Add a new Key type to represent any key material

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "wireguard-uapi"
-version = "3.0.1"
+version = "4.0.0"
 edition = "2018"
 authors = ["Brandon Cheng <[email protected]>"]
 license = "MIT"
@@ -27,6 +27,7 @@ derive_builder = "0.10.2"
 thiserror = "1.0"
 hex = { version = "0.4.3", optional = true }
 take-until = { version = " 0.1.0", optional = true }
+zeroize = { version = "1.8.1", features = ["derive"], optional = true }
 
 [target.'cfg(target_os = "linux")'.dependencies]
 neli = "0.6.3"

examples/wg.rs

@@ -55,7 +55,7 @@ fn print_peer(peer: &Peer) {
     println!(
         "{}: {}",
         "peer".yellow(),
-        base64::encode(peer.public_key).yellow()
+        base64::encode(&peer.public_key).yellow()
     );
     if let Some(endpoint) = peer.endpoint {
         println!("  {}: {}", "endpoint".black().bold(), endpoint);

examples/xplatform.rs

@@ -40,7 +40,7 @@ fn print_peer(peer: &Peer) {
     println!(
         "{}: {}",
         "peer".yellow(),
-        base64::encode(peer.public_key).yellow()
+        base64::encode(&peer.public_key).yellow()
     );
     if let Some(endpoint) = peer.endpoint {
         println!("  {}: {}", "endpoint".black().bold(), endpoint);

src/get.rs

@@ -3,14 +3,16 @@ use std::net::{IpAddr, SocketAddr};
 use std::str::FromStr;
 use std::time::Duration;
 
+use crate::key::Key;
+
 #[derive(Builder, Debug, PartialEq, Eq)]
 pub struct Device {
     pub ifindex: u32,
     pub ifname: String,
     #[builder(default)]
-    pub private_key: Option<[u8; 32]>,
+    pub private_key: Option<Key>,
     #[builder(default)]
-    pub public_key: Option<[u8; 32]>,
+    pub public_key: Option<Key>,
     pub listen_port: u16,
     pub fwmark: u32,
     #[builder(default)]
@@ -22,8 +24,8 @@ pub struct Peer {
     // The public_key and allowed_ips fields are public to
     // make peer coalescing easier.
     #[builder(field(public))]
-    pub public_key: [u8; 32],
-    pub preshared_key: [u8; 32],
+    pub public_key: Key,
+    pub preshared_key: Key,
     #[builder(default)]
     pub endpoint: Option<SocketAddr>,
     pub persistent_keepalive_interval: u16,

src/key.rs

@@ -0,0 +1,35 @@
+use std::ops::{Deref, DerefMut};
+
+/// Key material, public, private or preshared.
+#[derive(Clone, Debug, Default, PartialEq, Eq)]
+#[cfg_attr(feature = "zeroize", derive(zeroize::Zeroize, zeroize::ZeroizeOnDrop))]
+pub struct Key([u8; 32]);
+
+impl Deref for Key {
+    type Target = [u8; 32];
+
+    fn deref(&self) -> &Self::Target {
+        &self.0
+    }
+}
+
+impl DerefMut for Key {
+    fn deref_mut(&mut self) -> &mut Self::Target {
+        &mut self.0
+    }
+}
+
+impl AsRef<[u8]> for Key {
+    fn as_ref(&self) -> &[u8] {
+        &self.0
+    }
+}
+
+impl From<[u8; 32]> for Key {
+    fn from(#[allow(unused_mut)] mut value: [u8; 32]) -> Self {
+        let ret = Self(value);
+        #[cfg(feature = "zeroize")]
+        zeroize::Zeroize::zeroize(&mut value);
+        ret
+    }
+}

src/lib.rs

@@ -4,6 +4,7 @@ pub mod linux;
 pub use linux::{err, set, DeviceInterface, RouteSocket, WgSocket};
 
 pub mod get;
+pub mod key;
 
 #[cfg(feature = "xplatform")]
 pub mod xplatform;

src/linux/socket/parse.rs

@@ -1,5 +1,6 @@
 use crate::err::{ParseAttributeError, ParseDeviceError, ParseIpAddrError, ParseSockAddrError};
 use crate::get::{AllowedIp, AllowedIpBuilder, Device, DeviceBuilder, Peer, PeerBuilder};
+use crate::key::Key;
 use crate::linux::attr::{
     NlaNested, WgAllowedIpAttribute, WgDeviceAttribute, WgPeerAttribute, NLA_TYPE_MASK,
 };
@@ -87,7 +88,7 @@ pub fn extend_device(
         let matching_last_peer = device
             .peers
             .last_mut()
-            .filter(|last_peer| Some(last_peer.public_key) == next_peer.public_key);
+            .filter(|last_peer| Some(&last_peer.public_key) == next_peer.public_key.as_ref());
 
         match matching_last_peer {
             Some(matching_last_peer) => matching_last_peer
@@ -269,15 +270,15 @@ pub fn parse_nla_nul_string(payload: &[u8]) -> Result<String, ParseAttributeErro
     Ok(String::from_utf8(payload)?)
 }
 
