Merge remote-tracking branch 'benma/safestring'

Author: benma

src/rust/bitbox02-rust/src/workflow/mnemonic.rs

@@ -272,8 +272,7 @@ async fn get_12th_18th_word(
             trinary_input_string::CanCancel::Yes,
             "",
         )
-        .await
-        .map(|s| s.as_string())?;
+        .await?;
 
         // Confirm word picked again, as a typo here would be extremely annoying.  Double checking
         // is also safer, as the user might not even realize they made a typo.
@@ -344,7 +343,7 @@ pub async fn get() -> Result<zeroize::Zeroizing<String>, CancelError> {
                     preset,
                 )
                 .await
-                .map(|s| s.as_string())
+                .into()
             };
 
         match user_entry {

src/rust/bitbox02-rust/src/workflow/password.rs

@@ -13,10 +13,11 @@
 // limitations under the License.
 
 use super::{confirm, status, trinary_input_string};
-use bitbox02::input::SafeInputString;
 
 pub use trinary_input_string::{CanCancel, Error};
 
+use alloc::string::String;
+
 async fn prompt_cancel() -> Result<(), confirm::UserAbort> {
     confirm::confirm(&confirm::Params {
         body: "Do you really\nwant to cancel?",
@@ -37,7 +38,7 @@ pub async fn enter(
     title: &str,
     special_chars: bool,
     can_cancel: CanCancel,
-) -> Result<SafeInputString, Error> {
+) -> Result<zeroize::Zeroizing<String>, Error> {
     let params = trinary_input_string::Params {
         title,
         hide: true,
@@ -78,7 +79,7 @@ impl core::convert::From<Error> for EnterTwiceError {
 /// ```no_run
 /// let pw = enter_twice().await.unwrap();
 /// // use pw.
-pub async fn enter_twice() -> Result<SafeInputString, EnterTwiceError> {
+pub async fn enter_twice() -> Result<zeroize::Zeroizing<String>, EnterTwiceError> {
     let password = enter("Set password", false, CanCancel::Yes).await?;
     let password_repeat = enter("Repeat password", false, CanCancel::Yes).await?;
     if password.as_str() != password_repeat.as_str() {

src/rust/bitbox02-rust/src/workflow/trinary_input_string.rs

@@ -16,10 +16,10 @@ pub use super::cancel::{cancel, set_result, Error};
 pub use bitbox02::ui::TrinaryInputStringParams as Params;
 
 use crate::bb02_async::option;
-use bitbox02::input::SafeInputString;
 use core::cell::RefCell;
 
 use alloc::boxed::Box;
+use alloc::string::String;
 
 #[derive(Copy, Clone)]
 pub enum CanCancel {
@@ -35,7 +35,7 @@ pub async fn enter(
     params: &Params<'_>,
     can_cancel: CanCancel,
     preset: &str,
-) -> Result<SafeInputString, Error> {
+) -> Result<zeroize::Zeroizing<String>, Error> {
     let result = RefCell::new(None);
     let mut component = bitbox02::ui::trinary_input_string_create(
         params,

src/rust/bitbox02-rust/src/workflow/unlock.rs

@@ -16,7 +16,6 @@ use crate::general::abort;
 use crate::workflow::confirm;
 use crate::workflow::password;
 use crate::workflow::status::status;
-use bitbox02::input::SafeInputString;
 use bitbox02::keystore;
 
 pub use password::CanCancel;
@@ -98,7 +97,7 @@ pub async fn unlock_keystore(
 /// feature is enabled, the user will be asked for the passphrase.
 pub async fn unlock_bip39() {
     // Empty passphrase by default.
-    let mut mnemonic_passphrase = SafeInputString::new();
+    let mut mnemonic_passphrase = zeroize::Zeroizing::new("".into());
 
     // If setting activated, get the passphrase from the user.
     if bitbox02::memory::is_mnemonic_passphrase_enabled() {

src/rust/bitbox02/src/input.rs

@@ -19,7 +19,6 @@ use alloc::vec::Vec;
 
 use core::convert::TryInto;
 
-use crate::input::SafeInputString;
 use bitbox02_sys::keystore_error_t;
 
 pub const BIP39_WORDLIST_LEN: u16 = bitbox02_sys::BIP39_WORDLIST_LEN as u16;
@@ -62,12 +61,12 @@ impl core::convert::From<keystore_error_t> for Error {
     }
 }
 
-pub fn unlock(password: &SafeInputString) -> Result<(), Error> {
+pub fn unlock(password: &str) -> Result<(), Error> {
     let mut remaining_attempts: u8 = 0;
     let mut securechip_result: i32 = 0;
     match unsafe {
         bitbox02_sys::keystore_unlock(
-            password.as_cstr(),
+            crate::util::str_to_cstr_vec(password).unwrap().as_ptr(),
             &mut remaining_attempts,
             &mut securechip_result,
         )
@@ -85,18 +84,24 @@ pub fn lock() {
     unsafe { bitbox02_sys::keystore_lock() }
 }
 
-pub fn unlock_bip39(mnemonic_passphrase: &SafeInputString) -> Result<(), Error> {
-    if unsafe { bitbox02_sys::keystore_unlock_bip39(mnemonic_passphrase.as_cstr()) } {
+pub fn unlock_bip39(mnemonic_passphrase: &str) -> Result<(), Error> {
+    if unsafe {
+        bitbox02_sys::keystore_unlock_bip39(
+            crate::util::str_to_cstr_vec(mnemonic_passphrase)
+                .unwrap()
+                .as_ptr(),
+        )
+    } {
         Ok(())
     } else {
         Err(Error::CannotUnlockBIP39)
     }
 }
 
