introduce and use memzero instead of explicit_bzero

6 years ago · bb4c3d0525
parent b7f73ee3ff
commit bb4c3d0525
17 changed files with 146 additions and 117 deletions
--- a/1
+++ b/1
@ -50,6 +50,7 @@ SRCS  += chacha20poly1305/chacha20poly1305.c chacha20poly1305/chacha_merged.c ch
 SRCS  += rc4.c
 SRCS  += nem.c
 SRCS  += segwit_addr.c
+SRCS  += memzero.c

 OBJS   = $(SRCS:.c=.o)

--- a/base58.c
+++ b/base58.c
@ -27,6 +27,7 @@
 #include "base58.h"
 #include "sha2.h"
 #include "ripemd160.h"
+#include "memzero.h"

 static const int8_t b58digits_map[] = {
 	-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,
@ -199,7 +200,7 @@ int base58_encode_check(const uint8_t *data, int datalen, HasherType hasher_type
 	hasher_Raw(hasher_type, hash, 32, hash);
 	size_t res = strsize;
 	bool success = b58enc(str, &res, buf, datalen + 4);
-	explicit_bzero(buf, sizeof(buf));
+	memzero(buf, sizeof(buf));
 	return success ? res : 0;
 }

@ -253,7 +254,7 @@ int base58gph_encode_check(const uint8_t *data, int datalen, char *str, int strs
 	ripemd160(data, datalen, hash);  // No double SHA256, but a single RIPEMD160
 	size_t res = strsize;
 	bool success = b58enc(str, &res, buf, datalen + 4);
-	explicit_bzero(buf, sizeof(buf));
+	memzero(buf, sizeof(buf));
 	return success ? res : 0;
 }

--- a/bignum.c
+++ b/bignum.c
@ -27,6 +27,7 @@
 #include <string.h>
 #include <assert.h>
 #include "bignum.h"
+#include "memzero.h"

 /* big number library */

@ -489,7 +490,7 @@ void bn_multiply(const bignum256 *k, bignum256 *x, const bignum256 *prime)
 	uint32_t res[18] = {0};
 	bn_multiply_long(k, x, res);
 	bn_multiply_reduce(x, res, prime); 
-	explicit_bzero(res, sizeof(res));
+	memzero(res, sizeof(res));
 }

 // partly reduce x modulo prime
@ -551,8 +552,8 @@ void bn_sqrt(bignum256 *x, const bignum256 *prime)
 	}
 	bn_mod(&res, prime);
 	memcpy(x, &res, sizeof(bignum256));
-	explicit_bzero(&res, sizeof(res));
-	explicit_bzero(&p, sizeof(p));
+	memzero(&res, sizeof(res));
+	memzero(&p, sizeof(p));
 }

 #if ! USE_INVERSE_FAST
@ -860,9 +861,9 @@ void bn_inverse(bignum256 *x, const bignum256 *prime)
 	x->val[i] = temp32;

 	// let's wipe all temp buffers
-	explicit_bzero(pp, sizeof(pp));
-	explicit_bzero(&us, sizeof(us));
-	explicit_bzero(&vr, sizeof(vr));
+	memzero(pp, sizeof(pp));
+	memzero(&us, sizeof(us));
+	memzero(&vr, sizeof(vr));
 }
 #endif

--- a/bip32.c
+++ b/bip32.c
@ -46,6 +46,7 @@
 #if USE_NEM
 #include "nem.h"
 #endif
+#include "memzero.h"

 const curve_info ed25519_info = {
 	.bip32_name = "ed25519 seed",
@ -86,7 +87,7 @@ int hdnode_from_xpub(uint32_t depth, uint32_t child_num, const uint8_t *chain_co
 	out->depth = depth;
 	out->child_num = child_num;
 	memcpy(out->chain_code, chain_code, 32);
-	explicit_bzero(out->private_key, 32);
+	memzero(out->private_key, 32);
 	memcpy(out->public_key, public_key, 33);
 	return 1;
 }
@ -107,7 +108,7 @@ int hdnode_from_xprv(uint32_t depth, uint32_t child_num, const uint8_t *chain_co
 				failed = true;
 			}
 		}
-		explicit_bzero(&a, sizeof(a));
+		memzero(&a, sizeof(a));
 	}