-pub fn parse_device_key(buf: &[u8]) -> Result<[u8; 32], ParseAttributeError> {
+pub fn parse_device_key(buf: &[u8]) -> Result<Key, ParseAttributeError> {
     Some(buf.len()).filter(|&len| len == 32).ok_or({
         ParseAttributeError::StaticLengthError {
             expected: 32,
             found: buf.len(),
         }
     })?;
 
-    let mut key = [0u8; 32];
+    let mut key = Key::default();
     key.copy_from_slice(buf);
     Ok(key)
 }
@@ -376,7 +377,7 @@ mod tests {
                     public_key: parse_device_key(&base64::decode(
                         "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg",
                     )?)?,
-                    preshared_key: [0u8; 32],
+                    preshared_key: Key::default(),
                     endpoint: Some("192.95.5.67:1234".parse()?),
                     persistent_keepalive_interval: 0,
                     last_handshake_time: Duration::new(0, 0),
@@ -400,7 +401,7 @@ mod tests {
                     public_key: parse_device_key(&base64::decode(
                         "TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0=",
                     )?)?,
-                    preshared_key: [0u8; 32],
+                    preshared_key: Key::default(),
                     endpoint: Some("[2607:5300:60:6b0::c05f:543]:2468".parse()?),
                     persistent_keepalive_interval: 0,
                     last_handshake_time: Duration::new(0, 0),
@@ -789,7 +790,7 @@ mod tests {
                     public_key: parse_device_key(&base64::decode(
                         "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg="
                     )?)?,
-                    preshared_key: [0u8; 32],
+                    preshared_key: Key::default(),
                     endpoint: Some("192.95.5.67:1234".parse()?),
                     persistent_keepalive_interval: 0,
                     last_handshake_time: Duration::new(0, 0),

src/xplatform/parser/parse.rs

@@ -1,12 +1,14 @@
 use super::state::{ParsePeerState, ParseState};
 use crate::get;
 use crate::get::{DeviceBuilderError, ParseAllowedIpError, PeerBuilderError};
+use crate::key::Key;
 use crate::xplatform::protocol::{GetKey, ParseKeyError};
 use std::net::AddrParseError;
 use std::num::ParseIntError;
 use std::{str::FromStr, time::Duration};
 use take_until::TakeUntilExt;
 use thiserror::Error;
+use zeroize::Zeroize;
 
 #[derive(Error, Debug)]
 pub enum ParseGetResponseError {
@@ -146,9 +148,9 @@ fn process_line(
     match state {
         ParseState::Initial(mut device_builder) => match key {
             GetKey::PrivateKey => {
-                let private_key: [u8; 32] = hex::decode(raw_val)
+                let private_key: Key = hex::decode(raw_val)
                     .ok()
-                    .and_then(|buf| parse_device_key(&buf))
+                    .and_then(parse_device_key)
                     .ok_or(ParseErr::InvalidPrivateKey)?;
                 device_builder.private_key(Some(private_key));
                 Ok(ParseState::InterfaceLevelKeys(device_builder))
@@ -184,10 +186,10 @@ fn process_line(
                 let mut peer_builder = get::PeerBuilder::default();
                 let public_key = hex::decode(raw_val)
                     .ok()
-                    .and_then(|buf| parse_device_key(&buf))
+                    .and_then(parse_device_key)
                     .ok_or_else(|| ParseErr::InvalidPublicKey(raw_val.to_string()))?;
                 peer_builder.public_key(public_key);
-                peer_builder.preshared_key([0u8; 32]);
+                peer_builder.preshared_key(Key::default());
                 peer_builder.persistent_keepalive_interval(0);
                 peer_builder.tx_bytes(0);
                 peer_builder.rx_bytes(0);
@@ -239,10 +241,10 @@ fn process_line(
                 state.peer_builder = get::PeerBuilder::default();
                 let public_key = hex::decode(raw_val)
                     .ok()
-                    .and_then(|buf| parse_device_key(&buf))
+                    .and_then(parse_device_key)
                     .ok_or_else(|| ParseErr::InvalidPublicKey(raw_val.to_string()))?;
                 state.peer_builder.public_key(public_key);
-                state.peer_builder.preshared_key([0u8; 32]);
+                state.peer_builder.preshared_key(Key::default());
                 state.peer_builder.persistent_keepalive_interval(0);
                 state.peer_builder.tx_bytes(0);
                 state.peer_builder.rx_bytes(0);
@@ -254,7 +256,7 @@ fn process_line(
             GetKey::PresharedKey => {
                 let preshared_key = hex::decode(raw_val)
                     .ok()
-                    .and_then(|buf| parse_device_key(&buf))
+                    .and_then(parse_device_key)
                     .ok_or_else(|| ParseErr::InvalidPresharedKey(raw_val.to_string()))?;
                 state.peer_builder.preshared_key(preshared_key);
                 Ok(ParseState::PeerLevelKeys(state))
@@ -316,20 +318,21 @@ fn process_line(
 }
 
