introduce and use memzero instead of explicit_bzero

Makefile

@@ -50,6 +50,7 @@ SRCS  += chacha20poly1305/chacha20poly1305.c chacha20poly1305/chacha_merged.c ch
 SRCS  += rc4.c
 SRCS  += nem.c
 SRCS  += segwit_addr.c
+SRCS  += memzero.c
 
 OBJS   = $(SRCS:.c=.o)
 

base58.c

@@ -27,6 +27,7 @@
 #include "base58.h"
 #include "sha2.h"
 #include "ripemd160.h"
+#include "memzero.h"
 
 static const int8_t b58digits_map[] = {
 	-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,
@@ -199,7 +200,7 @@ int base58_encode_check(const uint8_t *data, int datalen, HasherType hasher_type
 	hasher_Raw(hasher_type, hash, 32, hash);
 	size_t res = strsize;
 	bool success = b58enc(str, &res, buf, datalen + 4);
-	explicit_bzero(buf, sizeof(buf));
+	memzero(buf, sizeof(buf));
 	return success ? res : 0;
 }
 
@@ -253,7 +254,7 @@ int base58gph_encode_check(const uint8_t *data, int datalen, char *str, int strs
 	ripemd160(data, datalen, hash);  // No double SHA256, but a single RIPEMD160
 	size_t res = strsize;
 	bool success = b58enc(str, &res, buf, datalen + 4);
-	explicit_bzero(buf, sizeof(buf));
+	memzero(buf, sizeof(buf));
 	return success ? res : 0;
 }
 

bignum.c

@@ -27,6 +27,7 @@
 #include <string.h>
 #include <assert.h>
 #include "bignum.h"
+#include "memzero.h"
 
 /* big number library */
 
@@ -489,7 +490,7 @@ void bn_multiply(const bignum256 *k, bignum256 *x, const bignum256 *prime)
 	uint32_t res[18] = {0};
 	bn_multiply_long(k, x, res);
 	bn_multiply_reduce(x, res, prime); 
-	explicit_bzero(res, sizeof(res));
+	memzero(res, sizeof(res));
 }
 
 // partly reduce x modulo prime
@@ -551,8 +552,8 @@ void bn_sqrt(bignum256 *x, const bignum256 *prime)
 	}
 	bn_mod(&res, prime);
 	memcpy(x, &res, sizeof(bignum256));
-	explicit_bzero(&res, sizeof(res));
-	explicit_bzero(&p, sizeof(p));
+	memzero(&res, sizeof(res));
+	memzero(&p, sizeof(p));
 }
 
 #if ! USE_INVERSE_FAST
@@ -860,9 +861,9 @@ void bn_inverse(bignum256 *x, const bignum256 *prime)
 	x->val[i] = temp32;
 
 	// let's wipe all temp buffers
-	explicit_bzero(pp, sizeof(pp));
-	explicit_bzero(&us, sizeof(us));
-	explicit_bzero(&vr, sizeof(vr));
+	memzero(pp, sizeof(pp));
+	memzero(&us, sizeof(us));
+	memzero(&vr, sizeof(vr));
 }
 #endif
 

bip32.c

@@ -46,6 +46,7 @@
 #if USE_NEM
 #include "nem.h"
 #endif
+#include "memzero.h"
 
 const curve_info ed25519_info = {
 	.bip32_name = "ed25519 seed",
@@ -86,7 +87,7 @@ int hdnode_from_xpub(uint32_t depth, uint32_t child_num, const uint8_t *chain_co
 	out->depth = depth;
 	out->child_num = child_num;
 	memcpy(out->chain_code, chain_code, 32);
-	explicit_bzero(out->private_key, 32);
+	memzero(out->private_key, 32);
 	memcpy(out->public_key, public_key, 33);
 	return 1;
 }
@@ -107,7 +108,7 @@ int hdnode_from_xprv(uint32_t depth, uint32_t child_num, const uint8_t *chain_co
 				failed = true;
 			}
 		}
-		explicit_bzero(&a, sizeof(a));
+		memzero(&a, sizeof(a));
 	}
 
 	if (failed) {
@@ -119,7 +120,7 @@ int hdnode_from_xprv(uint32_t depth, uint32_t child_num, const uint8_t *chain_co
 	out->child_num = child_num;
 	memcpy(out->chain_code, chain_code, 32);
 	memcpy(out->private_key, private_key, 32);
-	explicit_bzero(out->public_key, sizeof(out->public_key));
+	memzero(out->public_key, sizeof(out->public_key));
 	return 1;
 }
 
@@ -150,12 +151,12 @@ int hdnode_from_seed(const uint8_t *seed, int seed_len, const char* curve, HDNod
 			hmac_sha512_Update(&ctx, I, sizeof(I));
 			hmac_sha512_Final(&ctx, I);
 		}
-		explicit_bzero(&a, sizeof(a));
+		memzero(&a, sizeof(a));
 	}
 	memcpy(out->private_key, I, 32);
 	memcpy(out->chain_code, I + 32, 32);
-	explicit_bzero(out->public_key, sizeof(out->public_key));
-	explicit_bzero(I, sizeof(I));
+	memzero(out->public_key, sizeof(out->public_key));
+	memzero(I, sizeof(I));
 	return 1;
 }
 
@@ -168,7 +169,7 @@ uint32_t hdnode_fingerprint(HDNode *node)
 	hasher_Raw(node->curve->hasher_type, node->public_key, 33, digest);
 	ripemd160(digest, 32, digest);
 	fingerprint = (digest[0] << 24) + (digest[1] << 16) + (digest[2] << 8) + digest[3];
-	explicit_bzero(digest, sizeof(digest));
+	memzero(digest, sizeof(digest));
 	return fingerprint;
 }
 
@@ -229,13 +230,13 @@ int hdnode_private_ckd(HDNode *inout, uint32_t i)
 	memcpy(inout->chain_code, I + 32, 32);
 	inout->depth++;
 	inout->child_num = i;
-	explicit_bzero(inout->public_key, sizeof(inout->public_key));
+	memzero(inout->public_key, sizeof(inout->public_key));
 