 	if (failed) {
@ -119,7 +120,7 @@ int hdnode_from_xprv(uint32_t depth, uint32_t child_num, const uint8_t *chain_co
 	out->child_num = child_num;
 	memcpy(out->chain_code, chain_code, 32);
 	memcpy(out->private_key, private_key, 32);
-	explicit_bzero(out->public_key, sizeof(out->public_key));
+	memzero(out->public_key, sizeof(out->public_key));
 	return 1;
 }

@ -150,12 +151,12 @@ int hdnode_from_seed(const uint8_t *seed, int seed_len, const char* curve, HDNod
 			hmac_sha512_Update(&ctx, I, sizeof(I));
 			hmac_sha512_Final(&ctx, I);
 		}
-		explicit_bzero(&a, sizeof(a));
+		memzero(&a, sizeof(a));
 	}
 	memcpy(out->private_key, I, 32);
 	memcpy(out->chain_code, I + 32, 32);
-	explicit_bzero(out->public_key, sizeof(out->public_key));
-	explicit_bzero(I, sizeof(I));
+	memzero(out->public_key, sizeof(out->public_key));
+	memzero(I, sizeof(I));
 	return 1;
 }

@ -168,7 +169,7 @@ uint32_t hdnode_fingerprint(HDNode *node)
 	hasher_Raw(node->curve->hasher_type, node->public_key, 33, digest);
 	ripemd160(digest, 32, digest);
 	fingerprint = (digest[0] << 24) + (digest[1] << 16) + (digest[2] << 8) + digest[3];
-	explicit_bzero(digest, sizeof(digest));
+	memzero(digest, sizeof(digest));
 	return fingerprint;
 }

@ -229,13 +230,13 @@ int hdnode_private_ckd(HDNode *inout, uint32_t i)
 	memcpy(inout->chain_code, I + 32, 32);
 	inout->depth++;
 	inout->child_num = i;
-	explicit_bzero(inout->public_key, sizeof(inout->public_key));
+	memzero(inout->public_key, sizeof(inout->public_key));

 	// making sure to wipe our memory
-	explicit_bzero(&a, sizeof(a));
-	explicit_bzero(&b, sizeof(b));
-	explicit_bzero(I, sizeof(I));
-	explicit_bzero(data, sizeof(data));
+	memzero(&a, sizeof(a));
+	memzero(&b, sizeof(b));
+	memzero(I, sizeof(I));
+	memzero(data, sizeof(data));
 	return 1;
 }

@ -264,9 +265,9 @@ int hdnode_public_ckd_cp(const ecdsa_curve *curve, const curve_point *parent, co
 				}

 				// Wipe all stack data.
-				explicit_bzero(data, sizeof(data));
-				explicit_bzero(I, sizeof(I));
-				explicit_bzero(&c, sizeof(c));
+				memzero(data, sizeof(data));
+				memzero(I, sizeof(I));
+				memzero(&c, sizeof(c));
 				return 1;
 			}
 		}
@ -286,15 +287,15 @@ int hdnode_public_ckd(HDNode *inout, uint32_t i)
 	if (!hdnode_public_ckd_cp(inout->curve->params, &parent, inout->chain_code, i, &child, inout->chain_code)) {
 		return 0;
 	}
-	explicit_bzero(inout->private_key, 32);
+	memzero(inout->private_key, 32);
 	inout->depth++;
 	inout->child_num = i;
 	inout->public_key[0] = 0x02 | (child.y.val[0] & 0x01);
 	bn_write_be(&child.x, inout->public_key + 1);

