Remove the decaf_bzero function and replace with OPENSSL_cleanse()

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)

diff --git a/crypto/ec/curve448/curve448utils.h b/crypto/ec/curve448/curve448utils.h
index 71f8795e6eb9a94a1f9158d88aeb31d5ceff0dce..1ef3d736726598e66a3bceada80b6b9c8a4f6d9c 100644 (file)
--- a/crypto/ec/curve448/curve448utils.h
+++ b/crypto/ec/curve448/curve448utils.h
@@ -88,13 +88,6 @@ decaf_successful(decaf_error_t e) {
     return (w-1)>>DECAF_WORD_BITS;
 }
     
-/** Overwrite data with zeros.  Uses memset_s if available. */
-void decaf_bzero (
-    void *data,
-    size_t size
-) DECAF_NONNULL DECAF_API_VIS;
-
-    
 #ifdef __cplusplus
 } /* extern "C" */
 #endif

diff --git a/crypto/ec/curve448/decaf.c b/crypto/ec/curve448/decaf.c
index bbee4b022ef09f25f13138dbce8e04e96b869352..b7bf156089976d73480ae2c637b82a3e7595bd9b 100644 (file)
--- a/crypto/ec/curve448/decaf.c
+++ b/crypto/ec/curve448/decaf.c
@@ -12,6 +12,7 @@
  * Please do not edit it.
  */
 #define _XOPEN_SOURCE 600 /* for posix_memalign */
+#include <openssl/crypto.h>
 #include "word.h"
 #include "field.h"
 
@@ -516,8 +517,8 @@ prepare_fixed_window(
         pt_to_pniels(multiples[i], tmp);
     }
     
-    decaf_bzero(pn,sizeof(pn));
-    decaf_bzero(tmp,sizeof(tmp));
+    OPENSSL_cleanse(pn,sizeof(pn));
+    OPENSSL_cleanse(tmp,sizeof(tmp));
 }
 
 void API_NS(point_scalarmul) (
@@ -574,10 +575,10 @@ void API_NS(point_scalarmul) (
     /* Write out the answer */
     API_NS(point_copy)(a,tmp);
     
-    decaf_bzero(scalar1x,sizeof(scalar1x));
-    decaf_bzero(pn,sizeof(pn));
-    decaf_bzero(multiples,sizeof(multiples));
-    decaf_bzero(tmp,sizeof(tmp));
+    OPENSSL_cleanse(scalar1x,sizeof(scalar1x));
+    OPENSSL_cleanse(pn,sizeof(pn));
+    OPENSSL_cleanse(multiples,sizeof(multiples));
+    OPENSSL_cleanse(tmp,sizeof(tmp));
 }
 
 void API_NS(point_double_scalarmul) (
@@ -648,12 +649,12 @@ void API_NS(point_double_scalarmul) (
     API_NS(point_copy)(a,tmp);
     
 
-    decaf_bzero(scalar1x,sizeof(scalar1x));
-    decaf_bzero(scalar2x,sizeof(scalar2x));
-    decaf_bzero(pn,sizeof(pn));
-    decaf_bzero(multiples1,sizeof(multiples1));
-    decaf_bzero(multiples2,sizeof(multiples2));
-    decaf_bzero(tmp,sizeof(tmp));
+    OPENSSL_cleanse(scalar1x,sizeof(scalar1x));
+    OPENSSL_cleanse(scalar2x,sizeof(scalar2x));
+    OPENSSL_cleanse(pn,sizeof(pn));
+    OPENSSL_cleanse(multiples1,sizeof(multiples1));
+    OPENSSL_cleanse(multiples2,sizeof(multiples2));
+    OPENSSL_cleanse(tmp,sizeof(tmp));
 }
 
 void API_NS(point_dual_scalarmul) (
@@ -747,13 +748,13 @@ void API_NS(point_dual_scalarmul) (
         API_NS(point_copy)(a2, multiples2[0]);
     }
 