 	// making sure to wipe our memory
-	explicit_bzero(&a, sizeof(a));
-	explicit_bzero(&b, sizeof(b));
-	explicit_bzero(I, sizeof(I));
-	explicit_bzero(data, sizeof(data));
+	memzero(&a, sizeof(a));
+	memzero(&b, sizeof(b));
+	memzero(I, sizeof(I));
+	memzero(data, sizeof(data));
 	return 1;
 }
 
@@ -264,9 +265,9 @@ int hdnode_public_ckd_cp(const ecdsa_curve *curve, const curve_point *parent, co
 				}
 
 				// Wipe all stack data.
-				explicit_bzero(data, sizeof(data));
-				explicit_bzero(I, sizeof(I));
-				explicit_bzero(&c, sizeof(c));
+				memzero(data, sizeof(data));
+				memzero(I, sizeof(I));
+				memzero(&c, sizeof(c));
 				return 1;
 			}
 		}
@@ -286,15 +287,15 @@ int hdnode_public_ckd(HDNode *inout, uint32_t i)
 	if (!hdnode_public_ckd_cp(inout->curve->params, &parent, inout->chain_code, i, &child, inout->chain_code)) {
 		return 0;
 	}
-	explicit_bzero(inout->private_key, 32);
+	memzero(inout->private_key, 32);
 	inout->depth++;
 	inout->child_num = i;
 	inout->public_key[0] = 0x02 | (child.y.val[0] & 0x01);
 	bn_write_be(&child.x, inout->public_key + 1);
 
 	// Wipe all stack data.
-	explicit_bzero(&parent, sizeof(parent));
-	explicit_bzero(&child, sizeof(child));
+	memzero(&parent, sizeof(parent));
+	memzero(&child, sizeof(child));
 
 	return 1;
 }
@@ -349,7 +350,7 @@ int hdnode_private_ckd_cached(HDNode *inout, const uint32_t *i, size_t i_count,
 	if (!private_ckd_cache_root_set || memcmp(&private_ckd_cache_root, inout, sizeof(HDNode)) != 0) {
 		// clear the cache
 		private_ckd_cache_index = 0;
-		explicit_bzero(private_ckd_cache, sizeof(private_ckd_cache));
+		memzero(private_ckd_cache, sizeof(private_ckd_cache));
 		// setup new root
 		memcpy(&private_ckd_cache_root, inout, sizeof(HDNode));
 		private_ckd_cache_root_set = true;
@@ -496,7 +497,7 @@ int hdnode_nem_encrypt(const HDNode *node, const ed25519_public_key public_key,
 	aes_encrypt_ctx ctx;
 
 	int ret = aes_encrypt_key256(shared_key, &ctx);
-	explicit_bzero(shared_key, sizeof(shared_key));
+	memzero(shared_key, sizeof(shared_key));
 
 	if (ret != EXIT_SUCCESS) {
 		return 0;
@@ -523,7 +524,7 @@ int hdnode_nem_decrypt(const HDNode *node, const ed25519_public_key public_key,
 	aes_decrypt_ctx ctx;
 
 	int ret = aes_decrypt_key256(shared_key, &ctx);
-	explicit_bzero(shared_key, sizeof(shared_key));
+	memzero(shared_key, sizeof(shared_key));
 
 	if (ret != EXIT_SUCCESS) {
 		return 0;
@@ -609,7 +610,7 @@ static int hdnode_serialize(const HDNode *node, uint32_t fingerprint, uint32_t v
 		memcpy(node_data + 46, node->private_key, 32);
 	}
 	int ret = base58_encode_check(node_data, sizeof(node_data), node->curve->hasher_type, str, strsize);
-	explicit_bzero(node_data, sizeof(node_data));
+	memzero(node_data, sizeof(node_data));
 	return ret;
 }
 
@@ -634,14 +635,14 @@ int hdnode_deserialize(const char *str, uint32_t version_public, uint32_t versio
 	}
 	uint32_t version = read_be(node_data);
 	if (version == version_public) {
-		explicit_bzero(node->private_key, sizeof(node->private_key));
+		memzero(node->private_key, sizeof(node->private_key));
 		memcpy(node->public_key, node_data + 45, 33);
 	} else if (version == version_private) { // private node
 		if (node_data[45]) { // invalid data
 			return -2;
 		}
 		memcpy(node->private_key, node_data + 46, 32);
-		explicit_bzero(node->public_key, sizeof(node->public_key));
+		memzero(node->public_key, sizeof(node->public_key));
 	} else {
 		return -3; // invalid version
 	}

bip39.c

@@ -31,6 +31,7 @@
 #include "pbkdf2.h"
 #include "bip39_english.h"
 #include "options.h"
+#include "memzero.h"
 
 #if USE_BIP39_CACHE
 
@@ -53,7 +54,7 @@ const char *mnemonic_generate(int strength)
 	uint8_t data[32];
 	random_buffer(data, 32);
 	const char *r = mnemonic_from_data(data, strength / 8);
-	explicit_bzero(data, sizeof(data));
+	memzero(data, sizeof(data));
 	return r;
 }
 
@@ -65,7 +66,7 @@ const uint16_t *mnemonic_generate_indexes(int strength)
 	uint8_t data[32];
 	random_buffer(data, 32);
 	const uint16_t *r = mnemonic_from_data_indexes(data, strength / 8);
-	explicit_bzero(data, sizeof(data));
+	memzero(data, sizeof(data));
 	return r;
 }
 
