all: best-effort at zeroization of secrets

Author: conradoplg

Cargo.lock

@@ -74,6 +74,7 @@ zcash_keys = "0.6.0"
 zcash_primitives = "0.21.0"
 zcash_proofs = "0.21.0"
 zcash_protocol = "0.4.3"
+zeroize = "1.8.1"
 
 [patch.crates-io]
 # TODO: remove this when https://github.com/zcash/orchard/issues/430 is fully

Cargo.toml

@@ -22,6 +22,7 @@ xeddsa = { workspace = true }
 reqwest = { workspace = true, features = ["json", "rustls-tls-native-roots"] }
 tokio = { workspace = true, features = ["full"] }
 snow = { workspace = true }
+zeroize = { workspace = true, features = ["serde", "zeroize_derive"] }
 
 [features]
 default = []

dkg/Cargo.toml

@@ -3,6 +3,7 @@ use std::rc::Rc;
 use clap::Parser;
 use frost_core::{Ciphersuite, Identifier};
 use frostd::PublicKey;
+use zeroize::{Zeroize, ZeroizeOnDrop};
 
 #[derive(Parser, Debug, Default)]
 #[command(author, version, about, long_about = None)]
@@ -11,7 +12,7 @@ pub struct Args {
     pub ciphersuite: String,
 }
 
-#[derive(Clone)]
+#[derive(Clone, Zeroize)]
 pub struct ProcessedArgs<C: Ciphersuite> {
     /// CLI mode. If enabled, it will prompt for inputs from stdin
     /// and print values to stdout, ignoring other flags.
@@ -39,6 +40,7 @@ pub struct ProcessedArgs<C: Ciphersuite> {
     // using `fn()` would preclude using closures and using generics would
     // require a lot of code change for something simple.
     #[allow(clippy::type_complexity)]
+    #[zeroize(skip)]
     pub comm_participant_pubkey_getter: Option<Rc<dyn Fn(&PublicKey) -> Option<PublicKey>>>,
 
     /// The threshold to use for the shares
@@ -52,9 +54,12 @@ pub struct ProcessedArgs<C: Ciphersuite> {
     pub participants: Vec<PublicKey>,
 
     /// Identifier to use for the participant. Only needed for CLI mode.
+    #[zeroize(skip)]
     pub identifier: Option<Identifier<C>>,
 }
 
+impl<C> ZeroizeOnDrop for ProcessedArgs<C> where C: Ciphersuite {}
+
 impl<C> ProcessedArgs<C>
 where
     C: Ciphersuite,

dkg/src/args.rs

@@ -8,6 +8,7 @@ use reddsa::frost::redpallas::keys::EvenY;
 use std::collections::HashMap;
 use std::error::Error;
 use std::io::{BufRead, Write};
+use zeroize::Zeroizing;
 
 use crate::args::ProcessedArgs;
 use crate::comms::cli::CLIComms;
@@ -103,6 +104,7 @@ pub async fn cli_for_processed_args<C: Ciphersuite + 'static + MaybeIntoEvenY>(
 
     let (round2_secret_package, round2_packages) =
         frost::keys::dkg::part2(round1_secret_package, &received_round1_packages)?;
+    let round2_secret_package = Zeroizing::new(round2_secret_package);
 
     let received_round2_packages = comms
         .get_round2_packages(input, logger, round2_packages)

dkg/src/cli.rs

@@ -33,3 +33,4 @@ stable-eyre = { workspace = true }
 itertools = { workspace = true }
 xeddsa = { workspace = true }
 thiserror = { workspace = true }
+zeroize = { workspace = true, features = ["serde", "zeroize_derive"] }

frost-client/Cargo.toml

@@ -10,6 +10,7 @@ use eyre::{eyre, OptionExt};
 use frost_core::{Ciphersuite, Identifier};
 use frostd::PublicKey;
 use serde::{Deserialize, Serialize};
+use zeroize::{Zeroize, ZeroizeOnDrop, Zeroizing};
 
 use crate::{ciphersuite_helper::ciphersuite_helper, contact::Contact, write_atomic};
 
@@ -30,6 +31,14 @@ pub struct Config {
     pub group: BTreeMap<String, Group>,
 }
 
+impl Zeroize for Config {
+    fn zeroize(&mut self) {
+        self.group.iter_mut().for_each(|(_, g)| g.zeroize());
+    }
+}
+
+impl ZeroizeOnDrop for Config {}
+
 impl Config {
     pub fn contact_by_pubkey(&self, pubkey: &PublicKey) -> Result<Contact, Box<dyn Error>> {
         if Some(pubkey) == self.communication_key.as_ref().map(|c| &c.pubkey) {
@@ -49,7 +58,7 @@ impl Config {
 }
 