-    decaf_bzero(scalar1x,sizeof(scalar1x));
-    decaf_bzero(scalar2x,sizeof(scalar2x));
-    decaf_bzero(pn,sizeof(pn));
-    decaf_bzero(multiples1,sizeof(multiples1));
-    decaf_bzero(multiples2,sizeof(multiples2));
-    decaf_bzero(tmp,sizeof(tmp));
-    decaf_bzero(working,sizeof(working));
+    OPENSSL_cleanse(scalar1x,sizeof(scalar1x));
+    OPENSSL_cleanse(scalar2x,sizeof(scalar2x));
+    OPENSSL_cleanse(pn,sizeof(pn));
+    OPENSSL_cleanse(multiples1,sizeof(multiples1));
+    OPENSSL_cleanse(multiples2,sizeof(multiples2));
+    OPENSSL_cleanse(tmp,sizeof(tmp));
+    OPENSSL_cleanse(working,sizeof(working));
 }
 
 decaf_bool_t API_NS(point_eq) ( const point_t p, const point_t q ) {
@@ -888,7 +889,7 @@ static void batch_normalize_niels (
         gf_copy(table[i]->c, product);
     }
     
-    decaf_bzero(product,sizeof(product));
+    OPENSSL_cleanse(product,sizeof(product));
 }
 
 void API_NS(precompute) (
@@ -948,12 +949,12 @@ void API_NS(precompute) (
     
     batch_normalize_niels(table->table,(const gf *)zs,zis,n<<(t-1));
     
-    decaf_bzero(zs,sizeof(zs));
-    decaf_bzero(zis,sizeof(zis));
-    decaf_bzero(pn_tmp,sizeof(pn_tmp));
-    decaf_bzero(working,sizeof(working));
-    decaf_bzero(start,sizeof(start));
-    decaf_bzero(doubles,sizeof(doubles));
+    OPENSSL_cleanse(zs,sizeof(zs));
+    OPENSSL_cleanse(zis,sizeof(zis));
+    OPENSSL_cleanse(pn_tmp,sizeof(pn_tmp));
+    OPENSSL_cleanse(working,sizeof(working));
+    OPENSSL_cleanse(start,sizeof(start));
+    OPENSSL_cleanse(doubles,sizeof(doubles));
 }
 
 static DECAF_INLINE void
@@ -1009,8 +1010,8 @@ void API_NS(precomputed_scalarmul) (
         }
     }
     
-    decaf_bzero(ni,sizeof(ni));
-    decaf_bzero(scalar1x,sizeof(scalar1x));
+    OPENSSL_cleanse(ni,sizeof(ni));
+    OPENSSL_cleanse(scalar1x,sizeof(scalar1x));
 }
 
 void API_NS(point_cond_sel) (
@@ -1085,7 +1086,7 @@ void API_NS(point_mul_by_ratio_and_encode_like_eddsa) (
 #error "... probably wrong"
         gf_copy( x, u );
 #endif
-        decaf_bzero(u,sizeof(u));
+        OPENSSL_cleanse(u,sizeof(u));
     }
 #elif IMAGINE_TWIST
     {
@@ -1112,7 +1113,7 @@ void API_NS(point_mul_by_ratio_and_encode_like_eddsa) (
         gf_mul ( x, t, y );
         gf_mul ( y, z, u );
         gf_mul ( z, u, t );
-        decaf_bzero(u,sizeof(u));
+        OPENSSL_cleanse(u,sizeof(u));
     }
 #endif
     /* Affinize */
@@ -1125,10 +1126,10 @@ void API_NS(point_mul_by_ratio_and_encode_like_eddsa) (
     gf_serialize(enc, x, 1);
     enc[DECAF_EDDSA_448_PRIVATE_BYTES-1] |= 0x80 & gf_lobit(t);
 
-    decaf_bzero(x,sizeof(x));
-    decaf_bzero(y,sizeof(y));
-    decaf_bzero(z,sizeof(z));
-    decaf_bzero(t,sizeof(t));
+    OPENSSL_cleanse(x,sizeof(x));
+    OPENSSL_cleanse(y,sizeof(y));
+    OPENSSL_cleanse(z,sizeof(z));
+    OPENSSL_cleanse(t,sizeof(t));
     API_NS(point_destroy)(q);
 }
 