@@ -99,7 +100,7 @@ const char *mnemonic_from_data(const uint8_t *data, int len)
 		*p = (i < mlen - 1) ? ' ' : 0;
 		p++;
 	}
-	explicit_bzero(bits, sizeof(bits));
+	memzero(bits, sizeof(bits));
 
 	return mnemo;
 }
@@ -130,7 +131,7 @@ const uint16_t *mnemonic_from_data_indexes(const uint8_t *data, int len)
 		}
 		mnemo[i] = idx;
 	}
-	explicit_bzero(bits, sizeof(bits));
+	memzero(bits, sizeof(bits));
 
 	return mnemo;
 }
@@ -160,7 +161,7 @@ int mnemonic_check(const char *mnemonic)
 	uint32_t j, k, ki, bi;
 	uint8_t bits[32 + 1];
 
-	explicit_bzero(bits, sizeof(bits));
+	memzero(bits, sizeof(bits));
 	i = 0; bi = 0;
 	while (mnemonic[i]) {
 		j = 0;
@@ -240,7 +241,7 @@ void mnemonic_to_seed(const char *mnemonic, const char *passphrase, uint8_t seed
 		}
 	}
 	pbkdf2_hmac_sha512_Final(&pctx, seed);
-	explicit_bzero(salt, sizeof(salt));
+	memzero(salt, sizeof(salt));
 #if USE_BIP39_CACHE
 	// store to cache
 	if (mnemoniclen < 256 && passphraselen < 64) {

blake2b.c

@@ -17,6 +17,7 @@
 
 #include "blake2b.h"
 #include "blake2_common.h"
+#include "memzero.h"
 
 typedef struct blake2b_param__
 {
@@ -159,7 +160,7 @@ int blake2b_InitKey( blake2b_state *S, size_t outlen, const void *key, size_t ke
     memset( block, 0, BLAKE2B_BLOCKBYTES );
     memcpy( block, key, keylen );
     blake2b_Update( S, block, BLAKE2B_BLOCKBYTES );
-    explicit_bzero( block, BLAKE2B_BLOCKBYTES ); /* Burn the key from stack */
+    memzero( block, BLAKE2B_BLOCKBYTES ); /* Burn the key from stack */
   }
   return 0;
 }
@@ -279,7 +280,7 @@ int blake2b_Final( blake2b_state *S, void *out, size_t outlen )
     store64( buffer + sizeof( S->h[i] ) * i, S->h[i] );
 
   memcpy( out, buffer, S->outlen );
-  explicit_bzero(buffer, sizeof(buffer));
+  memzero(buffer, sizeof(buffer));
   return 0;
 }
 

blake2s.c

@@ -17,6 +17,7 @@
 
 #include "blake2s.h"
 #include "blake2_common.h"
+#include "memzero.h"
 
 typedef struct blake2s_param__
 {
@@ -153,7 +154,7 @@ int blake2s_InitKey( blake2s_state *S, size_t outlen, const void *key, size_t ke
     memset( block, 0, BLAKE2S_BLOCKBYTES );
     memcpy( block, key, keylen );
     blake2s_Update( S, block, BLAKE2S_BLOCKBYTES );
-    explicit_bzero( block, BLAKE2S_BLOCKBYTES ); /* Burn the key from stack */
+    memzero( block, BLAKE2S_BLOCKBYTES ); /* Burn the key from stack */
   }
   return 0;
 }
@@ -271,7 +272,7 @@ int blake2s_Final( blake2s_state *S, void *out, size_t outlen )
     store32( buffer + sizeof( S->h[i] ) * i, S->h[i] );
 
   memcpy( out, buffer, outlen );
-  explicit_bzero(buffer, sizeof(buffer));
+  memzero(buffer, sizeof(buffer));
   return 0;
 }
 

ecdsa.c

@@ -37,6 +37,7 @@
 #include "base58.h"
 #include "secp256k1.h"
 #include "rfc6979.h"
+#include "memzero.h"
 
 // Set cp2 = cp1
 void point_copy(const curve_point *cp1, curve_point *cp2)
@@ -541,8 +542,8 @@ void point_multiply(const ecdsa_curve *curve, const bignum256 *k, const curve_po
 	}
 	conditional_negate(sign, &jres.z, prime);
 	jacobian_to_curve(&jres, res, prime);
-	explicit_bzero(&a, sizeof(a));
-	explicit_bzero(&jres, sizeof(jres));
+	memzero(&a, sizeof(a));
+	memzero(&jres, sizeof(jres));
 }
 
 #if USE_PRECOMPUTED_CP
@@ -629,8 +630,8 @@ void scalar_multiply(const ecdsa_curve *curve, const bignum256 *k, curve_point *
 	}
 	conditional_negate(((a.val[0] >> 4) & 1) - 1, &jres.y, prime);
 	jacobian_to_curve(&jres, res, prime);
-	explicit_bzero(&a, sizeof(a));
-	explicit_bzero(&jres, sizeof(jres));
+	memzero(&a, sizeof(a));
+	memzero(&jres, sizeof(jres));
 }
 
 #else
@@ -652,12 +653,12 @@ int ecdh_multiply(const ecdsa_curve *curve, const uint8_t *priv_key, const uint8
 	bignum256 k;
 	bn_read_be(priv_key, &k);
 	point_multiply(curve, &k, &point, &point);
-	explicit_bzero(&k, sizeof(k));
+	memzero(&k, sizeof(k));
 
 	session_key[0] = 0x04;
 	bn_write_be(&point.x, session_key + 1);
 	bn_write_be(&point.y, session_key + 33);
-	explicit_bzero(&point, sizeof(point));
+	memzero(&point, sizeof(point));
 
 	return 0;
 }
@@ -684,8 +685,8 @@ void init_rfc6979(const uint8_t *priv_key, const uint8_t *hash, rfc6979_state *s
 	hmac_sha256(state->k, sizeof(state->k), buf, sizeof(buf), state->k);
 	hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v);
 
-	explicit_bzero(bx, sizeof(bx));
-	explicit_bzero(buf, sizeof(buf));
+	memzero(bx, sizeof(bx));
+	memzero(buf, sizeof(buf));
 }
 
