adding zeroize to everything (this was rly easy...)

laudiacay · laudiacay · commit 1a33c35ca19b · 2023-01-28T12:02:20.000-05:00
diff --git a/blake2/Cargo.toml b/blake2/Cargo.toml
@@ -18,6 +18,7 @@ crypto-mac = "0.8"
 digest = "0.9"
 opaque-debug = "0.3"
 subtle = { version = ">=2, <2.5", default-features = false }
+zeroize = { version = "1.1", features = ["zeroize_derive"] }
 
 [dev-dependencies]
 crypto-mac = { version = "0.8", features = ["dev"] }
diff --git a/blake2/src/blake2b.rs b/blake2/src/blake2b.rs
@@ -44,6 +44,7 @@ use digest::{
     generic_array::GenericArray,
     BlockInput, FixedOutputDirty, InvalidOutputSize, Reset, Update, VariableOutputDirty,
 };
+use zeroize::ZeroizeOnDrop;
 
 pub(crate) type Word = u64;
 pub(crate) type Count = u128;
@@ -108,7 +109,7 @@ pub fn blake2b(input: &[u8]) -> Hash {
 }
 
 /// Blake2b instance with a fixed output.
-#[derive(Clone, Default)]
+#[derive(Clone, Default, ZeroizeOnDrop)]
 pub struct Blake2b {
     params: Params,
     state: State,
@@ -192,7 +193,7 @@ opaque_debug::implement!(Blake2b);
 digest::impl_write!(Blake2b);
 
 /// Blake2b instance with a variable output.
-#[derive(Clone, Default)]
+#[derive(Clone, Default, ZeroizeOnDrop)]
 pub struct VarBlake2b {
     params: Params,
     state: State,
diff --git a/blake2/src/blake2b/backend.rs b/blake2/src/blake2b/backend.rs
@@ -9,6 +9,7 @@ mod sse41;
 use super::*;
 use arrayref::array_ref;
 use core::cmp;
+use zeroize::Zeroize;
 
 #[cfg(any(target_arch = "x86", target_arch = "x86_64"))]
 pub const MAX_DEGREE: usize = 4;
@@ -138,6 +139,12 @@ impl Implementation {
     }
 }
 
+impl Zeroize for Implementation {
+    fn zeroize(&mut self) {
+        // Nothing to do.
+    }
+}
+
 pub struct Job<'a, 'b> {
     pub input: &'a [u8],
     pub words: &'b mut [Word; 8],
@@ -181,6 +188,12 @@ pub enum LastNode {
     No,
 }
 
+impl Zeroize for LastNode {
+    fn zeroize(&mut self) {
+        // Nothing to do.
+    }
+}
+
 impl LastNode {
     pub fn yes(&self) -> bool {
         match self {
diff --git a/blake2/src/blake2b/params.rs b/blake2/src/blake2b/params.rs
@@ -3,6 +3,7 @@ use super::{
 };
 use arrayref::array_refs;
 use core::fmt;
+use zeroize::ZeroizeOnDrop;
 
 /// A parameter builder that exposes all the non-default BLAKE2 features.
 ///
@@ -28,7 +29,7 @@ use core::fmt;
 /// // Or use those params to build an incremental State.
 /// let mut state = params.to_state();
 /// ```
-#[derive(Clone)]
+#[derive(Clone, ZeroizeOnDrop)]
 pub struct Params {
     pub(super) hash_length: u8,
     pub(super) key_length: u8,
diff --git a/blake2/src/blake2b/state.rs b/blake2/src/blake2b/state.rs
@@ -2,6 +2,8 @@ use super::{backend, Count, Hash, Params, Word, BLOCKBYTES, OUTBYTES};
 use arrayref::mut_array_refs;
 use core::{cmp, fmt, mem::size_of};
 
+use zeroize::ZeroizeOnDrop;
+
 /// An incremental hasher for BLAKE2b.
 ///
 /// To construct a `State` with non-default parameters, see `Params::to_state`.
@@ -19,7 +21,7 @@ use core::{cmp, fmt, mem::size_of};
 /// state.update(b"bar");
 /// assert_eq!(blake2b(b"foobar"), state.finalize());
 /// ```
-#[derive(Clone)]
+#[derive(Clone, ZeroizeOnDrop)]
 pub struct State {
     pub(super) words: [Word; 8],
     pub(super) count: Count,
diff --git a/blake2/src/blake2bp.rs b/blake2/src/blake2bp.rs
@@ -26,6 +26,7 @@ use crate::blake2b::{
     many, state, Count, Hash, Word, BLOCKBYTES, KEYBYTES, OUTBYTES,
 };
 use core::{cmp, fmt, mem::size_of};
+use zeroize::ZeroizeOnDrop;
 
 pub(crate) const DEGREE: usize = 4;
 
