     /// was used to encrypt the payload
@@ -142,7 +143,7 @@ impl LocalMessage {
     }
 
     /// Return the message payload
-    pub fn into_payload(self) -> Vec<u8> {
+    pub fn into_payload(self) -> MaybeZeroizeOnDrop<Vec<u8>> {
         self.payload
     }
 
@@ -153,12 +154,12 @@ impl LocalMessage {
 
     /// Return a mutable reference to the message payload
     pub fn payload_mut(&mut self) -> &mut Vec<u8> {
-        &mut self.payload
+        self.payload.as_mut()
     }
 
     /// Set the message payload
     pub fn set_payload(mut self, payload: Vec<u8>) -> Self {
-        self.payload = payload;
+        self.payload = MaybeZeroizeOnDrop::new(payload, OnDrop::NoZeroize);
         self
     }
 
@@ -213,7 +214,7 @@ impl LocalMessage {
             1,
             self.onward_route,
             self.return_route,
-            self.payload,
+            self.payload.discard_zeroize(),
             None,
         );
 
@@ -285,7 +286,7 @@ impl LocalMessage {
         LocalMessage {
             onward_route,
             return_route,
-            payload,
+            payload: MaybeZeroizeOnDrop::new(payload, OnDrop::NoZeroize),
             local_info,
             #[cfg(feature = "std")]
             tracing_context: OpenTelemetryContext::current(),
@@ -316,7 +317,18 @@ impl LocalMessage {
 
     /// Specify the payload for the message
     pub fn with_payload(self, payload: Vec<u8>) -> Self {
-        Self { payload, ..self }
+        Self {
+            payload: MaybeZeroizeOnDrop::new(payload, OnDrop::NoZeroize),
+            ..self
+        }
+    }
+
+    /// Specify the payload for the message with zeroization
+    pub fn with_payload_on_drop(self, payload: Vec<u8>, on_drop: OnDrop) -> Self {
+        Self {
+            payload: MaybeZeroizeOnDrop::new(payload, on_drop),
+            ..self
+        }
     }
 
     /// Specify the local information for the message