 // TODO: Get this from a shared util
-pub fn parse_device_key(buf: &[u8]) -> Option<[u8; 32]> {
+pub fn parse_device_key(mut buf: Vec<u8>) -> Option<Key> {
     if buf.len() != 32 {
         return None;
     }
 
-    let mut key = [0u8; 32];
-    key.copy_from_slice(buf);
+    let mut key = Key::default();
+    key.copy_from_slice(&buf);
+    buf.zeroize();
     Some(key)
 }
 
 #[cfg(test)]
 mod tests {
     use super::{parse, parse_device_key};
-    use crate::get;
+    use crate::{get, key::Key};
     use std::time::Duration;
 
     #[test]
@@ -352,18 +355,18 @@ mod tests {
         let expected = get::Device {
             ifindex: 0,
             ifname: "".to_string(),
-            private_key: parse_device_key(&base64::decode(
+            private_key: parse_device_key(base64::decode(
                 "GKoQwFpTH1xTehhCazdjh/wsvXAa4bm0Jx4yeqrenU8=",
             )?),
             public_key: None,
             listen_port: 56137,
             fwmark: 0,
             peers: vec![get::Peer {
-                public_key: parse_device_key(&base64::decode(
+                public_key: parse_device_key(base64::decode(
                     "kT6g4g4owStcX1qFi5OgXmhtw85SThbzFDu7ECNnl1E=",
                 )?)
                 .unwrap(),
-                preshared_key: [0u8; 32],
+                preshared_key: Key::default(),
                 endpoint: Some("192.168.64.73:51820".parse()?),
                 last_handshake_time: Duration::new(1_590_459_201, 283_546_000),
                 tx_bytes: 824,
@@ -394,7 +397,7 @@ mod tests {
         let expected = get::Device {
             ifindex: 0,
             ifname: "".to_string(),
-            private_key: parse_device_key(&base64::decode(
+            private_key: parse_device_key(base64::decode(
                 "GKoQwFpTH1xTehhCazdjh/wsvXAa4bm0Jx4yeqrenU8=",
             )?),
             public_key: None,
@@ -440,19 +443,19 @@ mod tests {
         let expected = get::Device {
             ifindex: 0,
             ifname: "".to_string(),
-            private_key: parse_device_key(&base64::decode(
+            private_key: parse_device_key(base64::decode(
                 "6EtabScXwQA6E7QxVwNT26ypFGzxUMX4V1aA/rpSAno=",
             )?),
             public_key: None,
             listen_port: 12912,
             fwmark: 0,
             peers: vec![
                 get::Peer {
-                    public_key: parse_device_key(&base64::decode(
+                    public_key: parse_device_key(base64::decode(
                         "uFmW/sycfx/G0lcqdu2hHVm80gvo5UOxXOS9hajnWjM=",
                     )?)
                     .unwrap(),
-                    preshared_key: parse_device_key(&base64::decode(
+                    preshared_key: parse_device_key(base64::decode(
                         "GIUVCT6VL18i6GXO8wEucvi18LWYrAMJ1drM47cPz1I=",
                     )?)
                     .unwrap(),
@@ -469,11 +472,11 @@ mod tests {
                     protocol_version: 1,
                 },
                 get::Peer {
-                    public_key: parse_device_key(&base64::decode(
+                    public_key: parse_device_key(base64::decode(
                         "WEAuaVuhdyscyTCXVfBDJR6nf9zxD75jmJzrfhkyE3Y=",
                     )?)
                     .unwrap(),
-                    preshared_key: [0u8; 32],
+                    preshared_key: Key::default(),
                     endpoint: Some("182.122.22.19:3233".parse()?),
                     last_handshake_time: Duration::new(0, 0),
                     tx_bytes: 38333,
@@ -487,11 +490,11 @@ mod tests {
                     protocol_version: 1,
                 },
                 get::Peer {
-                    public_key: parse_device_key(&base64::decode(
+                    public_key: parse_device_key(base64::decode(
                         "Zi4U/VlFVvUiYEcDNANRJYkDtk81VTdj8ZQmqypRXFg=",
                     )?)
                     .unwrap(),
-                    preshared_key: [0u8; 32],
+                    preshared_key: Key::default(),
                     endpoint: Some("5.152.198.39:51820".parse()?),
                     last_handshake_time: Duration::new(0, 0),
                     tx_bytes: 1_212_111,