zeroize: how to signal "safeness" to crate's users?

[fjarri]

Person A creates a crate with a type that has some secret data inside, say, SecretKey { inner: SecretDataType }. They implement Zeroize and Drop (or #[zeroize(drop)]) for SecretDataType, and stop at that - the secret data is now safe (to the extend Rust can guarantee it), the drop() of SecretKey will call the zeroizing drop() of SecretDataType, so there's no need to define anything for SecretKey itself.

Person B uses A's crate and wants to use Secret<SecretKey>. But they cannot, because SecretKey does not implement Zeroize - so they have to wrap it in a newtype and implement an empty Zeroize for it. And they still cannot assert in code that SecretKey keeps its secret - they have to rely on the docs.

So what are the responsibilities of A here? Should they define an (empty) Zeroize for SecretKey? Should they export a Secret<Box<SecretKey>>? What's the convention?

I wonder if it would be more convenient to have a marker trait ZeroizedOnDrop, that A could implement for SecretKey, and Secret could require?

[tony-iqlusion]

It's a good question, and one I've encountered quite a bit. See also RustCrypto/AEADs#65.

The biggest problem is types which want to maintain some kind of invariant which having a Zeroize impl would violate, and therefore only want be responsible for clearing internal fields via a Drop impl.

Indeed it would seem a marker trait like ZeroizedOnDrop would be helpful for this. I can potentially add one before the next release.

[tony-iqlusion]

Another interesting thing: this could be used with the custom derive support in lieu of the current (and somewhat awkward):

#[derive(Zeroize)]
#[zeroize(drop)]

Instead it could just be:

#[derive(ZeroizedOnDrop)]

As these crates are post-1.0, we'd still need to retain support for #[zeroize(drop)] (which could also derive ZeroizedOnDrop), but it could be deprecated.

And of course, Zeroizing would impl it.

[fjarri]

Oh, didn't realize you have two github accounts :)

As you may have guessed, I was asking this in relation to RustCrypto/traits#671. Currently, if I want to wrap SecretKey in Secret<Box<...>>, i have to do something like

struct SecretKeyInner(BackendSecretKey<CurveType>);

impl Zeroize for SecretKeyInner {
    fn zeroize(&mut self) {
        // BackendSecretKey is zeroized on drop, nothing to do
    }
}

impl Zeroize for Box<SecretKeyInner> {
    fn zeroize(&mut self) {
        // BackendSecretKey is zeroized on drop, nothing to do
    }
}

pub struct SecretKey(Secret<Box<BackendSecretKey<CurveType>>>);

because Secret<T> requires T: Zeroize, and there is no blanket impl for Box<T> where T: Zeroize.

[tony-iqlusion]

re: a ZeroizedOnDrop trait, it used to exist: #168

I'm still looking through the commit history for why it was removed.

Edit: aah yes, it was removed with the goal of always adding drop handlers by default. But that also ended up having its own issues: #188

[tony-iqlusion]

Moved to RustCrypto/utils#652