Improving some security aspects.

Author: charlesschaefer

src-tauri/src/crypto.rs

@@ -5,6 +5,7 @@ use aes_gcm::{
 
 use ring::{digest, pbkdf2};
 use rand::RngCore;
+use zeroize::Zeroize;
 use std::num::NonZeroU32;
 
 const CREDENTIAL_LEN: usize = digest::SHA256_OUTPUT_LEN;

src-tauri/src/storage.rs

@@ -1,8 +1,10 @@
 use bincode;
 use serde::{Deserialize, Serialize};
 use tauri::Manager;
+use zeroize::Zeroize;
 use std::collections::HashMap;
 use std::fs::{self, File};
+use std::os::unix::fs::PermissionsExt;
 use std::io::{Read, Write};
 use std::path::PathBuf;
 use totp_rs::{Algorithm, Secret, TOTP};
@@ -241,6 +243,11 @@ impl Storage {
         }
         let path = self.storage_path(app);
         let mut file = File::open(path).map_err(|_| ())?;
+        
+        // @TODO: Set permissions for windows and macOS too
+        self.set_permissions(&file);
+
+
         let mut buf = Vec::new();
         file.read_to_end(&mut buf).map_err(|_| ())?;
 
@@ -348,6 +355,13 @@ impl Storage {
         self.signing_key = key;
         self.salt = Some(salt);
     }
+
+    fn set_permissions(&self, file: &File) {
+        let metadata = file.metadata().unwrap();
+        let mut permissions = metadata.permissions();
+        permissions.set_mode(0o644); // Read/write for owner, read for group and others
+        file.set_permissions(permissions).unwrap();
+    }
 }
 
 impl ServicesTokens for Storage {
@@ -363,6 +377,14 @@ impl ServicesTokens for Storage {
     }
 }
 
+impl Drop for Storage {
+    fn drop(&mut self) {
+        self.signing_key.zeroize();
+        self.salt.zeroize();
+        self.key_access_pass.zeroize();
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;