@@ -1195,10 +1196,10 @@ decaf_error_t API_NS(point_decode_like_eddsa_and_mul_by_ratio) (
         gf_mul ( p->z, p->t, c ); // (y^2-x^2)sd(2z^2 - y^2 + x^2)
         gf_mul ( p->y, d, c ); // (y^2+x^2)sd(2z^2 - y^2 + x^2)
         gf_mul ( p->t, d, b );
-        decaf_bzero(a,sizeof(a));
-        decaf_bzero(b,sizeof(b));
-        decaf_bzero(c,sizeof(c));
-        decaf_bzero(d,sizeof(d));
+        OPENSSL_cleanse(a,sizeof(a));
+        OPENSSL_cleanse(b,sizeof(b));
+        OPENSSL_cleanse(c,sizeof(c));
+        OPENSSL_cleanse(d,sizeof(d));
     } 
     #elif IMAGINE_TWIST
     {
@@ -1224,14 +1225,14 @@ decaf_error_t API_NS(point_decode_like_eddsa_and_mul_by_ratio) (
         gf_mul ( p->z, p->t, a );
         gf_mul ( p->y, p->t, d );
         gf_mul ( p->t, b, d );
-        decaf_bzero(a,sizeof(a));
-        decaf_bzero(b,sizeof(b));
-        decaf_bzero(c,sizeof(c));
-        decaf_bzero(d,sizeof(d));
+        OPENSSL_cleanse(a,sizeof(a));
+        OPENSSL_cleanse(b,sizeof(b));
+        OPENSSL_cleanse(c,sizeof(c));
+        OPENSSL_cleanse(d,sizeof(d));
     }
     #endif
     
-    decaf_bzero(enc2,sizeof(enc2));
+    OPENSSL_cleanse(enc2,sizeof(enc2));
     assert(API_NS(point_valid)(p) || ~succ);
     
     return decaf_succeed_if(mask_to_bool(succ));
@@ -1297,13 +1298,13 @@ decaf_error_t decaf_x448 (
     gf_serialize(out,x1,1);
     mask_t nz = ~gf_eq(x1,ZERO);
     
-    decaf_bzero(x1,sizeof(x1));
-    decaf_bzero(x2,sizeof(x2));
-    decaf_bzero(z2,sizeof(z2));
-    decaf_bzero(x3,sizeof(x3));
-    decaf_bzero(z3,sizeof(z3));
-    decaf_bzero(t1,sizeof(t1));
-    decaf_bzero(t2,sizeof(t2));
+    OPENSSL_cleanse(x1,sizeof(x1));
+    OPENSSL_cleanse(x2,sizeof(x2));
+    OPENSSL_cleanse(z2,sizeof(z2));
+    OPENSSL_cleanse(x3,sizeof(x3));
+    OPENSSL_cleanse(z3,sizeof(z3));
+    OPENSSL_cleanse(t1,sizeof(t1));
+    OPENSSL_cleanse(t2,sizeof(t2));
     
     return decaf_succeed_if(mask_to_bool(nz));
 }
@@ -1339,9 +1340,9 @@ void decaf_ed448_convert_public_key_to_x448 (
         gf_serialize(x,n,1);
 #endif /* EDDSA_USE_SIGMA_ISOGENY */
         
-        decaf_bzero(y,sizeof(y));
-        decaf_bzero(n,sizeof(n));
-        decaf_bzero(d,sizeof(d));
+        OPENSSL_cleanse(y,sizeof(y));
+        OPENSSL_cleanse(n,sizeof(n));
+        OPENSSL_cleanse(d,sizeof(d));
     }
 }
 
@@ -1475,7 +1476,7 @@ prepare_wnaf_table(
     }
     
     API_NS(point_destroy)(tmp);
-    decaf_bzero(twop,sizeof(twop));
+    OPENSSL_cleanse(twop,sizeof(twop));
 }
 
 extern const gf API_NS(precomputed_wnaf_as_fe)[];
@@ -1502,9 +1503,9 @@ void API_NS(precompute_wnafs) (
     }
     batch_normalize_niels(out, (const gf *)zs, zis, 1<<DECAF_WNAF_FIXED_TABLE_BITS);
     
-    decaf_bzero(tmp,sizeof(tmp));
-    decaf_bzero(zs,sizeof(zs));
-    decaf_bzero(zis,sizeof(zis));
+    OPENSSL_cleanse(tmp,sizeof(tmp));
+    OPENSSL_cleanse(zs,sizeof(zs));
+    OPENSSL_cleanse(zis,sizeof(zis));
 }
 
 void API_NS(base_double_scalarmul_non_secret) (
@@ -1570,9 +1571,9 @@ void API_NS(base_double_scalarmul_non_secret) (
     }
     