 // generate next number from deterministic random number generator
@@ -699,7 +700,7 @@ void generate_rfc6979(uint8_t rnd[32], rfc6979_state *state)
 	hmac_sha256(state->k, sizeof(state->k), buf, sizeof(state->v) + 1, state->k);
 	hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v);
 	memcpy(rnd, buf, 32);
-	explicit_bzero(buf, sizeof(buf));
+	memzero(buf, sizeof(buf));
 }
 
 // generate K in a deterministic way, according to RFC6979
@@ -709,7 +710,7 @@ void generate_k_rfc6979(bignum256 *k, rfc6979_state *state)
 	uint8_t buf[32];
 	generate_rfc6979(buf, state);
 	bn_read_be(buf, k);
-	explicit_bzero(buf, sizeof(buf));
+	memzero(buf, sizeof(buf));
 }
 
 // msg is a data to be signed
@@ -719,7 +720,7 @@ int ecdsa_sign(const ecdsa_curve *curve, HasherType hasher_type, const uint8_t *
 	uint8_t hash[32];
 	hasher_Raw(hasher_type, msg, msg_len, hash);
 	int res = ecdsa_sign_digest(curve, priv_key, hash, sig, pby, is_canonical);
-	explicit_bzero(hash, sizeof(hash));
+	memzero(hash, sizeof(hash));
 	return res;
 
 }
@@ -732,7 +733,7 @@ int ecdsa_sign_double(const ecdsa_curve *curve, HasherType hasher_type, const ui
 	hasher_Raw(hasher_type, msg, msg_len, hash);
 	hasher_Raw(hasher_type, hash, 32, hash);
 	int res = ecdsa_sign_digest(curve, priv_key, hash, sig, pby, is_canonical);
-	explicit_bzero(hash, sizeof(hash));
+	memzero(hash, sizeof(hash));
 	return res;
 }
 
@@ -817,20 +818,20 @@ int ecdsa_sign_digest(const ecdsa_curve *curve, const uint8_t *priv_key, const u
 			*pby = by;
 		}
 
-		explicit_bzero(&k, sizeof(k));
-		explicit_bzero(&randk, sizeof(randk));
+		memzero(&k, sizeof(k));
+		memzero(&randk, sizeof(randk));
 #if USE_RFC6979
-		explicit_bzero(&rng, sizeof(rng));
+		memzero(&rng, sizeof(rng));
 #endif
 		return 0;
 	}
 
 	// Too many retries without a valid signature
 	// -> fail with an error
-	explicit_bzero(&k, sizeof(k));
-	explicit_bzero(&randk, sizeof(randk));
+	memzero(&k, sizeof(k));
+	memzero(&randk, sizeof(randk));
 #if USE_RFC6979
-	explicit_bzero(&rng, sizeof(rng));
+	memzero(&rng, sizeof(rng));
 #endif
 	return -1;
 }
@@ -845,8 +846,8 @@ void ecdsa_get_public_key33(const ecdsa_curve *curve, const uint8_t *priv_key, u
 	scalar_multiply(curve, &k, &R);
 	pub_key[0] = 0x02 | (R.y.val[0] & 0x01);
 	bn_write_be(&R.x, pub_key + 1);
-	explicit_bzero(&R, sizeof(R));
-	explicit_bzero(&k, sizeof(k));
+	memzero(&R, sizeof(R));
+	memzero(&k, sizeof(k));
 }
 
 void ecdsa_get_public_key65(const ecdsa_curve *curve, const uint8_t *priv_key, uint8_t *pub_key)
@@ -860,8 +861,8 @@ void ecdsa_get_public_key65(const ecdsa_curve *curve, const uint8_t *priv_key, u
 	pub_key[0] = 0x04;
 	bn_write_be(&R.x, pub_key + 1);
 	bn_write_be(&R.y, pub_key + 33);
-	explicit_bzero(&R, sizeof(R));
-	explicit_bzero(&k, sizeof(k));
+	memzero(&R, sizeof(R));
+	memzero(&k, sizeof(k));
 }
 
 int ecdsa_uncompress_pubkey(const ecdsa_curve *curve, const uint8_t *pub_key, uint8_t *uncompressed)
@@ -890,7 +891,7 @@ void ecdsa_get_pubkeyhash(const uint8_t *pub_key, HasherType hasher_type, uint8_
 		hasher_Raw(hasher_type, pub_key, 33, h);
 	}
 	ripemd160(h, HASHER_DIGEST_LENGTH, pubkeyhash);
-	explicit_bzero(h, sizeof(h));
+	memzero(h, sizeof(h));
 }
 
 void ecdsa_get_address_raw(const uint8_t *pub_key, uint32_t version, HasherType hasher_type, uint8_t *addr_raw)
@@ -907,7 +908,7 @@ void ecdsa_get_address(const uint8_t *pub_key, uint32_t version, HasherType hash
 	ecdsa_get_address_raw(pub_key, version, hasher_type, raw);
 	base58_encode_check(raw, 20 + prefix_len, hasher_type, addr, addrsize);
 	// not as important to clear this one, but we might as well
-	explicit_bzero(raw, sizeof(raw));
+	memzero(raw, sizeof(raw));
 }
 
 void ecdsa_get_address_segwit_p2sh_raw(const uint8_t *pub_key, uint32_t version, HasherType hasher_type, uint8_t *addr_raw)
@@ -928,7 +929,7 @@ void ecdsa_get_address_segwit_p2sh(const uint8_t *pub_key, uint32_t version, Has
 	size_t prefix_len = address_prefix_bytes_len(version);
 	ecdsa_get_address_segwit_p2sh_raw(pub_key, version, hasher_type, raw);
 	base58_encode_check(raw, prefix_len + 20, hasher_type, addr, addrsize);
-	explicit_bzero(raw, sizeof(raw));
+	memzero(raw, sizeof(raw));
 }
 
