From 24d02a72e36621fbb34b9725e487348f62f4de41 Mon Sep 17 00:00:00 2001
From: multi prise
Date: Thu, 7 Aug 2025 15:07:13 +0200
Subject: [PATCH] implement zeroizing of secrets after use
---
 Cargo.lock | 1 +
 crates/matrix-sdk-sqlite/Cargo.toml | 1 +
 crates/matrix-sdk-sqlite/src/lib.rs | 5 ++++-
 crates/matrix-sdk-sqlite/src/utils.rs | 13 +++++++------
 4 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 1d4755348..8f0061137 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -3519,6 +3519,7 @@ dependencies = [
  "tokio",
  "tracing",
  "vodozemac",
+ "zeroize",
 ]
 
 [[package]]
diff --git a/crates/matrix-sdk-sqlite/Cargo.toml b/crates/matrix-sdk-sqlite/Cargo.toml
index 9d7cb8541..83b7e945e 100644
--- a/crates/matrix-sdk-sqlite/Cargo.toml
+++ b/crates/matrix-sdk-sqlite/Cargo.toml
@@ -42,6 +42,7 @@ thiserror.workspace = true
 tokio = { workspace = true, features = ["fs"] }
 tracing.workspace = true
 vodozemac.workspace = true
+zeroize.workspace = true
 
 [dev-dependencies]
 assert_matches.workspace = true
diff --git a/crates/matrix-sdk-sqlite/src/lib.rs b/crates/matrix-sdk-sqlite/src/lib.rs
index ac404703f..112c8af72 100644
--- a/crates/matrix-sdk-sqlite/src/lib.rs
+++ b/crates/matrix-sdk-sqlite/src/lib.rs
@@ -32,6 +32,7 @@ use std::{
 };
 
 use deadpool_sqlite::PoolConfig;
+use zeroize::Zeroize;
 
 #[cfg(feature = "crypto-store")]
 pub use self::crypto_store::SqliteCryptoStore;
@@ -46,9 +47,11 @@ pub use self::state_store::{SqliteStateStore, DATABASE_NAME as STATE_STORE_DATAB
 #[cfg(test)]
 matrix_sdk_test_utils::init_tracing_for_tests!();
 
-#[derive(Clone, Debug, Eq, PartialEq)]
+#[derive(Clone, Debug, Eq, PartialEq, Zeroize)]
 pub enum Secret {
+    #[zeroize]
     Key([u8; 32]),
+    #[zeroize]
     PassPhrase(String),
 }
 
diff --git a/crates/matrix-sdk-sqlite/src/utils.rs b/crates/matrix-sdk-sqlite/src/utils.rs
index b5b2af2fd..d04fe3a34 100644
--- a/crates/matrix-sdk-sqlite/src/utils.rs
+++ b/crates/matrix-sdk-sqlite/src/utils.rs
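Review bot: Deriving `Zeroize` alone gives `Secret` an explicit `.zeroize()` method and nothing more — a `Secret` that is simply dropped, or any of the copies the derived `Clone` produces, is never wiped unless every holder remembers to call it, and the single call site in utils.rs only does so on its success path. Deriving `ZeroizeOnDrop` alongside it, `#[derive(Clone, Debug, Eq, PartialEq, Zeroize, ZeroizeOnDrop)]`, makes the wipe happen at every drop, including on `?` early returns. The bare `#[zeroize]` on each variant does not match the derive's documented options as far as I can tell (`#[zeroize(skip)]` is the opt-out, and all fields are zeroized by default), so it looks redundant — confirm it compiles or drop it. Pre-existing, but worth noting while the type is touched: the derived `Debug` prints the raw key bytes or passphrase in any `{:?}` output.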
@@ -28,6 +28,7 @@ use ruma::{serde::Raw, time::SystemTime, OwnedEventId, OwnedRoomId};
 use rusqlite::{limits::Limit, OptionalExtension, Params, Row, Statement, Transaction};
 use serde::{de::DeserializeOwned, Serialize};
 use tracing::{error, warn};
+use zeroize::Zeroize;
 
 use crate::{
     error::{Error, Result},
@@ -457,31 +458,31 @@ pub(crate) trait SqliteKeyValueStoreAsyncConnExt: SqliteAsyncConnExt {
     /// Get the [`StoreCipher`] of the database or create it.
     async fn get_or_create_store_cipher(
         &self,
-        secret: Secret,
+        mut secret: Secret,
     ) -> Result {
         let encrypted_cipher = self.get_kv("cipher").await.map_err(OpenStoreError::LoadCipher)?;
         let cipher = if let Some(encrypted) = encrypted_cipher {
             match secret {
-                Secret::PassPhrase(passphrase) => StoreCipher::import(passphrase, &encrypted)?,
-                Secret::Key(key) => StoreCipher::import_with_key(key, &encrypted)?,
+                Secret::PassPhrase(ref passphrase) => StoreCipher::import(&passphrase, &encrypted)?,
+                Secret::Key(key) => StoreCipher::import_with_key(&key, &encrypted)?,
             }
         } else {
             let cipher = StoreCipher::new()?;
             let export = match secret {
-                Secret::PassPhrase(passphrase) => {
+                Secret::PassPhrase(ref passphrase) => {
                     if cfg!(not(test)) {
                         cipher.export(passphrase)
                     } else {
                         cipher._insecure_export_fast_for_testing(passphrase)
                     }
                 }
-                Secret::Key(key) => cipher.export_with_key(key),
+                Secret::Key(key) => cipher.export_with_key(&key),
             };
             self.set_kv("cipher", export?).await.map_err(OpenStoreError::SaveCipher)?;
             cipher
         };
-
+        secret.zeroize();
         Ok(cipher)
     }
 }
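Review bot: `secret.zeroize()` runs only on the success path — every `?` between the match arms and that call (`StoreCipher::import`/`import_with_key`, `StoreCipher::new`, `set_kv`) returns early with the secret still in memory. The `Secret::Key(key)` arms in both matches also bind the `[u8; 32]` by copy, so the key bytes survive in the local `key` after the enum is wiped; `Secret::Key(ref key)`, as the passphrase arms already do, avoids the copy. Both problems disappear if the wipe is tied to ownership rather than a trailing statement: `let secret = Zeroizing::new(secret);` (`zeroize::Zeroizing`) at the top of the function, matching on `*secret` with `ref` bindings and no explicit `.zeroize()` call, zeroizes on every return path. Minor: with `ref passphrase` bound, `&passphrase` in the import arm is a `&&String` — `passphrase` alone is enough.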