rust: add zeroizing str to cstr util function

benma · benma · commit b2c49059f636 · 2025-11-06T09:48:27.000+01:00
Not using CString as it did not look to me like it was actually
preallocating for the null terminator, and reallocation would leave
unzeroed copies.
diff --git a/src/rust/bitbox02/src/keystore.rs b/src/rust/bitbox02/src/keystore.rs
@@ -75,7 +75,7 @@ pub fn _unlock(password: &str) -> Result<zeroize::Zeroizing<Vec<u8>>, Error> {
     let mut seed_len: usize = 0;
     match unsafe {
         bitbox02_sys::keystore_unlock(
-            crate::util::str_to_cstr_vec(password)
+            crate::util::str_to_cstr_vec_zeroizing(password)
                 .unwrap()
                 .as_ptr()
                 .cast(),
diff --git a/src/rust/bitbox02/src/util.rs b/src/rust/bitbox02/src/util.rs
@@ -42,7 +42,7 @@ pub fn truncate_str(s: &str, len: usize) -> &str {
 }
 
 /// Converts a Rust string to a null terminated C string by appending a null
-/// terminator.  Returns `Err(())` if the input already contians a null byte.
+/// terminator.  Returns `Err(())` if the input already contains a null byte.
 pub fn str_to_cstr_vec(input: &str) -> Result<Vec<core::ffi::c_char>, ()> {
     let cstr = alloc::ffi::CString::new(input)
         .or(Err(()))?
@@ -53,6 +53,23 @@ pub fn str_to_cstr_vec(input: &str) -> Result<Vec<core::ffi::c_char>, ()> {
     Ok(cstr.into_iter().map(|c| c as _).collect())
 }
 
+/// Converts a Rust string to a null terminated C string by appending a null
+/// terminator.  Returns `Err(())` if the input already contains a null byte.
+pub fn str_to_cstr_vec_zeroizing(
+    input: &str,
+) -> Result<zeroize::Zeroizing<Vec<core::ffi::c_char>>, ()> {
+    let bytes = input.as_bytes();
+    if bytes.contains(&0) {
+        return Err(());
+    }
+    let mut result: zeroize::Zeroizing<Vec<core::ffi::c_char>> =
+        zeroize::Zeroizing::new(vec![0; bytes.len() + 1]);
+    for (i, b) in bytes.iter().enumerate() {
+        result[i] = *b as _;
+    }
+    Ok(result)
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -134,4 +151,18 @@ mod tests {
         );
         assert_eq!(str_to_cstr_vec("te\0st"), Err(()));
     }
+
+    #[test]
+    fn test_str_to_cstr_vec_zeroizing() {
+        assert_eq!(str_to_cstr_vec_zeroizing("").unwrap().as_slice(), &[0]);
+        assert_eq!(
+            str_to_cstr_vec_zeroizing("test").unwrap(),
+            b"test\0"
+                .iter()
+                .map(|c| *c as _)
+                .collect::<Vec<core::ffi::c_char>>()
+                .into(),
+        );
+        assert_eq!(str_to_cstr_vec_zeroizing("te\0st"), Err(()));
+    }
 }