 void ecdsa_get_wif(const uint8_t *priv_key, uint32_t version, HasherType hasher_type, char *wif, int wifsize)
@@ -940,7 +941,7 @@ void ecdsa_get_wif(const uint8_t *priv_key, uint32_t version, HasherType hasher_
 	wif_raw[prefix_len + 32] = 0x01;
 	base58_encode_check(wif_raw, prefix_len + 32 + 1, hasher_type, wif, wifsize);
 	// private keys running around our stack can cause trouble
-	explicit_bzero(wif_raw, sizeof(wif_raw));
+	memzero(wif_raw, sizeof(wif_raw));
 }
 
 int ecdsa_address_decode(const char *addr, uint32_t version, HasherType hasher_type, uint8_t *out)
@@ -1033,7 +1034,7 @@ int ecdsa_verify(const ecdsa_curve *curve, HasherType hasher_type, const uint8_t
 	uint8_t hash[32];
 	hasher_Raw(hasher_type, msg, msg_len, hash);
 	int res = ecdsa_verify_digest(curve, pub_key, sig, hash);
-	explicit_bzero(hash, sizeof(hash));
+	memzero(hash, sizeof(hash));
 	return res;
 }
 
@@ -1043,7 +1044,7 @@ int ecdsa_verify_double(const ecdsa_curve *curve, HasherType hasher_type, const
 	hasher_Raw(hasher_type, msg, msg_len, hash);
 	hasher_Raw(hasher_type, hash, 32, hash);
 	int res = ecdsa_verify_digest(curve, pub_key, sig, hash);
-	explicit_bzero(hash, sizeof(hash));
+	memzero(hash, sizeof(hash));
 	return res;
 }
 
@@ -1142,11 +1143,11 @@ int ecdsa_verify_digest(const ecdsa_curve *curve, const uint8_t *pub_key, const
 		}
 	}
 
-	explicit_bzero(&pub, sizeof(pub));
-	explicit_bzero(&res, sizeof(res));
-	explicit_bzero(&r, sizeof(r));
-	explicit_bzero(&s, sizeof(s));
-	explicit_bzero(&z, sizeof(z));
+	memzero(&pub, sizeof(pub));
+	memzero(&res, sizeof(res));
+	memzero(&r, sizeof(r));
+	memzero(&s, sizeof(s));
+	memzero(&z, sizeof(z));
 
 	// all OK
 	return result;

hmac.c

@@ -25,6 +25,7 @@
 
 #include "hmac.h"
 #include "options.h"
+#include "memzero.h"
 
 void hmac_sha256_Init(HMAC_SHA256_CTX *hctx, const uint8_t *key, const uint32_t keylen)
 {
@@ -41,7 +42,7 @@ void hmac_sha256_Init(HMAC_SHA256_CTX *hctx, const uint8_t *key, const uint32_t
 	}
 	sha256_Init(&(hctx->ctx));
 	sha256_Update(&(hctx->ctx), i_key_pad, SHA256_BLOCK_LENGTH);
-	explicit_bzero(i_key_pad, sizeof(i_key_pad));
+	memzero(i_key_pad, sizeof(i_key_pad));
 }
 
 void hmac_sha256_Update(HMAC_SHA256_CTX *hctx, const uint8_t *msg, const uint32_t msglen)
@@ -56,7 +57,7 @@ void hmac_sha256_Final(HMAC_SHA256_CTX *hctx, uint8_t *hmac)
 	sha256_Update(&(hctx->ctx), hctx->o_key_pad, SHA256_BLOCK_LENGTH);
 	sha256_Update(&(hctx->ctx), hmac, SHA256_DIGEST_LENGTH);
 	sha256_Final(&(hctx->ctx), hmac);
-	explicit_bzero(hctx, sizeof(HMAC_SHA256_CTX));
+	memzero(hctx, sizeof(HMAC_SHA256_CTX));
 }
 
 void hmac_sha256(const uint8_t *key, const uint32_t keylen, const uint8_t *msg, const uint32_t msglen, uint8_t *hmac)
@@ -71,7 +72,7 @@ void hmac_sha256_prepare(const uint8_t *key, const uint32_t keylen, uint32_t *op
 {
 	static CONFIDENTIAL uint32_t key_pad[SHA256_BLOCK_LENGTH/sizeof(uint32_t)];
 
-	explicit_bzero(key_pad, sizeof(key_pad));
+	memzero(key_pad, sizeof(key_pad));
 	if (keylen > SHA256_BLOCK_LENGTH) {
 		static CONFIDENTIAL SHA256_CTX context;
 		sha256_Init(&context);
@@ -98,7 +99,7 @@ void hmac_sha256_prepare(const uint8_t *key, const uint32_t keylen, uint32_t *op
 		key_pad[i] = key_pad[i] ^ 0x5c5c5c5c ^ 0x36363636;
 	}
 	sha256_Transform(sha256_initial_hash_value, key_pad, ipad_digest);
-	explicit_bzero(key_pad, sizeof(key_pad));
+	memzero(key_pad, sizeof(key_pad));
 }
 
 void hmac_sha512_Init(HMAC_SHA512_CTX *hctx, const uint8_t *key, const uint32_t keylen)
@@ -116,7 +117,7 @@ void hmac_sha512_Init(HMAC_SHA512_CTX *hctx, const uint8_t *key, const uint32_t
 	}
 	sha512_Init(&(hctx->ctx));
 	sha512_Update(&(hctx->ctx), i_key_pad, SHA512_BLOCK_LENGTH);
-	explicit_bzero(i_key_pad, sizeof(i_key_pad));
+	memzero(i_key_pad, sizeof(i_key_pad));
 }
 
 void hmac_sha512_Update(HMAC_SHA512_CTX *hctx, const uint8_t *msg, const uint32_t msglen)
@@ -131,7 +132,7 @@ void hmac_sha512_Final(HMAC_SHA512_CTX *hctx, uint8_t *hmac)
 	sha512_Update(&(hctx->ctx), hctx->o_key_pad, SHA512_BLOCK_LENGTH);
 	sha512_Update(&(hctx->ctx), hmac, SHA512_DIGEST_LENGTH);
 	sha512_Final(&(hctx->ctx), hmac);
-	explicit_bzero(hctx, sizeof(HMAC_SHA512_CTX));
+	memzero(hctx, sizeof(HMAC_SHA512_CTX));
 }
 
 void hmac_sha512(const uint8_t *key, const uint32_t keylen, const uint8_t *msg, const uint32_t msglen, uint8_t *hmac)
@@ -146,7 +147,7 @@ void hmac_sha512_prepare(const uint8_t *key, const uint32_t keylen, uint64_t *op
 {
 	static CONFIDENTIAL uint64_t key_pad[SHA512_BLOCK_LENGTH/sizeof(uint64_t)];
 
