rust: remove SafeInputString

This was a custom C string wrapper with auto-zeroing, but it is much
easier to simply use zeroize and CStr (which were both introduced to
the codebase after SafeInputString). This also allows us to call bip39
unlock more easily with a Rust string in the future (see testing.rs
for example).

Author: benma

src/rust/bitbox02-rust/src/workflow/mnemonic.rs

@@ -272,8 +272,7 @@ async fn get_12th_18th_word(
             trinary_input_string::CanCancel::Yes,
             "",
         )
-        .await
-        .map(|s| s.as_string())?;
+        .await?;
 
         // Confirm word picked again, as a typo here would be extremely annoying.  Double checking
         // is also safer, as the user might not even realize they made a typo.
@@ -344,7 +343,7 @@ pub async fn get() -> Result<zeroize::Zeroizing<String>, CancelError> {
                     preset,
                 )
                 .await
-                .map(|s| s.as_string())
+                .into()
             };
 
         match user_entry {

src/rust/bitbox02-rust/src/workflow/password.rs

@@ -13,10 +13,11 @@
 // limitations under the License.
 
 use super::{confirm, status, trinary_input_string};
-use bitbox02::input::SafeInputString;
 
 pub use trinary_input_string::{CanCancel, Error};
 
+use alloc::string::String;
+
 async fn prompt_cancel() -> Result<(), confirm::UserAbort> {
     confirm::confirm(&confirm::Params {
         body: "Do you really\nwant to cancel?",
@@ -37,7 +38,7 @@ pub async fn enter(
     title: &str,
     special_chars: bool,
     can_cancel: CanCancel,
-) -> Result<SafeInputString, Error> {
+) -> Result<zeroize::Zeroizing<String>, Error> {
     let params = trinary_input_string::Params {
         title,
         hide: true,
@@ -78,7 +79,7 @@ impl core::convert::From<Error> for EnterTwiceError {
 /// ```no_run
 /// let pw = enter_twice().await.unwrap();
 /// // use pw.
-pub async fn enter_twice() -> Result<SafeInputString, EnterTwiceError> {
+pub async fn enter_twice() -> Result<zeroize::Zeroizing<String>, EnterTwiceError> {
     let password = enter("Set password", false, CanCancel::Yes).await?;
     let password_repeat = enter("Repeat password", false, CanCancel::Yes).await?;
     if password.as_str() != password_repeat.as_str() {

src/rust/bitbox02-rust/src/workflow/trinary_input_string.rs

@@ -16,10 +16,10 @@ pub use super::cancel::{cancel, set_result, Error};
 pub use bitbox02::ui::TrinaryInputStringParams as Params;
 
 use crate::bb02_async::option;
-use bitbox02::input::SafeInputString;
 use core::cell::RefCell;
 
 use alloc::boxed::Box;
+use alloc::string::String;
 
 #[derive(Copy, Clone)]
 pub enum CanCancel {
@@ -35,7 +35,7 @@ pub async fn enter(
     params: &Params<'_>,
     can_cancel: CanCancel,
     preset: &str,
-) -> Result<SafeInputString, Error> {
+) -> Result<zeroize::Zeroizing<String>, Error> {
     let result = RefCell::new(None);
     let mut component = bitbox02::ui::trinary_input_string_create(
         params,

src/rust/bitbox02-rust/src/workflow/unlock.rs

@@ -16,7 +16,6 @@ use crate::general::abort;
 use crate::workflow::confirm;
 use crate::workflow::password;
 use crate::workflow::status::status;
-use bitbox02::input::SafeInputString;
 use bitbox02::keystore;
 
 pub use password::CanCancel;
@@ -98,7 +97,7 @@ pub async fn unlock_keystore(
 /// feature is enabled, the user will be asked for the passphrase.
 pub async fn unlock_bip39() {
     // Empty passphrase by default.
-    let mut mnemonic_passphrase = SafeInputString::new();
+    let mut mnemonic_passphrase = zeroize::Zeroizing::new("".into());
 
     // If setting activated, get the passphrase from the user.
     if bitbox02::memory::is_mnemonic_passphrase_enabled() {

src/rust/bitbox02/src/input.rs

@@ -19,7 +19,6 @@ use alloc::vec::Vec;
 
 use core::convert::TryInto;
 
-use crate::input::SafeInputString;
 use bitbox02_sys::keystore_error_t;
 
 pub const BIP39_WORDLIST_LEN: u16 = bitbox02_sys::BIP39_WORDLIST_LEN as u16;
@@ -62,12 +61,12 @@ impl core::convert::From<keystore_error_t> for Error {
     }
 }
 
-pub fn unlock(password: &SafeInputString) -> Result<(), Error> {
+pub fn unlock(password: &str) -> Result<(), Error> {
     let mut remaining_attempts: u8 = 0;
     let mut securechip_result: i32 = 0;
     match unsafe {
         bitbox02_sys::keystore_unlock(
-            password.as_cstr(),
+            crate::util::str_to_cstr_vec(password).unwrap().as_ptr(),
             &mut remaining_attempts,
             &mut securechip_result,
         )
@@ -85,18 +84,24 @@ pub fn lock() {
     unsafe { bitbox02_sys::keystore_lock() }
 }
 
-pub fn unlock_bip39(mnemonic_passphrase: &SafeInputString) -> Result<(), Error> {
-    if unsafe { bitbox02_sys::keystore_unlock_bip39(mnemonic_passphrase.as_cstr()) } {
+pub fn unlock_bip39(mnemonic_passphrase: &str) -> Result<(), Error> {
+    if unsafe {
+        bitbox02_sys::keystore_unlock_bip39(
+            crate::util::str_to_cstr_vec(mnemonic_passphrase)
+                .unwrap()
+                .as_ptr(),
+        )
+    } {
         Ok(())
     } else {
         Err(Error::CannotUnlockBIP39)
     }
 }
 