 	// Wipe all stack data.
-	explicit_bzero(&parent, sizeof(parent));
-	explicit_bzero(&child, sizeof(child));
+	memzero(&parent, sizeof(parent));
+	memzero(&child, sizeof(child));

 	return 1;
 }
@ -349,7 +350,7 @@ int hdnode_private_ckd_cached(HDNode *inout, const uint32_t *i, size_t i_count,
 	if (!private_ckd_cache_root_set || memcmp(&private_ckd_cache_root, inout, sizeof(HDNode)) != 0) {
 		// clear the cache
 		private_ckd_cache_index = 0;
-		explicit_bzero(private_ckd_cache, sizeof(private_ckd_cache));
+		memzero(private_ckd_cache, sizeof(private_ckd_cache));
 		// setup new root
 		memcpy(&private_ckd_cache_root, inout, sizeof(HDNode));
 		private_ckd_cache_root_set = true;
@ -496,7 +497,7 @@ int hdnode_nem_encrypt(const HDNode *node, const ed25519_public_key public_key,
 	aes_encrypt_ctx ctx;

 	int ret = aes_encrypt_key256(shared_key, &ctx);
-	explicit_bzero(shared_key, sizeof(shared_key));
+	memzero(shared_key, sizeof(shared_key));

 	if (ret != EXIT_SUCCESS) {
 		return 0;
@ -523,7 +524,7 @@ int hdnode_nem_decrypt(const HDNode *node, const ed25519_public_key public_key,
 	aes_decrypt_ctx ctx;

 	int ret = aes_decrypt_key256(shared_key, &ctx);
-	explicit_bzero(shared_key, sizeof(shared_key));
+	memzero(shared_key, sizeof(shared_key));

 	if (ret != EXIT_SUCCESS) {
 		return 0;
@ -609,7 +610,7 @@ static int hdnode_serialize(const HDNode *node, uint32_t fingerprint, uint32_t v
 		memcpy(node_data + 46, node->private_key, 32);
 	}
 	int ret = base58_encode_check(node_data, sizeof(node_data), node->curve->hasher_type, str, strsize);
-	explicit_bzero(node_data, sizeof(node_data));
+	memzero(node_data, sizeof(node_data));
 	return ret;
 }

@ -634,14 +635,14 @@ int hdnode_deserialize(const char *str, uint32_t version_public, uint32_t versio
 	}
 	uint32_t version = read_be(node_data);
 	if (version == version_public) {
-		explicit_bzero(node->private_key, sizeof(node->private_key));
+		memzero(node->private_key, sizeof(node->private_key));
 		memcpy(node->public_key, node_data + 45, 33);
 	} else if (version == version_private) { // private node
 		if (node_data[45]) { // invalid data
 			return -2;
 		}
 		memcpy(node->private_key, node_data + 46, 32);
-		explicit_bzero(node->public_key, sizeof(node->public_key));
+		memzero(node->public_key, sizeof(node->public_key));
 	} else {
 		return -3; // invalid version
 	}
--- a/bip39.c
+++ b/bip39.c
@ -31,6 +31,7 @@
 #include "pbkdf2.h"
 #include "bip39_english.h"
 #include "options.h"
+#include "memzero.h"

 #if USE_BIP39_CACHE

@ -53,7 +54,7 @@ const char *mnemonic_generate(int strength)
 	uint8_t data[32];
 	random_buffer(data, 32);
 	const char *r = mnemonic_from_data(data, strength / 8);
-	explicit_bzero(data, sizeof(data));
+	memzero(data, sizeof(data));
 	return r;
 }

@ -65,7 +66,7 @@ const uint16_t *mnemonic_generate_indexes(int strength)
 	uint8_t data[32];
 	random_buffer(data, 32);
 	const uint16_t *r = mnemonic_from_data_indexes(data, strength / 8);
-	explicit_bzero(data, sizeof(data));
+	memzero(data, sizeof(data));
 	return r;
 }