-	explicit_bzero(key_pad, sizeof(key_pad));
+	memzero(key_pad, sizeof(key_pad));
 	if (keylen > SHA512_BLOCK_LENGTH) {
 		static CONFIDENTIAL SHA512_CTX context;
 		sha512_Init(&context);
@@ -173,5 +174,5 @@ void hmac_sha512_prepare(const uint8_t *key, const uint32_t keylen, uint64_t *op
 		key_pad[i] = key_pad[i] ^ 0x5c5c5c5c5c5c5c5c ^ 0x3636363636363636;
 	}
 	sha512_Transform(sha512_initial_hash_value, key_pad, ipad_digest);
-	explicit_bzero(key_pad, sizeof(key_pad));
+	memzero(key_pad, sizeof(key_pad));
 }

memzero.c

@@ -0,0 +1,6 @@
+#include <string.h>
+
+void memzero(void *s, size_t n)
+{
+	memset(s, 0, n);
+}

memzero.h

@@ -0,0 +1,8 @@
+#ifndef __MEMZERO_H__
+#define __MEMZERO_H__
+
+#include <stddef.h>
+
+void memzero(void *s, size_t n);
+
+#endif

nem.c

@@ -28,6 +28,7 @@
 #include "ed25519-donna/ed25519-keccak.h"
 #include "ripemd160.h"
 #include "sha3.h"
+#include "memzero.h"
 
 const char *nem_network_name(uint8_t network) {
 	switch (network) {
@@ -111,7 +112,7 @@ void nem_get_address_raw(const ed25519_public_key public_key, uint8_t version, u
 	/* 5.  Concatenate output of step 3 and the checksum from step 4 */
 	memcpy(&address[1 + RIPEMD160_DIGEST_LENGTH], hash, 4);
 
-	explicit_bzero(hash, sizeof(hash));
+	memzero(hash, sizeof(hash));
 }
 
 bool nem_get_address(const ed25519_public_key public_key, uint8_t version, char *address) {
@@ -121,7 +122,7 @@ bool nem_get_address(const ed25519_public_key public_key, uint8_t version, char
 
 	char *ret = base32_encode(pubkeyhash, sizeof(pubkeyhash), address, NEM_ADDRESS_SIZE + 1, BASE32_ALPHABET_RFC4648);
 
-	explicit_bzero(pubkeyhash, sizeof(pubkeyhash));
+	memzero(pubkeyhash, sizeof(pubkeyhash));
 	return (ret != NULL);
 }
 
@@ -135,7 +136,7 @@ bool nem_validate_address_raw(const uint8_t *address, uint8_t network) {
 	keccak_256(address, 1 + RIPEMD160_DIGEST_LENGTH, hash);
 	bool valid = (memcmp(&address[1 + RIPEMD160_DIGEST_LENGTH], hash, 4) == 0);
 
-	explicit_bzero(hash, sizeof(hash));
+	memzero(hash, sizeof(hash));
 	return valid;
 }
 
@@ -149,7 +150,7 @@ bool nem_validate_address(const char *address, uint8_t network) {
 	uint8_t *ret = base32_decode(address, NEM_ADDRESS_SIZE, pubkeyhash, sizeof(pubkeyhash), BASE32_ALPHABET_RFC4648);
 	bool valid = (ret != NULL) && nem_validate_address_raw(pubkeyhash, network);
 
-	explicit_bzero(pubkeyhash, sizeof(pubkeyhash));
+	memzero(pubkeyhash, sizeof(pubkeyhash));
 	return valid;
 }
 

pbkdf2.c

@@ -25,6 +25,7 @@
 #include "pbkdf2.h"
 #include "hmac.h"
 #include "sha2.h"
+#include "memzero.h"
 
 void pbkdf2_hmac_sha256_Init(PBKDF2_HMAC_SHA256_CTX *pctx, const uint8_t *pass, int passlen, const uint8_t *salt, int saltlen)
 {
@@ -74,7 +75,7 @@ void pbkdf2_hmac_sha256_Final(PBKDF2_HMAC_SHA256_CTX *pctx, uint8_t *key)
 	}
 #endif
 	memcpy(key, pctx->f, SHA256_DIGEST_LENGTH);
-	explicit_bzero(pctx, sizeof(PBKDF2_HMAC_SHA256_CTX));
+	memzero(pctx, sizeof(PBKDF2_HMAC_SHA256_CTX));
 }
 
 void pbkdf2_hmac_sha256(const uint8_t *pass, int passlen, const uint8_t *salt, int saltlen, uint32_t iterations, uint8_t *key)
@@ -134,7 +135,7 @@ void pbkdf2_hmac_sha512_Final(PBKDF2_HMAC_SHA512_CTX *pctx, uint8_t *key)
 	}
 #endif
 	memcpy(key, pctx->f, SHA512_DIGEST_LENGTH);
-	explicit_bzero(pctx, sizeof(PBKDF2_HMAC_SHA512_CTX));
+	memzero(pctx, sizeof(PBKDF2_HMAC_SHA512_CTX));
 }
 
 void pbkdf2_hmac_sha512(const uint8_t *pass, int passlen, const uint8_t *salt, int saltlen, uint32_t iterations, uint8_t *key)

rfc6979.c

@@ -25,6 +25,7 @@
 #include <string.h>
 #include "rfc6979.h"
 #include "hmac.h"
+#include "memzero.h"
 
 void init_rfc6979(const uint8_t *priv_key, const uint8_t *hash, rfc6979_state *state) {
 	uint8_t bx[2*32];
@@ -48,8 +49,8 @@ void init_rfc6979(const uint8_t *priv_key, const uint8_t *hash, rfc6979_state *s
 	hmac_sha256(state->k, sizeof(state->k), buf, sizeof(buf), state->k);
 	hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v);
 
