Support ZeroizeOnDrop for BazeIban#54

Open
nepalez wants to merge 4 commits into ThomasdenH:master from nepalez:master
Conversation

@nepalez nepalez commented Oct 17, 2025

Hi! Here I added the feature-protected support for the BaseIban zeroization via the well-known crate zeroize. This would help using the type as a part of secure structures supporting the zeroization (to comply with PCI DSS and other security standards).

Under the hood it just relies on the ArrayString's implementation of Zeroize.

In addition (see the second commit) I provided zeroization of the temporary objects created during the validation to prevent any partial leaks of invalid IBANs.

I added zeroization to the BaseIban only (not to the Iban) because the latter is expected to be checked, but its zeroization would break any invariants. If the Iban were not copied, it would be worth it to implement ZeroizeOnDrop, but for structs on a stack (which is necessary for #[no_std]), the Copy is definitely more important.

See the test example for the usage.

@ThomasdenH (Owner) commented

Thanks for the PR!

I'm not sure what would be the right way to do this. Zeroization of a BaseIban already breaks its invariants, for example the requirement that it starts with two letters. Therefore I think it makes sense to implement Zeroize on both Iban and BaseIban, or otherwise on neither. Maybe it would be better to be pragmatic and go for the first option. I can think of two alternative options:

  • Add a feature to allow choosing ZeroizeOnDrop/Copy depending on the needs.
  • Creating some higher level type, something like Option<Iban> that implements Zeroize.

I'm sure there are already some established preferred ways to do this that I'm not familiar with. What do you think?

@nepalez (Author) commented Oct 31, 2025

Hi! You're right, thank you.

It seems like ZeroizeOnDrop is the only thing that prevents leaking the data (to another process, for example) after memory deallocation. I recognized that a manual zeroization does not guarantee safety when a panic is unwound.

I'll fix the PR ASAP with these factors in mind.

# Conflicts:
#	iban_validate/README.md
#	iban_validate/src/base_iban.rs
@nepalez nepalez changed the title Support zeroization of BazeIban Support ZeroizeOnDrop for BazeIban Nov 2, 2025
@nepalez (Author) commented Nov 2, 2025

I updated the PR to only support the ZeroizeOnDrop for BaseIban.

Some helper functions were fixed to ensure strings allocated inside them are wrapped in the BaseIban from the very beginning. This prevents their memory from keeping sensitive data during a panic. Being parts of a zeroized structure, they are guaranteed to be zeroized as well.

The consequence of this change is that Copy won't be implemented for BaseIban, Iban, and their errors (that wrap BaseIban) because structures that implement the Drop trait cannot be copied. This restriction applies only when the "zeroize" feature is turned on.
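As an added illustration (not code from the PR or from the iban_validate crate), a stand-alone Rust sketch of the pattern the comment describes: a fixed-size stack buffer, modelled on ArrayString, that is wiped in Drop, so a validation temporary is cleared on `?` early returns and during panic unwinding, and which therefore can no longer be Copy. `BaseIbanBuf`, `parse_base_iban` and the `WIPES` counter are assumed names; the wipe uses volatile writes directly instead of the zeroize crate, and the two-letter check is only the invariant mentioned in the thread, not full IBAN validation.

```rust
use core::ptr::write_volatile;
use core::sync::atomic::{compiler_fence, AtomicUsize, Ordering};

const MAX_LEN: usize = 34; // longest IBAN defined by ISO 13616
pub static WIPES: AtomicUsize = AtomicUsize::new(0); // wipes observed by the test

/// Stack-allocated stand-in for ArrayString (no heap, no_std-friendly), wiped on drop.
pub struct BaseIbanBuf {
    bytes: [u8; MAX_LEN],
    len: usize,
}

impl BaseIbanBuf {
    pub fn as_bytes(&self) -> &[u8] {
        &self.bytes[..self.len]
    }
    /// Volatile stores keep the optimiser from removing "dead" writes; the fence stops
    /// later code from being reordered ahead of the wipe (the zeroize crate's approach).
    pub fn zeroize(&mut self) {
        for b in self.bytes.iter_mut() {
            unsafe { write_volatile(b, 0) };
        }
        compiler_fence(Ordering::SeqCst);
        self.len = 0;
    }
    pub fn is_wiped(&self) -> bool {
        self.len == 0 && self.bytes.iter().all(|&b| b == 0)
    }
}

// Drop runs on scope exit, on `?` early returns and on panic unwind; having a Drop
// impl is also why the type can no longer be Copy, the trade-off the PR accepts.
impl Drop for BaseIbanBuf {
    fn drop(&mut self) {
        self.zeroize();
        WIPES.fetch_add(1, Ordering::SeqCst);
    }
}

/// Copy input into the wipeable buffer *before* validating, so no partial IBAN
/// sits in an unprotected temporary if validation fails or panics.
pub fn parse_base_iban(input: &str) -> Result<BaseIbanBuf, &'static str> {
    let mut buf = BaseIbanBuf { bytes: [0; MAX_LEN], len: 0 };
    for b in input.bytes().filter(|b| !b.is_ascii_whitespace()) {
        if buf.len == MAX_LEN {
            return Err("IBAN longer than 34 characters"); // `buf` dropped and wiped here
        }
        buf.bytes[buf.len] = b.to_ascii_uppercase();
        buf.len += 1;
    }
    if buf.len < 2 || !buf.bytes[..2].iter().all(u8::is_ascii_alphabetic) {
        return Err("IBAN must start with a two-letter country code");
    }
    Ok(buf)
}
```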