 /// The communication key pair for the user.
-#[derive(Clone, Debug, Serialize, Deserialize)]
+#[derive(Clone, Debug, Serialize, Deserialize, ZeroizeOnDrop)]
 pub struct CommunicationKey {
     /// The private key.
     #[serde(
@@ -62,7 +71,7 @@ pub struct CommunicationKey {
 }
 
 /// A FROST group the user belongs to.
-#[derive(Clone, Debug, Serialize, Deserialize)]
+#[derive(Clone, Debug, Serialize, Deserialize, Zeroize)]
 pub struct Group {
     /// A human-readable description of the group to make it easier to select
     /// groups
@@ -84,9 +93,12 @@ pub struct Group {
     /// The default server the participants are using, if any.
     pub server_url: Option<String>,
     /// The group participants, keyed by hex-encoded identifier
+    #[zeroize(skip)]
     pub participant: BTreeMap<String, Participant>,
 }
 
+impl ZeroizeOnDrop for Group {}
+
 impl Group {
     /// Returns a human-readable summary of the contact; used when it is
     /// printed to the terminal.
@@ -169,7 +181,7 @@ impl Config {
                 ..Default::default()
             });
         }
-        let bytes = std::fs::read(&path)?;
+        let bytes = Zeroizing::new(std::fs::read(&path)?);
         let s = str::from_utf8(&bytes)?;
         let mut config: Config = toml::from_str(s)?;
         config.path = Some(path);
@@ -178,7 +190,7 @@ impl Config {
 
     /// Write the config to path it was loaded from.
     pub fn write(&self) -> Result<(), Box<dyn Error>> {
-        let s = toml::to_string_pretty(self)?;
+        let s = Zeroizing::new(toml::to_string_pretty(self)?);
         let bytes = s.as_bytes();
         Ok(write_atomic::write_file(
             self.path

frost-client/src/config.rs

@@ -75,15 +75,15 @@ pub(crate) fn import(args: &Command) -> Result<(), Box<dyn Error>> {
     if config.contact.values().any(|c| c.pubkey == contact.pubkey) {
         return Err(eyre!(
             "pubkey {} already registered for {}",
-            hex::encode(&contact.pubkey),
+            hex::encode(&contact.pubkey.0),
             &contact.name,
         )
         .into());
     }
     if config.communication_key.as_ref().map(|c| &c.pubkey) == Some(&contact.pubkey) {
         return Err(eyre!(
             "pubkey {} already registered for yourself",
-            hex::encode(&contact.pubkey)
+            hex::encode(&contact.pubkey.0)
         )
         .into());
     }
@@ -114,7 +114,8 @@ pub(crate) fn export(args: &Command) -> Result<(), Box<dyn Error>> {
         pubkey: config
             .communication_key
             .ok_or(eyre!("pubkey not generated yet"))?
-            .pubkey,
+            .pubkey
+            .clone(),
     };
 
     eprintln!("Exporting this information:");

frost-client/src/contact.rs

@@ -10,6 +10,7 @@ use dkg::cli::MaybeIntoEvenY;
 use frost_core::Ciphersuite;
 use frost_ed25519::Ed25519Sha512;
 use reqwest::Url;
+use zeroize::Zeroizing;
 
 use crate::{
     args::Command,
@@ -57,7 +58,8 @@ pub(crate) async fn dkg_for_ciphersuite<C: Ciphersuite + MaybeIntoEvenY + 'stati
         .communication_key
         .clone()
         .ok_or_eyre("user not initialized")?
-        .pubkey;
+        .pubkey
+        .clone();
 
     let mut participants = participants
         .iter()
@@ -83,7 +85,8 @@ pub(crate) async fn dkg_for_ciphersuite<C: Ciphersuite + MaybeIntoEvenY + 'stati
                 .communication_key
                 .clone()
                 .ok_or_eyre("user not initialized")?
-                .privkey,
+                .privkey
+                .clone(),
         ),
         comm_pubkey: Some(comm_pubkey),
         comm_participant_pubkey_getter: Some(Rc::new(move |participant_pubkey| {
@@ -101,6 +104,7 @@ pub(crate) async fn dkg_for_ciphersuite<C: Ciphersuite + MaybeIntoEvenY + 'stati
     // Generate key shares
     let (key_package, public_key_package, pubkey_map) =
         dkg::cli::cli_for_processed_args::<C>(dkg_config, &mut input, &mut output).await?;
+    let key_package = Zeroizing::new(key_package);
 