@@ -58,7 +59,7 @@ pub fn blake2bp(input: &[u8]) -> Hash {
 /// use blake2::blake2bp;
 /// let mut state = blake2bp::Params::new().hash_length(32).to_state();
 /// ```
-#[derive(Clone)]
+#[derive(Clone, ZeroizeOnDrop)]
 pub struct Params {
     hash_length: u8,
     key_length: u8,
@@ -206,7 +207,7 @@ impl fmt::Debug for Params {
 ///                 dfa3205f7f7f71e4f0673d25fa82a368488911f446bccd323af3ab03f53e56e5";
 /// assert_eq!(expected, &hash.to_hex());
 /// ```
-#[derive(Clone)]
+#[derive(Clone, ZeroizeOnDrop)]
 pub struct State {
     leaf_words: [[Word; 8]; DEGREE],
     root_words: [Word; 8],
diff --git a/blake2/src/blake2s.rs b/blake2/src/blake2s.rs
@@ -43,6 +43,7 @@ use digest::{
     generic_array::GenericArray,
     BlockInput, FixedOutputDirty, InvalidOutputSize, Reset, Update, VariableOutputDirty,
 };
+use zeroize::ZeroizeOnDrop;
 
 pub(crate) type Word = u32;
 pub(crate) type Count = u64;
@@ -97,7 +98,7 @@ pub fn blake2s(input: &[u8]) -> Hash {
 }
 
 /// Blake2s instance with a fixed output.
-#[derive(Clone, Default)]
+#[derive(Clone, Default, ZeroizeOnDrop)]
 pub struct Blake2s {
     params: Params,
     state: State,
@@ -181,7 +182,7 @@ opaque_debug::implement!(Blake2s);
 digest::impl_write!(Blake2s);
 
 /// Blake2s instance with a variable output.
-#[derive(Clone, Default)]
+#[derive(Clone, Default, ZeroizeOnDrop)]
 pub struct VarBlake2s {
     params: Params,
     state: State,
diff --git a/blake2/src/blake2s/backend.rs b/blake2/src/blake2s/backend.rs
@@ -9,6 +9,8 @@ mod sse41;
 use super::*;
 use arrayref::array_ref;
 use core::cmp;
+use digest::generic_array::typenum::Zero;
+use zeroize::Zeroize;
 
 #[cfg(any(target_arch = "x86", target_arch = "x86_64"))]
 pub const MAX_DEGREE: usize = 8;
@@ -136,6 +138,12 @@ impl Implementation {
     }
 }
 
+impl Zeroize for Implementation {
+    fn zeroize(&mut self) {
+        // Nothing to do.
+    }
+}
+
 pub struct Job<'a, 'b> {
     pub input: &'a [u8],
     pub words: &'b mut [Word; 8],
@@ -179,6 +187,12 @@ pub enum LastNode {
     No,
 }
 
+impl Zeroize for LastNode {
+    fn zeroize(&mut self) {
+        // Nothing to do.
+    }
+}
+
 impl LastNode {
     pub fn yes(&self) -> bool {
         match self {
diff --git a/blake2/src/blake2s/params.rs b/blake2/src/blake2s/params.rs
@@ -3,6 +3,7 @@ use super::{
 };
 use arrayref::array_refs;
 use core::fmt;
+use zeroize::ZeroizeOnDrop;
 
 /// A parameter builder that exposes all the non-default BLAKE2 features.
 ///
@@ -28,7 +29,7 @@ use core::fmt;
 /// // Or use those params to build an incremental State.
 /// let mut state = params.to_state();
 /// ```
-#[derive(Clone)]
+#[derive(Clone, ZeroizeOnDrop)]
 pub struct Params {
     pub(super) hash_length: u8,
     pub(super) key_length: u8,
diff --git a/blake2/src/blake2s/state.rs b/blake2/src/blake2s/state.rs
@@ -1,6 +1,7 @@
 use super::{backend, Count, Hash, Params, Word, BLOCKBYTES, OUTBYTES};
 use arrayref::mut_array_refs;
 use core::{cmp, fmt, mem::size_of};
+use zeroize::ZeroizeOnDrop;
 
 /// An incremental hasher for BLAKE2s.
 ///
@@ -19,7 +20,7 @@ use core::{cmp, fmt, mem::size_of};
 /// state.update(b"bar");
 /// assert_eq!(blake2s(b"foobar"), state.finalize());
 /// ```
-#[derive(Clone)]
+#[derive(Clone, ZeroizeOnDrop)]
 pub struct State {
     pub(super) words: [Word; 8],
     pub(super) count: Count,
diff --git a/blake2/src/blake2sp.rs b/blake2/src/blake2sp.rs
@@ -26,6 +26,7 @@ use crate::blake2s::{
     many, state, Count, Hash, Word, BLOCKBYTES, KEYBYTES, OUTBYTES,
 };
 use core::{cmp, fmt, mem::size_of};
+use zeroize::ZeroizeOnDrop;
 
 pub(crate) const DEGREE: usize = 8;
 
@@ -57,7 +58,7 @@ pub fn blake2sp(input: &[u8]) -> Hash {
 /// use blake2::blake2sp;
 /// let mut state = blake2sp::Params::new().hash_length(32).to_state();
 /// ```
-#[derive(Clone)]
+#[derive(Clone, ZeroizeOnDrop)]
 pub struct Params {
     hash_length: u8,
     key_length: u8,
@@ -213,7 +214,7 @@ impl fmt::Debug for Params {
 /// let expected = "268120e51df583c61d6bfb7915f1c8ead299696c42f413092cd0b2247e1a388d";
 /// assert_eq!(expected, &hash.to_hex());
 /// ```
-#[derive(Clone)]
+#[derive(Clone, ZeroizeOnDrop)]
 pub struct State {
     leaf_words: [[Word; 8]; DEGREE],
     root_words: [Word; 8],