-pub fn create_and_store_seed(password: &SafeInputString, host_entropy: &[u8]) -> Result<(), Error> {
+pub fn create_and_store_seed(password: &str, host_entropy: &[u8]) -> Result<(), Error> {
     match unsafe {
         bitbox02_sys::keystore_create_and_store_seed(
-            password.as_cstr(),
+            crate::util::str_to_cstr_vec(password).unwrap().as_ptr(),
             host_entropy.as_ptr(),
             host_entropy.len() as _,
         )
@@ -304,9 +309,13 @@ pub fn bip39_mnemonic_to_seed(mnemonic: &str) -> Result<zeroize::Zeroizing<Vec<u
     }
 }
 
-pub fn encrypt_and_store_seed(seed: &[u8], password: &SafeInputString) -> Result<(), Error> {
+pub fn encrypt_and_store_seed(seed: &[u8], password: &str) -> Result<(), Error> {
     match unsafe {
-        bitbox02_sys::keystore_encrypt_and_store_seed(seed.as_ptr(), seed.len(), password.as_cstr())
+        bitbox02_sys::keystore_encrypt_and_store_seed(
+            seed.as_ptr(),
+            seed.len(),
+            crate::util::str_to_cstr_vec(password).unwrap().as_ptr(),
+        )
     } {
         keystore_error_t::KEYSTORE_OK => Ok(()),
         err => Err(err.into()),

src/rust/bitbox02/src/keystore.rs

@@ -34,7 +34,6 @@ use alloc::string::String;
 pub mod testing;
 
 pub mod bip32;
-pub mod input;
 pub mod keystore;
 pub mod memory;
 pub mod random;

src/rust/bitbox02/src/lib.rs

@@ -56,10 +56,7 @@ pub fn mock_unlocked_using_mnemonic(mnemonic: &str, passphrase: &str) {
     unsafe {
         bitbox02_sys::keystore_mock_unlocked(seed.as_ptr(), seed.len() as _, core::ptr::null())
     }
-    keystore::unlock_bip39(&crate::input::SafeInputString::from_buf(
-        passphrase.as_bytes(),
-    ))
-    .unwrap();
+    keystore::unlock_bip39(passphrase).unwrap();
 }
 
 pub const TEST_MNEMONIC: &str = "purity concert above invest pigeon category peace tuition hazard vivid latin since legal speak nation session onion library travel spell region blast estate stay";

src/rust/bitbox02/src/testing.rs

@@ -21,8 +21,8 @@ pub use super::types::{
 use util::c_types::{c_char, c_void};
 
 extern crate alloc;
-use crate::input::SafeInputString;
 use alloc::boxed::Box;
+use alloc::string::String;
 use alloc::vec::Vec;
 
 use core::marker::PhantomData;
@@ -71,21 +71,21 @@ pub fn trinary_input_string_create<'a, F>(
 ) -> Component<'a>
 where
     // Callback must outlive component.
-    F: FnMut(SafeInputString) + 'a,
+    F: FnMut(zeroize::Zeroizing<String>) + 'a,
 {
     unsafe extern "C" fn c_confirm_callback<F2>(password: *const c_char, param: *mut c_void)
     where
-        F2: FnMut(SafeInputString),
+        F2: FnMut(zeroize::Zeroizing<String>),
     {
-        let mut password_out = SafeInputString::new();
-        let cap = password_out.cap();
-        password_out
-            .as_mut()
-            .copy_from_slice(core::slice::from_raw_parts(password, cap));
+        let pw: zeroize::Zeroizing<String> = zeroize::Zeroizing::new(
+            crate::util::str_from_null_terminated_ptr(password)
+                .unwrap()
+                .into(),
+        );
         // The callback is dropped afterwards. This is safe because
         // this C callback is guaranteed to be called only once.
         let mut callback = Box::from_raw(param as *mut F2);
-        callback(password_out);
+        callback(pw);
     }
 
     unsafe extern "C" fn c_cancel_callback(param: *mut c_void) {

src/rust/bitbox02/src/ui/ui.rs

@@ -19,12 +19,12 @@ pub use super::types::{
     TrinaryChoiceCb, TrinaryInputStringParams,
 };
 
-use crate::input::SafeInputString;
-
 use core::marker::PhantomData;
 
 extern crate alloc;
 
+use alloc::string::String;
+
 pub struct Component<'a> {
     is_pushed: bool,
     _p: PhantomData<&'a ()>,
@@ -53,14 +53,11 @@ pub fn trinary_input_string_create<'a, F>(
     _cancel_callback: Option<ContinueCancelCb<'a>>,
 ) -> Component<'a>
 where
-    F: FnMut(SafeInputString) + 'a,
+    F: FnMut(zeroize::Zeroizing<String>) + 'a,
 {
     let data = crate::testing::DATA.0.borrow();
     let input_string = data.ui_trinary_input_string_create.as_ref().unwrap()(params);
-    let input_buf = input_string.as_bytes();
-    let mut input = SafeInputString::new();
-    input.as_mut()[..input_buf.len()].copy_from_slice(input_buf);
-    confirm_callback(input);
+    confirm_callback(zeroize::Zeroizing::new(input_string));
     Component {
         is_pushed: false,
         _p: PhantomData,