Overwrite secrets and passwords after use

Author: replydev

Cargo.toml

@@ -22,4 +22,5 @@ data-encoding = "2.3.2"
 totp-lite = "1.0.3"
 crossterm = "0.20"
 tui = { version = "0.16.0", features = ["crossterm"], default-features = false }
-copypasta-ext = "0.3.7"
+copypasta-ext = "0.3.7"
+zeroize = "1.4.1"

src/argument_functions.rs

@@ -2,6 +2,7 @@ use crate::{cryptography, database_loader};
 use crate::cryptography::prompt_for_passwords;
 use crate::importers;
 use crate::otp::{otp_element::OTPElement, otp_helper};
+use zeroize::Zeroize;
 
 pub fn help() {
     println!("USAGE:");
@@ -45,14 +46,16 @@ pub fn import(args: Vec<String>) {
             }
         }
 
-        match database_loader::overwrite_database(elements, &cryptography::prompt_for_passwords("Choose a password: ", 8, true)) {
+        let mut pw = cryptography::prompt_for_passwords("Choose a password: ", 8, true);
+        match database_loader::overwrite_database(elements, &pw) {
             Ok(()) => {
                 println!("Successfully imported database");
             }
             Err(e) => {
                 eprintln!("An error occurred during database overwriting: {}", e);
             }
         }
+        pw.zeroize();
     } else {
         println!("Invalid arguments, type cotp --import [APPNAME] [PATH]");
         println!("cotp can import backup from:");
@@ -75,10 +78,12 @@ pub fn add(args: Vec<String>) {
             return;
         }
 
-        match database_loader::add_element(&prompt_for_passwords("Insert the secret: ", 0, false), &args[2], &args[3], &args[4], digits) {
+        let mut secret = prompt_for_passwords("Insert the secret: ", 0, false);
+        match database_loader::add_element(&secret, &args[2], &args[3], &args[4], digits) {
             Ok(()) => println!("Success"),
             Err(e) => eprintln!("An error occurred: {}", e)
         }
+        secret.zeroize();
     } else {
         println!("Invalid arguments, type cotp --add [ISSUER] [LABEL] [ALGORITHM] [DIGITS]");
     }
@@ -100,7 +105,7 @@ pub fn remove(args: Vec<String>) {
 pub fn edit(args: Vec<String>) {
     if args.len() == 7 {
         let id = args[2].parse::<usize>().unwrap();
-        let secret = &prompt_for_passwords("Insert the secret (type ENTER to skip modification): ", 0, false);
+        let mut secret = prompt_for_passwords("Insert the secret (type ENTER to skip modification): ", 0, false);
         let issuer = &args[3];
         let label = &args[4];
         let algorithm = &args[5];
@@ -112,6 +117,7 @@ pub fn edit(args: Vec<String>) {
             Ok(()) => println!("Success"),
             Err(e) => eprintln!("An error occurred: {}", e)
         }
+        secret.zeroize();
     } else {
         println!("Invalid arguments, type cotp --edit [ID] [ISSUER] [LABEL] [ALGORITHM] [DIGITS]\n\nReplace the attribute value with \".\" to skip the attribute modification");
     }
@@ -164,7 +170,7 @@ pub fn single(args: Vec<String>) {
 pub fn info(args: Vec<String>) {
     if args.len() == 3 {
         let id = args[2].parse::<usize>().unwrap();
-        match otp_helper::print_json_result(id) {
+        match otp_helper::print_element_info(id) {
             Ok(()) => {}
             Err(e) => eprintln!("An error occurred: {}", e),
         }
@@ -175,15 +181,17 @@ pub fn info(args: Vec<String>) {
 
 pub fn change_password(args: Vec<String>) {
     if args.len() == 2 {
-        let old_password = &cryptography::prompt_for_passwords("Old password: ", 8, false);
-        let decrypted_text = database_loader::read_decrypted_text(old_password);
+        let mut old_password = cryptography::prompt_for_passwords("Old password: ", 8, false);
+        let decrypted_text = database_loader::read_decrypted_text(&old_password);
+        old_password.zeroize();
         match decrypted_text {
             Ok(s) => {
-                let new_password = &cryptography::prompt_for_passwords("New password: ", 8, true);
-                match database_loader::overwrite_database_json(&s, new_password) {
+                let mut new_password = cryptography::prompt_for_passwords("New password: ", 8, true);
+                match database_loader::overwrite_database_json(&s, &new_password) {
                     Ok(()) => println!("Password changed"),
                     Err(e) => eprintln!("An error has occurred: {}", e),
                 }
+                new_password.zeroize();
             }
             Err(e) => {
                 eprintln!("An error has occurred: {}", e);