-pub fn create_and_store_seed(password: &SafeInputString, host_entropy: &[u8]) -> Result<(), Error> {
+pub fn create_and_store_seed(password: &str, host_entropy: &[u8]) -> Result<(), Error> {
     match unsafe {
         bitbox02_sys::keystore_create_and_store_seed(
-            password.as_cstr(),
+            crate::util::str_to_cstr_vec(password).unwrap().as_ptr(),
             host_entropy.as_ptr(),
             host_entropy.len() as _,
         )
@@ -304,9 +309,13 @@ pub fn bip39_mnemonic_to_seed(mnemonic: &str) -> Result<zeroize::Zeroizing<Vec<u
     }
 }
 
-pub fn encrypt_and_store_seed(seed: &[u8], password: &SafeInputString) -> Result<(), Error> {
+pub fn encrypt_and_store_seed(seed: &[u8], password: &str) -> Result<(), Error> {
     match unsafe {
-        bitbox02_sys::keystore_encrypt_and_store_seed(seed.as_ptr(), seed.len(), password.as_cstr())
+        bitbox02_sys::keystore_encrypt_and_store_seed(
+            seed.as_ptr(),
+            seed.len(),
+            crate::util::str_to_cstr_vec(password).unwrap().as_ptr(),
+        )
     } {
         keystore_error_t::KEYSTORE_OK => Ok(()),
         err => Err(err.into()),

src/rust/bitbox02/src/keystore.rs

@@ -34,7 +34,6 @@ use alloc::string::String;
 pub mod testing;
 
 pub mod bip32;
-pub mod input;
 pub mod keystore;
 pub mod memory;
 pub mod random;

src/rust/bitbox02/src/lib.rs

@@ -56,10 +56,7 @@ pub fn mock_unlocked_using_mnemonic(mnemonic: &str, passphrase: &str) {
     unsafe {
         bitbox02_sys::keystore_mock_unlocked(seed.as_ptr(), seed.len() as _, core::ptr::null())
     }
-    keystore::unlock_bip39(&crate::input::SafeInputString::from_buf(
-        passphrase.as_bytes(),
-    ))
-    .unwrap();
+    keystore::unlock_bip39(passphrase).unwrap();
 }
 
 pub const TEST_MNEMONIC: &str = "purity concert above invest pigeon category peace tuition hazard vivid latin since legal speak nation session onion library travel spell region blast estate stay";

src/rust/bitbox02/src/testing.rs

@@ -21,8 +21,8 @@ pub use super::types::{
 use util::c_types::{c_char, c_void};
 
 extern crate alloc;
-use crate::input::SafeInputString;
 use alloc::boxed::Box;
+use alloc::string::String;
 use alloc::vec::Vec;
 
 use core::marker::PhantomData;
@@ -71,21 +71,21 @@ pub fn trinary_input_string_create<'a, F>(
 ) -> Component<'a>
 where
     // Callback must outlive component.
-    F: FnMut(SafeInputString) + 'a,
+    F: FnMut(zeroize::Zeroizing<String>) + 'a,
 {
     unsafe extern "C" fn c_confirm_callback<F2>(password: *const c_char, param: *mut c_void)
     where
-        F2: FnMut(SafeInputString),
+        F2: FnMut(zeroize::Zeroizing<String>),
     {
-        let mut password_out = SafeInputString::new();
-        let cap = password_out.cap();
-        password_out
-            .as_mut()
-            .copy_from_slice(core::slice::from_raw_parts(password, cap));
+        let pw: zeroize::Zeroizing<String> = zeroize::Zeroizing::new(
+            crate::util::str_from_null_terminated_ptr(password)
+                .unwrap()
+                .into(),
+        );
         // The callback is dropped afterwards. This is safe because
         // this C callback is guaranteed to be called only once.
         let mut callback = Box::from_raw(param as *mut F2);
-        callback(password_out);
+        callback(pw);
     }
 
     unsafe extern "C" fn c_cancel_callback(param: *mut c_void) {

src/rust/bitbox02/src/ui/ui.rs

@@ -19,12 +19,12 @@ pub use super::types::{
     TrinaryChoiceCb, TrinaryInputStringParams,
 };
 
-use crate::input::SafeInputString;
-
 use core::marker::PhantomData;
 
 extern crate alloc;
 
+use alloc::string::String;
+
 pub struct Component<'a> {
     is_pushed: bool,
     _p: PhantomData<&'a ()>,
@@ -53,14 +53,11 @@ pub fn trinary_input_string_create<'a, F>(
     _cancel_callback: Option<ContinueCancelCb<'a>>,
 ) -> Component<'a>
 where
-    F: FnMut(SafeInputString) + 'a,
+    F: FnMut(zeroize::Zeroizing<String>) + 'a,
 {
     let data = crate::testing::DATA.0.borrow();
     let input_string = data.ui_trinary_input_string_create.as_ref().unwrap()(params);
-    let input_buf = input_string.as_bytes();
-    let mut input = SafeInputString::new();
-    input.as_mut()[..input_buf.len()].copy_from_slice(input_buf);
-    confirm_callback(input);
+    confirm_callback(zeroize::Zeroizing::new(input_string));
     Component {
         is_pushed: false,
         _p: PhantomData,