     /* This function is non-secret, but whatever this is cheap. */
-    decaf_bzero(control_var,sizeof(control_var));
-    decaf_bzero(control_pre,sizeof(control_pre));
-    decaf_bzero(precmp_var,sizeof(precmp_var));
+    OPENSSL_cleanse(control_var,sizeof(control_var));
+    OPENSSL_cleanse(control_pre,sizeof(control_pre));
+    OPENSSL_cleanse(precmp_var,sizeof(precmp_var));
 
     assert(contv == ncb_var); (void)ncb_var;
     assert(contp == ncb_pre); (void)ncb_pre;
@@ -1581,11 +1582,11 @@ void API_NS(base_double_scalarmul_non_secret) (
 void API_NS(point_destroy) (
     point_t point
 ) {
-    decaf_bzero(point, sizeof(point_t));
+    OPENSSL_cleanse(point, sizeof(point_t));
 }
 
 void API_NS(precomputed_destroy) (
     precomputed_s *pre
 ) {
-    decaf_bzero(pre, API_NS(sizeof_precomputed_s));
+    OPENSSL_cleanse(pre, API_NS(sizeof_precomputed_s));
 }

diff --git a/crypto/ec/curve448/eddsa.c b/crypto/ec/curve448/eddsa.c
index 9f68e31177171546787eb29b24d5454f6e4f65bd..2fa7d5dce273ceda1f119c1a2742734e69ddc3ab 100644 (file)
--- a/crypto/ec/curve448/eddsa.c
+++ b/crypto/ec/curve448/eddsa.c
@@ -12,6 +12,8 @@
  * @warning This file was automatically generated in Python.
  * Please do not edit it.
  */
+#include <openssl/crypto.h>
+
 #include "word.h"
 #include "ed448.h"
 #include "shake.h"
@@ -140,7 +142,7 @@ void decaf_ed448_derive_public_key (
     /* Cleanup */
     API_NS(scalar_destroy)(secret_scalar);
     API_NS(point_destroy)(p);
-    decaf_bzero(secret_scalar_ser, sizeof(secret_scalar_ser));
+    OPENSSL_cleanse(secret_scalar_ser, sizeof(secret_scalar_ser));
 }
 
 void decaf_ed448_sign (
@@ -174,7 +176,7 @@ void decaf_ed448_sign (
         hash_init_with_dom(hash,prehashed,0,context,context_len);
         hash_update(hash,expanded.seed,sizeof(expanded.seed));
         hash_update(hash,message,message_len);
-        decaf_bzero(&expanded, sizeof(expanded));
+        OPENSSL_cleanse(&expanded, sizeof(expanded));
     }
     
     /* Decode the nonce */
@@ -183,7 +185,7 @@ void decaf_ed448_sign (
         uint8_t nonce[2*DECAF_EDDSA_448_PRIVATE_BYTES];
         hash_final(hash,nonce,sizeof(nonce));
         API_NS(scalar_decode_long)(nonce_scalar, nonce, sizeof(nonce));
-        decaf_bzero(nonce, sizeof(nonce));
+        OPENSSL_cleanse(nonce, sizeof(nonce));
     }
     
     uint8_t nonce_point[DECAF_EDDSA_448_PUBLIC_BYTES] = {0};
@@ -213,13 +215,13 @@ void decaf_ed448_sign (
         hash_final(hash,challenge,sizeof(challenge));
         hash_destroy(hash);
         API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));
-        decaf_bzero(challenge,sizeof(challenge));
+        OPENSSL_cleanse(challenge,sizeof(challenge));
     }
     
     API_NS(scalar_mul)(challenge_scalar,challenge_scalar,secret_scalar);
     API_NS(scalar_add)(challenge_scalar,challenge_scalar,nonce_scalar);
     
-    decaf_bzero(signature,DECAF_EDDSA_448_SIGNATURE_BYTES);
+    OPENSSL_cleanse(signature,DECAF_EDDSA_448_SIGNATURE_BYTES);
     memcpy(signature,nonce_point,sizeof(nonce_point));
     API_NS(scalar_encode)(&signature[DECAF_EDDSA_448_PUBLIC_BYTES],challenge_scalar);
     