-	explicit_bzero(bx, sizeof(bx));
-	explicit_bzero(buf, sizeof(buf));
+	memzero(bx, sizeof(bx));
+	memzero(buf, sizeof(buf));
 }
 
 // generate next number from deterministic random number generator
@@ -63,7 +64,7 @@ void generate_rfc6979(uint8_t rnd[32], rfc6979_state *state)
 	hmac_sha256(state->k, sizeof(state->k), buf, sizeof(state->v) + 1, state->k);
 	hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v);
 	memcpy(rnd, buf, 32);
-	explicit_bzero(buf, sizeof(buf));
+	memzero(buf, sizeof(buf));
 }
 
 // generate K in a deterministic way, according to RFC6979
@@ -73,5 +74,5 @@ void generate_k_rfc6979(bignum256 *k, rfc6979_state *state)
 	uint8_t buf[32];
 	generate_rfc6979(buf, state);
 	bn_read_be(buf, k);
-	explicit_bzero(buf, sizeof(buf));
+	memzero(buf, sizeof(buf));
 }

ripemd160.c

@@ -28,6 +28,7 @@
 #include <string.h>
 
 #include "ripemd160.h"
+#include "memzero.h"
 
 /*
  * 32-bit integer manipulation macros (little endian)
@@ -327,7 +328,7 @@ void ripemd160_Final( RIPEMD160_CTX *ctx, uint8_t output[RIPEMD160_DIGEST_LENGTH
     PUT_UINT32_LE( ctx->state[3], output, 12 );
     PUT_UINT32_LE( ctx->state[4], output, 16 );
 
-    explicit_bzero(ctx, sizeof(RIPEMD160_CTX));
+    memzero(ctx, sizeof(RIPEMD160_CTX));
 }
 
 /*

sha2.c

@@ -31,6 +31,7 @@
 #include <string.h>
 #include <stdint.h>
 #include "sha2.h"
+#include "memzero.h"
 
 /*
  * ASSERT NOTE:
@@ -281,7 +282,7 @@ static const char *sha2_hex_digits = "0123456789abcdef";
 /*** SHA-1: ***********************************************************/
 void sha1_Init(SHA1_CTX* context) {
 	MEMCPY_BCOPY(context->state, sha1_initial_hash_value, SHA1_DIGEST_LENGTH);
-	explicit_bzero(context->buffer, SHA1_BLOCK_LENGTH);
+	memzero(context->buffer, SHA1_BLOCK_LENGTH);
 	context->bitcount = 0;
 }
 
@@ -591,14 +592,14 @@ void sha1_Final(SHA1_CTX* context, sha2_byte digest[]) {
 		 * No digest buffer, so we can do nothing
 		 * except clean up and go home
 		 */
-		explicit_bzero(context, sizeof(SHA1_CTX));
+		memzero(context, sizeof(SHA1_CTX));
 		return;
 	}
 
 	usedspace = (context->bitcount >> 3) % SHA1_BLOCK_LENGTH;
 	if (usedspace == 0) {
 		/* Set-up for the last transform: */
-		explicit_bzero(context->buffer, SHA1_SHORT_BLOCK_LENGTH);
+		memzero(context->buffer, SHA1_SHORT_BLOCK_LENGTH);
 
 		/* Begin padding with a 1 bit: */
 		*context->buffer = 0x80;
@@ -608,16 +609,16 @@ void sha1_Final(SHA1_CTX* context, sha2_byte digest[]) {
 
 		if (usedspace <= 56) {
 			/* Set-up for the last transform: */
-			explicit_bzero(((uint8_t*)context->buffer) + usedspace, 56 - usedspace);
+			memzero(((uint8_t*)context->buffer) + usedspace, 56 - usedspace);
 		} else {
 			if (usedspace < 64) {
-				explicit_bzero(((uint8_t*)context->buffer) + usedspace, 64 - usedspace);
+				memzero(((uint8_t*)context->buffer) + usedspace, 64 - usedspace);
 			}
 			/* Do second-to-last transform: */
 			sha1_Transform(context->state, context->buffer, context->state);
 
 			/* And set-up for the last transform: */
-			explicit_bzero(context->buffer, 56);
+			memzero(context->buffer, 56);
 		}
 		/* Clean up: */
 		usedspace = 0;
@@ -648,7 +649,7 @@ void sha1_Final(SHA1_CTX* context, sha2_byte digest[]) {
 #endif
 
 	/* Clean up: */
-	explicit_bzero(context, sizeof(SHA1_CTX));
+	memzero(context, sizeof(SHA1_CTX));
 }
 
 char *sha1_End(SHA1_CTX* context, char buffer[]) {
@@ -665,9 +666,9 @@ char *sha1_End(SHA1_CTX* context, char buffer[]) {
 		}
 		*buffer = (char)0;
 	} else {
-		explicit_bzero(context, sizeof(SHA1_CTX));
+		memzero(context, sizeof(SHA1_CTX));
 	}
-	explicit_bzero(digest, SHA1_DIGEST_LENGTH);
+	memzero(digest, SHA1_DIGEST_LENGTH);
 	return buffer;
 }
 
@@ -692,7 +693,7 @@ void sha256_Init(SHA256_CTX* context) {
 		return;
 	}
 	MEMCPY_BCOPY(context->state, sha256_initial_hash_value, SHA256_DIGEST_LENGTH);
-	explicit_bzero(context->buffer, SHA256_BLOCK_LENGTH);
+	memzero(context->buffer, SHA256_BLOCK_LENGTH);
 	context->bitcount = 0;
 }
 
