fix(permutation): wrap secret locals in Zeroizing for unwind safety

Follow-up to the constant-time fix. The explicit `kv.zeroize()` and
`input.zeroize()` calls only run on the success path; if any operation
between secret extraction and the wipe ever unwinds, the secret bytes
would be left on the stack. None of the current operations between the
bookends can panic, but encoding unwind-safety in the type system is
strictly better than relying on that invariant holding forever.

Wrap `input`, `kv`, `selected`, and `src` in `Zeroizing<_>` so the wipe
is performed by `Drop`, guaranteed on every exit including panic. The
explicit `.zeroize()` calls become redundant and are removed.

Verified with the trailofbits zeroize-audit skill: volatile-zero stores
in the LLVM IR are intact at O3 (10) and not reduced from O0 (8). The
ct_analyzer still PASSES on arm64. Permutation correctness tests pass.

Author: coderdan

packages/permutation/src/elementwise.rs

@@ -1,7 +1,7 @@
 use crate::{private::IsPermutable, PermutationKey};
 use subtle::{ConditionallySelectable, ConstantTimeEq};
 use vitaminc_protected::{Controlled, Zeroed};
-use zeroize::Zeroize;
+use zeroize::{Zeroize, Zeroizing};
 
 // TODO: Make this a private trait
 // FIXME: This trait is backwards - self should be T and the argument should be a key
@@ -35,53 +35,49 @@ where
 }
 
 #[inline]
-pub fn permute_array<const N: usize, T>(key: &PermutationKey<N>, mut input: [T; N]) -> [T; N]
+pub fn permute_array<const N: usize, T>(key: &PermutationKey<N>, input: [T; N]) -> [T; N]
 where
     [T; N]: IsPermutable + Zeroed,
     T: Zeroize + Copy + ConditionallySelectable,
 {
     // Constant-time scan: for each output position `i`, the key byte `kv`
     // selects which input element to copy. We scan all `j` in 0..N and use
     // `ConditionallySelectable` so the access pattern is independent of `kv`,
-    // preventing cache-line timing leaks of the secret key bytes.
+    // preventing cache-line timing leaks of the secret key bytes. Secret
+    // locals are wrapped in `Zeroizing` so they are wiped on any unwind path.
+    let input = Zeroizing::new(input);
     let mut out: [T; N] = Zeroed::zeroed();
     for (i, k) in key.iter().enumerate() {
-        let mut kv: u8 = k.risky_unwrap();
-        let mut selected: T = input[0];
+        let kv = Zeroizing::new(k.risky_unwrap());
+        let mut selected = Zeroizing::new(input[0]);
         for (j, src) in input.iter().enumerate().skip(1) {
-            let mask = (j as u8).ct_eq(&kv);
+            let mask = (j as u8).ct_eq(&*kv);
             selected.conditional_assign(src, mask);
         }
-        out[i] = selected;
-        kv.zeroize();
+        out[i] = *selected;
     }
-
-    // We copied all elements to the output so we should zeroize the input
-    input.zeroize();
     out
 }
 
 #[inline]
-pub fn depermute_array<const N: usize, T>(key: &PermutationKey<N>, mut input: [T; N]) -> [T; N]
+pub fn depermute_array<const N: usize, T>(key: &PermutationKey<N>, input: [T; N]) -> [T; N]
 where
     [T; N]: IsPermutable + Zeroed,
     T: Zeroize + Copy + ConditionallySelectable,
 {
     // Constant-time scatter: for each (i, kv), write `input[i]` to `out[kv]`
     // by scanning every output slot and conditionally assigning when `j == kv`.
+    // Secret locals are wrapped in `Zeroizing` for unwind safety.
+    let input = Zeroizing::new(input);
     let mut out: [T; N] = Zeroed::zeroed();
     for (i, k) in key.iter().enumerate() {
-        let mut kv: u8 = k.risky_unwrap();
-        let src = input[i];
+        let kv = Zeroizing::new(k.risky_unwrap());
+        let src = Zeroizing::new(input[i]);
         for (j, dst) in out.iter_mut().enumerate() {
-            let mask = (j as u8).ct_eq(&kv);
-            dst.conditional_assign(&src, mask);
+            let mask = (j as u8).ct_eq(&*kv);
+            dst.conditional_assign(&*src, mask);
         }
-        kv.zeroize();
     }
-
-    // We copied all elements to the output so we should zeroize the input
-    input.zeroize();
     out
 }