@@ -246,7 +248,7 @@ void decaf_ed448_sign_prehash (
     }
 
     decaf_ed448_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
-    decaf_bzero(hash_output,sizeof(hash_output));
+    OPENSSL_cleanse(hash_output,sizeof(hash_output));
 }
 
 decaf_error_t decaf_ed448_verify (
@@ -277,7 +279,7 @@ decaf_error_t decaf_ed448_verify (
         hash_final(hash,challenge,sizeof(challenge));
         hash_destroy(hash);
         API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));
-        decaf_bzero(challenge,sizeof(challenge));
+        OPENSSL_cleanse(challenge,sizeof(challenge));
     }
     API_NS(scalar_sub)(challenge_scalar, API_NS(scalar_zero), challenge_scalar);
     

diff --git a/crypto/ec/curve448/scalar.c b/crypto/ec/curve448/scalar.c
index 6f9c371e792f80a90a9d31885ac9add5e64c0ee6..5bc7b24cc614e66c8dd49c843122472366440aa4 100644 (file)
--- a/crypto/ec/curve448/scalar.c
+++ b/crypto/ec/curve448/scalar.c
@@ -11,6 +11,8 @@
  * @warning This file was automatically generated in Python.
  * Please do not edit it.
  */
+#include <openssl/crypto.h>
+
 #include "word.h"
 #include "constant_time.h"
 #include "point_448.h"
@@ -169,7 +171,7 @@ decaf_error_t API_NS(scalar_invert) (
     
     /* Demontgomerize */
     sc_montmul(out,out,API_NS(scalar_one));
-    decaf_bzero(precmp, sizeof(precmp));
+    OPENSSL_cleanse(precmp, sizeof(precmp));
     return decaf_succeed_if(~API_NS(scalar_eq)(out,API_NS(scalar_zero)));
 }
 
@@ -259,7 +261,7 @@ decaf_error_t API_NS(scalar_decode)(
 void API_NS(scalar_destroy) (
     scalar_t scalar
 ) {
-    decaf_bzero(scalar, sizeof(scalar_t));
+    OPENSSL_cleanse(scalar, sizeof(scalar_t));
 }
 
 void API_NS(scalar_decode_long)(

diff --git a/crypto/ec/curve448/shake.c b/crypto/ec/curve448/shake.c
index aab044691f883db2852582b34156fd157f9c52f7..fc119f2e8ed9ffb07eb53fcde76ad95e297b07e8 100644 (file)
--- a/crypto/ec/curve448/shake.c
+++ b/crypto/ec/curve448/shake.c
@@ -17,6 +17,7 @@
 #include <assert.h>
 #include <stdint.h>
 #include <string.h>
+#include <openssl/crypto.h>
 
 #include "portable_endian.h"
 #include "keccak_internal.h"
@@ -179,7 +180,7 @@ void decaf_sha3_reset (
 }
 
 void decaf_sha3_destroy (decaf_keccak_sponge_t decaf_sponge) {
-    decaf_bzero(decaf_sponge, sizeof(decaf_keccak_sponge_t));
+    OPENSSL_cleanse(decaf_sponge, sizeof(decaf_keccak_sponge_t));
 }
 
 void decaf_sha3_init (

diff --git a/crypto/ec/curve448/utils.c b/crypto/ec/curve448/utils.c
deleted file mode 100644 (file)
index b28a164..0000000
--- a/crypto/ec/curve448/utils.c
+++ /dev/null
@@ -1,29 +0,0 @@
-/* Copyright (c) 2015 Cryptography Research, Inc.
- * Released under the MIT License.  See LICENSE.txt for license information.
- */
-
-/**
- * @file utils.c
- * @author Mike Hamburg
- * @brief Decaf utility functions.
- */
-
-#include "curve448utils.h"
-
-void decaf_bzero (
-    void *s,
-    size_t size
-) {
-#ifdef __STDC_LIB_EXT1__
-    memset_s(s, size, 0, size);
-#else
-    const size_t sw = sizeof(decaf_word_t);
-    volatile uint8_t *destroy = (volatile uint8_t *)s;
-    for (; size && ((uintptr_t)destroy)%sw; size--, destroy++)
-        *destroy = 0;
-    for (; size >= sw; size -= sw, destroy += sw)
-        *(volatile decaf_word_t *)destroy = 0;
-    for (; size; size--, destroy++)
-        *destroy = 0;
-#endif
-}