@@ -929,7 +930,7 @@ void sha256_Final(SHA256_CTX* context, sha2_byte digest[]) {
 		((uint8_t*)context->buffer)[usedspace++] = 0x80;
 		
 		if (usedspace > SHA256_SHORT_BLOCK_LENGTH) {
-			explicit_bzero(((uint8_t*)context->buffer) + usedspace, SHA256_BLOCK_LENGTH - usedspace);
+			memzero(((uint8_t*)context->buffer) + usedspace, SHA256_BLOCK_LENGTH - usedspace);
 
 #if BYTE_ORDER == LITTLE_ENDIAN
 			/* Convert TO host byte order */
@@ -944,7 +945,7 @@ void sha256_Final(SHA256_CTX* context, sha2_byte digest[]) {
 			usedspace = 0;
 		}
 		/* Set-up for the last transform: */
-		explicit_bzero(((uint8_t*)context->buffer) + usedspace, SHA256_SHORT_BLOCK_LENGTH - usedspace);
+		memzero(((uint8_t*)context->buffer) + usedspace, SHA256_SHORT_BLOCK_LENGTH - usedspace);
 
 #if BYTE_ORDER == LITTLE_ENDIAN
 		/* Convert TO host byte order */
@@ -969,7 +970,7 @@ void sha256_Final(SHA256_CTX* context, sha2_byte digest[]) {
 	}
 
 	/* Clean up state data: */
-	explicit_bzero(context, sizeof(SHA256_CTX));
+	memzero(context, sizeof(SHA256_CTX));
 	usedspace = 0;
 }
 
@@ -987,9 +988,9 @@ char *sha256_End(SHA256_CTX* context, char buffer[]) {
 		}
 		*buffer = (char)0;
 	} else {
-		explicit_bzero(context, sizeof(SHA256_CTX));
+		memzero(context, sizeof(SHA256_CTX));
 	}
-	explicit_bzero(digest, SHA256_DIGEST_LENGTH);
+	memzero(digest, SHA256_DIGEST_LENGTH);
 	return buffer;
 }
 
@@ -1015,7 +1016,7 @@ void sha512_Init(SHA512_CTX* context) {
 		return;
 	}
 	MEMCPY_BCOPY(context->state, sha512_initial_hash_value, SHA512_DIGEST_LENGTH);
-	explicit_bzero(context->buffer, SHA512_BLOCK_LENGTH);
+	memzero(context->buffer, SHA512_BLOCK_LENGTH);
 	context->bitcount[0] = context->bitcount[1] =  0;
 }
 
@@ -1232,7 +1233,7 @@ static void sha512_Last(SHA512_CTX* context) {
 	((uint8_t*)context->buffer)[usedspace++] = 0x80;
 	
 	if (usedspace > SHA512_SHORT_BLOCK_LENGTH) {
-		explicit_bzero(((uint8_t*)context->buffer) + usedspace, SHA512_BLOCK_LENGTH - usedspace);
+		memzero(((uint8_t*)context->buffer) + usedspace, SHA512_BLOCK_LENGTH - usedspace);
 
 #if BYTE_ORDER == LITTLE_ENDIAN
 		/* Convert TO host byte order */
@@ -1247,7 +1248,7 @@ static void sha512_Last(SHA512_CTX* context) {
 		usedspace = 0;
 	}
 	/* Set-up for the last transform: */
-	explicit_bzero(((uint8_t*)context->buffer) + usedspace, SHA512_SHORT_BLOCK_LENGTH - usedspace);
+	memzero(((uint8_t*)context->buffer) + usedspace, SHA512_SHORT_BLOCK_LENGTH - usedspace);
 
 #if BYTE_ORDER == LITTLE_ENDIAN
 	/* Convert TO host byte order */
@@ -1279,7 +1280,7 @@ void sha512_Final(SHA512_CTX* context, sha2_byte digest[]) {
 	}
 
 	/* Zero out state data */
-	explicit_bzero(context, sizeof(SHA512_CTX));
+	memzero(context, sizeof(SHA512_CTX));
 }
 
 char *sha512_End(SHA512_CTX* context, char buffer[]) {
@@ -1296,9 +1297,9 @@ char *sha512_End(SHA512_CTX* context, char buffer[]) {
 		}
 		*buffer = (char)0;
 	} else {
-		explicit_bzero(context, sizeof(SHA512_CTX));
+		memzero(context, sizeof(SHA512_CTX));
 	}
-	explicit_bzero(digest, SHA512_DIGEST_LENGTH);
+	memzero(digest, SHA512_DIGEST_LENGTH);
 	return buffer;
 }
 

sha3.c

@@ -21,6 +21,7 @@
 #include <string.h>
 
 #include "sha3.h"
+#include "memzero.h"
 
 #define I64(x) x##LL
 #define ROTL64(qword, n) ((qword) << (n) ^ ((qword) >> (64 - (n))))
@@ -330,7 +331,7 @@ void sha3_Final(SHA3_CTX *ctx, unsigned char* result)
 
 	assert(block_size > digest_length);
 	if (result) me64_to_le_str(result, ctx->hash, digest_length);
-	explicit_bzero(ctx, sizeof(SHA3_CTX));
+	memzero(ctx, sizeof(SHA3_CTX));
 }
 
 #if USE_KECCAK
@@ -359,7 +360,7 @@ void keccak_Final(SHA3_CTX *ctx, unsigned char* result)
 
 	assert(block_size > digest_length);
 	if (result) me64_to_le_str(result, ctx->hash, digest_length);
-	explicit_bzero(ctx, sizeof(SHA3_CTX));
+	memzero(ctx, sizeof(SHA3_CTX));
 }
 
 void keccak_256(const unsigned char* data, size_t len, unsigned char* digest)