@ -99,7 +100,7 @@ const char *mnemonic_from_data(const uint8_t *data, int len)
 		*p = (i < mlen - 1) ? ' ' : 0;
 		p++;
 	}
-	explicit_bzero(bits, sizeof(bits));
+	memzero(bits, sizeof(bits));

 	return mnemo;
 }
@ -130,7 +131,7 @@ const uint16_t *mnemonic_from_data_indexes(const uint8_t *data, int len)
 		}
 		mnemo[i] = idx;
 	}
-	explicit_bzero(bits, sizeof(bits));
+	memzero(bits, sizeof(bits));

 	return mnemo;
 }
@ -160,7 +161,7 @@ int mnemonic_check(const char *mnemonic)
 	uint32_t j, k, ki, bi;
 	uint8_t bits[32 + 1];

-	explicit_bzero(bits, sizeof(bits));
+	memzero(bits, sizeof(bits));
 	i = 0; bi = 0;
 	while (mnemonic[i]) {
 		j = 0;
@ -240,7 +241,7 @@ void mnemonic_to_seed(const char *mnemonic, const char *passphrase, uint8_t seed
 		}
 	}
 	pbkdf2_hmac_sha512_Final(&pctx, seed);
-	explicit_bzero(salt, sizeof(salt));
+	memzero(salt, sizeof(salt));
 #if USE_BIP39_CACHE
 	// store to cache
 	if (mnemoniclen < 256 && passphraselen < 64) {
--- a/blake2b.c
+++ b/blake2b.c
@ -17,6 +17,7 @@

 #include "blake2b.h"
 #include "blake2_common.h"
+#include "memzero.h"

 typedef struct blake2b_param__
 {
@ -159,7 +160,7 @@ int blake2b_InitKey( blake2b_state *S, size_t outlen, const void *key, size_t ke
    memset( block, 0, BLAKE2B_BLOCKBYTES );
    memcpy( block, key, keylen );
    blake2b_Update( S, block, BLAKE2B_BLOCKBYTES );
-    explicit_bzero( block, BLAKE2B_BLOCKBYTES ); /* Burn the key from stack */
+    memzero( block, BLAKE2B_BLOCKBYTES ); /* Burn the key from stack */
  }
  return 0;
 }
@ -279,7 +280,7 @@ int blake2b_Final( blake2b_state *S, void *out, size_t outlen )
    store64( buffer + sizeof( S->h[i] ) * i, S->h[i] );

  memcpy( out, buffer, S->outlen );
-  explicit_bzero(buffer, sizeof(buffer));
+  memzero(buffer, sizeof(buffer));
  return 0;
 }

--- a/blake2s.c
+++ b/blake2s.c
@ -17,6 +17,7 @@

 #include "blake2s.h"
 #include "blake2_common.h"
+#include "memzero.h"

 typedef struct blake2s_param__
 {
@ -153,7 +154,7 @@ int blake2s_InitKey( blake2s_state *S, size_t outlen, const void *key, size_t ke
    memset( block, 0, BLAKE2S_BLOCKBYTES );
    memcpy( block, key, keylen );
    blake2s_Update( S, block, BLAKE2S_BLOCKBYTES );
-    explicit_bzero( block, BLAKE2S_BLOCKBYTES ); /* Burn the key from stack */
+    memzero( block, BLAKE2S_BLOCKBYTES ); /* Burn the key from stack */
  }
  return 0;
 }
@ -271,7 +272,7 @@ int blake2s_Final( blake2s_state *S, void *out, size_t outlen )
    store32( buffer + sizeof( S->h[i] ) * i, S->h[i] );

  memcpy( out, buffer, outlen );
-  explicit_bzero(buffer, sizeof(buffer));
+  memzero(buffer, sizeof(buffer));
  return 0;
 }

