[bssl] Make hkdf return Zeroizing type
This cl modifies the output of hkdf to be of Zeroizing type,
ensuring that the key is zeroized when it is dropped.
Test: atest rialto_test & m pvmfw_bin
Bug: 279425980
Change-Id: I903c0b0129cd388b9831d87ddf6d29978350c252
diff --git a/libs/bssl/src/hkdf.rs b/libs/bssl/src/hkdf.rs
index 5dc6876..85bd1ff 100644
--- a/libs/bssl/src/hkdf.rs
+++ b/libs/bssl/src/hkdf.rs
@@ -18,6 +18,7 @@
use crate::util::check_int_result;
use bssl_avf_error::{ApiName, Result};
use bssl_ffi::HKDF;
+use zeroize::Zeroizing;
/// Computes HKDF (as specified by [RFC 5869]) of initial keying material `secret` with
/// `salt` and `info` using the given `digester`.
@@ -28,8 +29,8 @@
salt: &[u8],
info: &[u8],
digester: Digester,
-) -> Result<[u8; N]> {
- let mut key = [0u8; N];
+) -> Result<Zeroizing<[u8; N]>> {
+ let mut key = Zeroizing::new([0u8; N]);
// SAFETY: Only reads from/writes to the provided slices and the digester was non-null.
let ret = unsafe {
HKDF(
diff --git a/libs/bssl/tests/hkdf_test.rs b/libs/bssl/tests/hkdf_test.rs
index 1cda042..2e10314 100644
--- a/libs/bssl/tests/hkdf_test.rs
+++ b/libs/bssl/tests/hkdf_test.rs
@@ -33,7 +33,7 @@
0x2a, 0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a, 0x5a, 0x4c, 0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4,
0xc5, 0xbf, 0x34, 0x00, 0x72, 0x08, 0xd5, 0xb8, 0x87, 0x18, 0x58, 0x65,
];
- assert_eq!(OKM, hkdf::<L>(&IKM, &SALT, &INFO, Digester::sha256())?);
+ assert_eq!(OKM, hkdf::<L>(&IKM, &SALT, &INFO, Digester::sha256())?.as_slice());
Ok(())
}
@@ -72,7 +72,7 @@
0xac, 0xa3, 0xdb, 0x71, 0xcc, 0x30, 0xc5, 0x81, 0x79, 0xec, 0x3e, 0x87, 0xc1, 0x4c, 0x01,
0xd5, 0xc1, 0xf3, 0x43, 0x4f, 0x1d, 0x87,
];
- assert_eq!(OKM, hkdf::<L>(&IKM, &SALT, &INFO, Digester::sha256())?);
+ assert_eq!(OKM, hkdf::<L>(&IKM, &SALT, &INFO, Digester::sha256())?.as_slice());
Ok(())
}
@@ -90,6 +90,6 @@
0x31, 0xb8, 0xa1, 0x1f, 0x5c, 0x5e, 0xe1, 0x87, 0x9e, 0xc3, 0x45, 0x4e, 0x5f, 0x3c, 0x73,
0x8d, 0x2d, 0x9d, 0x20, 0x13, 0x95, 0xfa, 0xa4, 0xb6, 0x1a, 0x96, 0xc8,
];
- assert_eq!(OKM, hkdf::<L>(&IKM, &SALT, &INFO, Digester::sha256())?);
+ assert_eq!(OKM, hkdf::<L>(&IKM, &SALT, &INFO, Digester::sha256())?.as_slice());
Ok(())
}
diff --git a/pvmfw/src/instance.rs b/pvmfw/src/instance.rs
index 75bc3d3..22839cb 100644
--- a/pvmfw/src/instance.rs
+++ b/pvmfw/src/instance.rs
@@ -135,7 +135,8 @@
let payload = &blk[..payload_size];
let mut entry = [0; size_of::<EntryBody>()];
- let aead = AeadCtx::new_aes_256_gcm_randnonce(&key).map_err(Error::FailedOpen)?;
+ let aead =
+ AeadCtx::new_aes_256_gcm_randnonce(key.as_slice()).map_err(Error::FailedOpen)?;
let decrypted = aead.open(&mut entry, payload).map_err(Error::FailedOpen)?;
let body = EntryBody::read_from(decrypted).unwrap();
@@ -153,7 +154,8 @@
let salt = rand::random_array().map_err(Error::FailedSaltGeneration)?;
let body = EntryBody::new(dice_inputs, &salt);
- let aead = AeadCtx::new_aes_256_gcm_randnonce(&key).map_err(Error::FailedSeal)?;
+ let aead =
+ AeadCtx::new_aes_256_gcm_randnonce(key.as_slice()).map_err(Error::FailedSeal)?;
// We currently only support single-blk entries.
let plaintext = body.as_bytes();
assert!(plaintext.len() + aead.aead().unwrap().max_overhead() < blk.len());