src/cryptography.rs

@@ -96,11 +96,10 @@ fn header_vec_to_header_array(byte_vec: Vec<u8>) -> [u8; 24] {
 
 pub fn prompt_for_passwords(message: &str, minimum_password_length: usize, verify: bool) -> String {
     let mut password;
-    let mut verify_password;
     loop {
         password = rpassword::prompt_password_stdout(message).unwrap();
         if verify {
-            verify_password = rpassword::prompt_password_stdout("Retype the same password: ").unwrap();
+            let verify_password = rpassword::prompt_password_stdout("Retype the same password: ").unwrap();
             if password != verify_password {
                 println!("Passwords do not match");
                 continue;

src/database_loader.rs

@@ -10,6 +10,7 @@ use utils::{check_elements, get_db_path};
 use crate::cryptography;
 use crate::otp::otp_element::OTPElement;
 use crate::utils;
+use zeroize::Zeroize;
 
 pub fn read_decrypted_text(password: &str) -> Result<String, String> {
     let encrypted_contents = read_to_string(&get_db_path()).unwrap();
@@ -48,18 +49,20 @@ pub fn add_element(secret: &String, issuer: &String, label: &String, algorithm:
         Ok(()) => {}
         Err(error) => return Err(error.to_string())
     }
-    let pw = &cryptography::prompt_for_passwords("Password: ", 8, false);
+    let mut pw = cryptography::prompt_for_passwords("Password: ", 8, false);
     let otp_element = OTPElement::new(upper_secret.to_string(), issuer.to_string(), label.to_string(), digits, String::from("TOTP"), String::from(algorithm).to_uppercase(), String::from("Default"), 0, 0, 30, vec![]);
     let mut elements;
-    match read_from_file(pw) {
+    match read_from_file(&pw) {
         Ok(result) => elements = result,
         Err(e) => return Err(e)
     }
     elements.push(otp_element);
-    match overwrite_database(elements, pw) {
+    let result = match overwrite_database(elements, &pw) {
         Ok(()) => Ok(()),
         Err(e) => Err(format!("{}", e))
-    }
+    };
+    pw.zeroize();
+    result
 }
 
 pub fn remove_element_from_db(mut id: usize) -> Result<(), String> {
@@ -70,24 +73,26 @@ pub fn remove_element_from_db(mut id: usize) -> Result<(), String> {
     id -= 1;
 
     let mut elements: Vec<OTPElement>;
-    let pw = &cryptography::prompt_for_passwords("Password: ", 8, false);
-    match read_from_file(pw) {
+    let mut pw = cryptography::prompt_for_passwords("Password: ", 8, false);
+    match read_from_file(&pw) {
         Ok(result) => elements = result,
         Err(e) => {
             return Err(e);
         }
     }
 
-    match check_elements(id, &elements) {
+    let result = match check_elements(id, &elements) {
         Ok(()) => {
             elements.remove(id);
-            match overwrite_database(elements, pw) {
+            match overwrite_database(elements, &pw) {
                 Ok(()) => Ok(()),
                 Err(e) => Err(format!("{}", e)),
             }
         }
         Err(e) => Err(e)
-    }
+    };
+    pw.zeroize();
+    result
 }
 
 pub fn edit_element(mut id: usize, secret: &str, issuer: &str, label: &str, algorithm: &str, digits: u64) -> Result<(), String> {
@@ -97,13 +102,13 @@ pub fn edit_element(mut id: usize, secret: &str, issuer: &str, label: &str, algo
     id -= 1;
 
     let mut elements: Vec<OTPElement>;
-    let pw = &cryptography::prompt_for_passwords("Password: ", 8, false);
-    match read_from_file(pw) {
+    let mut pw = cryptography::prompt_for_passwords("Password: ", 8, false);
+    match read_from_file(&pw) {
         Ok(result) => elements = result,
         Err(_e) => return Err(String::from("Cannot decrypt existing database"))
     }
 