--- a/ecdsa.c
+++ b/ecdsa.c
@ -37,6 +37,7 @@
 #include "base58.h"
 #include "secp256k1.h"
 #include "rfc6979.h"
+#include "memzero.h"

 // Set cp2 = cp1
 void point_copy(const curve_point *cp1, curve_point *cp2)
@ -541,8 +542,8 @@ void point_multiply(const ecdsa_curve *curve, const bignum256 *k, const curve_po
 	}
 	conditional_negate(sign, &jres.z, prime);
 	jacobian_to_curve(&jres, res, prime);
-	explicit_bzero(&a, sizeof(a));
-	explicit_bzero(&jres, sizeof(jres));
+	memzero(&a, sizeof(a));
+	memzero(&jres, sizeof(jres));
 }

 #if USE_PRECOMPUTED_CP
@ -629,8 +630,8 @@ void scalar_multiply(const ecdsa_curve *curve, const bignum256 *k, curve_point *
 	}
 	conditional_negate(((a.val[0] >> 4) & 1) - 1, &jres.y, prime);
 	jacobian_to_curve(&jres, res, prime);
-	explicit_bzero(&a, sizeof(a));
-	explicit_bzero(&jres, sizeof(jres));
+	memzero(&a, sizeof(a));
+	memzero(&jres, sizeof(jres));
 }

 #else
@ -652,12 +653,12 @@ int ecdh_multiply(const ecdsa_curve *curve, const uint8_t *priv_key, const uint8
 	bignum256 k;
 	bn_read_be(priv_key, &k);
 	point_multiply(curve, &k, &point, &point);
-	explicit_bzero(&k, sizeof(k));
+	memzero(&k, sizeof(k));

 	session_key[0] = 0x04;
 	bn_write_be(&point.x, session_key + 1);
 	bn_write_be(&point.y, session_key + 33);
-	explicit_bzero(&point, sizeof(point));
+	memzero(&point, sizeof(point));

 	return 0;
 }
@ -684,8 +685,8 @@ void init_rfc6979(const uint8_t *priv_key, const uint8_t *hash, rfc6979_state *s
 	hmac_sha256(state->k, sizeof(state->k), buf, sizeof(buf), state->k);
 	hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v);

-	explicit_bzero(bx, sizeof(bx));
-	explicit_bzero(buf, sizeof(buf));
+	memzero(bx, sizeof(bx));
+	memzero(buf, sizeof(buf));
 }

 // generate next number from deterministic random number generator
@ -699,7 +700,7 @@ void generate_rfc6979(uint8_t rnd[32], rfc6979_state *state)
 	hmac_sha256(state->k, sizeof(state->k), buf, sizeof(state->v) + 1, state->k);
 	hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v);
 	memcpy(rnd, buf, 32);
-	explicit_bzero(buf, sizeof(buf));
+	memzero(buf, sizeof(buf));
 }

 // generate K in a deterministic way, according to RFC6979
@ -709,7 +710,7 @@ void generate_k_rfc6979(bignum256 *k, rfc6979_state *state)
 	uint8_t buf[32];
 	generate_rfc6979(buf, state);
 	bn_read_be(buf, k);
-	explicit_bzero(buf, sizeof(buf));
+	memzero(buf, sizeof(buf));
 }

 // msg is a data to be signed
@ -719,7 +720,7 @@ int ecdsa_sign(const ecdsa_curve *curve, HasherType hasher_type, const uint8_t *
 	uint8_t hash[32];
 	hasher_Raw(hasher_type, msg, msg_len, hash);
 	int res = ecdsa_sign_digest(curve, priv_key, hash, sig, pby, is_canonical);
-	explicit_bzero(hash, sizeof(hash));
+	memzero(hash, sizeof(hash));
 	return res;