     // Reverse pubkey_map
     let pubkey_map = pubkey_map

frost-client/src/dkg.rs

@@ -72,7 +72,8 @@ pub(crate) fn trusted_dealer_for_ciphersuite<C: Ciphersuite + MaybeIntoEvenY + '
         let pubkey = config
             .communication_key
             .ok_or_eyre("config not initialized")?
-            .pubkey;
+            .pubkey
+            .clone();
         let participant = Participant {
             identifier: identifier.serialize(),
             pubkey: pubkey.clone(),

frost-client/src/trusted_dealer.rs

@@ -28,6 +28,7 @@ xeddsa = { workspace = true }
 futures-util = { workspace = true }
 futures = { workspace = true }
 thiserror = { workspace = true }
+zeroize = { workspace = true, features = ["serde", "zeroize_derive"] }
 # ring is enabled due to the following issue:
 # - we enable rustls for reqwest because it's required to workaround an issue
 #   when adding root certificates (see test_http), and that imports rustls

frostd/Cargo.toml

@@ -2,6 +2,7 @@ use frost_core::{Ciphersuite, SigningPackage};
 use frost_rerandomized::Randomizer;
 use serde::{Deserialize, Serialize};
 pub use uuid::Uuid;
+use zeroize::Zeroize;
 
 #[derive(Debug, Serialize, Deserialize)]
 pub struct Error {
@@ -72,7 +73,7 @@ pub struct GetSessionInfoOutput {
     pub coordinator_pubkey: PublicKey,
 }
 
-#[derive(Clone, Serialize, Deserialize, PartialEq, Eq, Hash)]
+#[derive(Clone, Serialize, Deserialize, PartialEq, Eq, Hash, Zeroize)]
 #[serde(transparent)]
 pub struct PublicKey(
     #[serde(

frostd/src/types.rs

@@ -24,6 +24,7 @@ frostd = { workspace = true }
 rpassword = { workspace = true }
 snow = { workspace = true }
 xeddsa = { workspace = true }
+zeroize = { workspace = true, features = ["serde", "zeroize_derive"] }
 
 [features]
 default = []

participant/Cargo.toml

@@ -12,6 +12,7 @@ use frost_core::{
     Ciphersuite,
 };
 use frostd::PublicKey;
+use zeroize::{Zeroize, ZeroizeOnDrop};
 
 use crate::input::read_from_file_or_stdin;
 
@@ -46,7 +47,7 @@ pub struct Args {
     pub session_id: String,
 }
 
-#[derive(Clone)]
+#[derive(Clone, Zeroize)]
 pub struct ProcessedArgs<C: Ciphersuite> {
     /// CLI mode. If enabled, it will prompt for inputs from stdin
     /// and print values to stdout, ignoring other flags.
@@ -83,9 +84,12 @@ pub struct ProcessedArgs<C: Ciphersuite> {
     // using `fn()` would preclude using closures and using generics would
     // require a lot of code change for something simple.
     #[allow(clippy::type_complexity)]
+    #[zeroize(skip)]
     pub comm_coordinator_pubkey_getter: Option<Rc<dyn Fn(&PublicKey) -> Option<PublicKey>>>,
 }
 
+impl<C> ZeroizeOnDrop for ProcessedArgs<C> where C: Ciphersuite {}
+
 impl<C: Ciphersuite + 'static> ProcessedArgs<C> {
     /// Create a ProcessedArgs from a Args.
     ///

participant/src/args.rs

@@ -15,6 +15,7 @@ use frost_rerandomized::RandomizedCiphersuite;
 use rand::thread_rng;
 use reddsa::frost::redpallas::PallasBlake2b512;
 use std::io::{BufRead, Write};
+use zeroize::Zeroizing;
 
 pub async fn cli<C: RandomizedCiphersuite + 'static>(
     args: &Args,
@@ -40,10 +41,11 @@ pub async fn cli_for_processed_args<C: RandomizedCiphersuite + 'static>(
 
     // Round 1
 
-    let key_package = pargs.key_package;
+    let key_package = &pargs.key_package;
 
     let mut rng = thread_rng();
-    let (nonces, commitments) = generate_nonces_and_commitments(&key_package, &mut rng);
+    let (nonces, commitments) = generate_nonces_and_commitments(key_package, &mut rng);
+    let nonces = Zeroizing::new(nonces);
 
     if pargs.cli {
         print_values(commitments, logger)?;
@@ -73,7 +75,7 @@ pub async fn cli_for_processed_args<C: RandomizedCiphersuite + 'static>(
         .confirm_message(input, logger, &round_2_config)
         .await?;
 
-    let signature = generate_signature(round_2_config, &key_package, &nonces)?;
+    let signature = generate_signature(round_2_config, key_package, &nonces)?;
 
     comms
         .send_signature_share(*key_package.identifier(), signature)