-    match check_elements(id, &elements) {
+    let result = match check_elements(id, &elements) {
         Ok(()) => {
             if secret != "" {
                 elements[id].set_secret(secret.to_string());
@@ -120,20 +125,24 @@ pub fn edit_element(mut id: usize, secret: &str, issuer: &str, label: &str, algo
             if digits != 0 {
                 elements[id].set_digits(digits);
             }
-            match overwrite_database(elements, pw) {
+            match overwrite_database(elements, &pw) {
                 Ok(()) => Ok(()),
                 Err(e) => Err(format!("{}", e)),
             }
         }
         Err(e) => Err(e)
-    }
+    };
+    pw.zeroize();
+    result
 }
 
 pub fn export_database() -> Result<PathBuf, String> {
     let exported_path = utils::get_home_folder().join("exported.cotp");
     let mut file = File::create(&exported_path).expect("Cannot create file");
     let encrypted_contents = read_to_string(&get_db_path()).unwrap();
-    let contents = cryptography::decrypt_string(&encrypted_contents, &cryptography::prompt_for_passwords("Password: ", 8, false));
+    let mut pw = cryptography::prompt_for_passwords("Password: ", 8, false);
+    let contents = cryptography::decrypt_string(&encrypted_contents, &pw);
+    pw.zeroize();
     return match contents {
         Ok(contents) => {
             if contents == "[]" {

src/main.rs

@@ -9,6 +9,7 @@ use interface::event::{Event, EventHandler};
 use interface::handler::handle_key_events;
 use otp::otp_helper;
 use interface::ui::Tui;
+use zeroize::Zeroize;
 
 mod database_loader;
 mod utils;
@@ -37,11 +38,13 @@ fn init() -> Result<bool, String> {
     match utils::create_db_if_needed() {
         Ok(value) => {
             if value {
-                let pw = &cryptography::prompt_for_passwords("Choose a password: ", 8, true);
-                return match database_loader::overwrite_database_json("[]", pw) {
+                let mut pw = cryptography::prompt_for_passwords("Choose a password: ", 8, true);
+                let result = match database_loader::overwrite_database_json("[]", &pw) {
                     Ok(()) => Ok(true),
                     Err(_e) => Err(String::from("An error occurred during database overwriting")),
                 };
+                pw.zeroize();
+                return result;
             }
             Ok(false)
         }

src/otp/otp_helper.rs

@@ -5,6 +5,7 @@ use crate::{cryptography, database_loader};
 use crate::otp::otp_element::OTPElement;
 use crate::otp::otp_maker::make_totp;
 use crate::utils::check_elements;
+use zeroize::Zeroize;
 
 #[derive(Serialize, Deserialize)]
 struct JsonResult {
@@ -26,10 +27,13 @@ impl JsonResult {
 }
 
 pub fn read_codes() -> Result<Vec<OTPElement>, String> {
-    match database_loader::read_from_file(&cryptography::prompt_for_passwords("Password: ", 8, false)) {
+    let mut pw = cryptography::prompt_for_passwords("Password: ", 8, false);
+    let result = match database_loader::read_from_file(&pw) {
         Ok(result) => Ok(result),
         Err(e) => Err(e),
-    }
+    };
+    pw.zeroize();
+    result
 }
 
 pub fn list_codes(elements: &Vec<OTPElement>) {
@@ -51,11 +55,12 @@ pub fn get_good_otp_code(element: &OTPElement) -> String {
 
 pub fn get_json_results() -> Result<String, String> {
     let elements: Vec<OTPElement>;
-
-    match database_loader::read_from_file(&cryptography::prompt_for_passwords("Password: ", 8, false)) {
+    let mut pw = cryptography::prompt_for_passwords("Password: ", 8, false);
+    match database_loader::read_from_file(&pw) {
         Ok(result) => elements = result,
         Err(e) => return Err(e)
     }
+    pw.zeroize();
     let mut results: Vec<JsonResult> = Vec::new();
 
     if elements.len() == 0 {
@@ -72,18 +77,19 @@ pub fn get_json_results() -> Result<String, String> {
     Ok(json_string.to_string())
 }
 
-pub fn print_json_result(mut index: usize) -> Result<(), String> {
+pub fn print_element_info(mut index: usize) -> Result<(), String> {
     if index == 0 {
         return Err(String::from("Invalid element"));
     }
     index -= 1;
 
     let elements: Vec<OTPElement>;
-
-    match database_loader::read_from_file(&cryptography::prompt_for_passwords("Password: ", 8, false)) {
+    let mut pw = cryptography::prompt_for_passwords("Password: ", 8, false);
+    match database_loader::read_from_file(&pw) {
         Ok(result) => elements = result,
         Err(e) => return Err(e),
     }
+    pw.zeroize();
 
     match check_elements(index, &elements) {
         Ok(()) => {}