[bssl] Make hkdf return Zeroizing type
This cl modifies the output of hkdf to be of Zeroizing type,
ensuring that the key is zeroized when it is dropped.
Test: atest rialto_test & m pvmfw_bin
Bug: 279425980
Change-Id: I903c0b0129cd388b9831d87ddf6d29978350c252
diff --git a/libs/bssl/src/hkdf.rs b/libs/bssl/src/hkdf.rs
index 5dc6876..85bd1ff 100644
--- a/libs/bssl/src/hkdf.rs
+++ b/libs/bssl/src/hkdf.rs
@@ -18,6 +18,7 @@
use crate::util::check_int_result;
use bssl_avf_error::{ApiName, Result};
use bssl_ffi::HKDF;
+use zeroize::Zeroizing;
/// Computes HKDF (as specified by [RFC 5869]) of initial keying material `secret` with
/// `salt` and `info` using the given `digester`.
@@ -28,8 +29,8 @@
salt: &[u8],
info: &[u8],
digester: Digester,
-) -> Result<[u8; N]> {
- let mut key = [0u8; N];
+) -> Result<Zeroizing<[u8; N]>> {
+ let mut key = Zeroizing::new([0u8; N]);
// SAFETY: Only reads from/writes to the provided slices and the digester was non-null.
let ret = unsafe {
HKDF(