 }
@ -732,7 +733,7 @@ int ecdsa_sign_double(const ecdsa_curve *curve, HasherType hasher_type, const ui
 	hasher_Raw(hasher_type, msg, msg_len, hash);
 	hasher_Raw(hasher_type, hash, 32, hash);
 	int res = ecdsa_sign_digest(curve, priv_key, hash, sig, pby, is_canonical);
-	explicit_bzero(hash, sizeof(hash));
+	memzero(hash, sizeof(hash));
 	return res;
 }

@ -817,20 +818,20 @@ int ecdsa_sign_digest(const ecdsa_curve *curve, const uint8_t *priv_key, const u
 			*pby = by;
 		}

-		explicit_bzero(&k, sizeof(k));
-		explicit_bzero(&randk, sizeof(randk));
+		memzero(&k, sizeof(k));
+		memzero(&randk, sizeof(randk));
 #if USE_RFC6979
-		explicit_bzero(&rng, sizeof(rng));
+		memzero(&rng, sizeof(rng));
 #endif
 		return 0;
 	}

 	// Too many retries without a valid signature
 	// -> fail with an error
-	explicit_bzero(&k, sizeof(k));
-	explicit_bzero(&randk, sizeof(randk));
+	memzero(&k, sizeof(k));
+	memzero(&randk, sizeof(randk));
 #if USE_RFC6979
-	explicit_bzero(&rng, sizeof(rng));
+	memzero(&rng, sizeof(rng));
 #endif
 	return -1;
 }
@ -845,8 +846,8 @@ void ecdsa_get_public_key33(const ecdsa_curve *curve, const uint8_t *priv_key, u
 	scalar_multiply(curve, &k, &R);
 	pub_key[0] = 0x02 | (R.y.val[0] & 0x01);
 	bn_write_be(&R.x, pub_key + 1);
-	explicit_bzero(&R, sizeof(R));
-	explicit_bzero(&k, sizeof(k));
+	memzero(&R, sizeof(R));
+	memzero(&k, sizeof(k));
 }

 void ecdsa_get_public_key65(const ecdsa_curve *curve, const uint8_t *priv_key, uint8_t *pub_key)
@ -860,8 +861,8 @@ void ecdsa_get_public_key65(const ecdsa_curve *curve, const uint8_t *priv_key, u
 	pub_key[0] = 0x04;
 	bn_write_be(&R.x, pub_key + 1);
 	bn_write_be(&R.y, pub_key + 33);
-	explicit_bzero(&R, sizeof(R));
-	explicit_bzero(&k, sizeof(k));
+	memzero(&R, sizeof(R));
+	memzero(&k, sizeof(k));
 }

 int ecdsa_uncompress_pubkey(const ecdsa_curve *curve, const uint8_t *pub_key, uint8_t *uncompressed)
@ -890,7 +891,7 @@ void ecdsa_get_pubkeyhash(const uint8_t *pub_key, HasherType hasher_type, uint8_
 		hasher_Raw(hasher_type, pub_key, 33, h);
 	}
 	ripemd160(h, HASHER_DIGEST_LENGTH, pubkeyhash);
-	explicit_bzero(h, sizeof(h));
+	memzero(h, sizeof(h));
 }

 void ecdsa_get_address_raw(const uint8_t *pub_key, uint32_t version, HasherType hasher_type, uint8_t *addr_raw)
@ -907,7 +908,7 @@ void ecdsa_get_address(const uint8_t *pub_key, uint32_t version, HasherType hash
 	ecdsa_get_address_raw(pub_key, version, hasher_type, raw);
 	base58_encode_check(raw, 20 + prefix_len, hasher_type, addr, addrsize);
 	// not as important to clear this one, but we might as well
-	explicit_bzero(raw, sizeof(raw));
+	memzero(raw, sizeof(raw));
 }

 void ecdsa_get_address_segwit_p2sh_raw(const uint8_t *pub_key, uint32_t version, HasherType hasher_type, uint8_t *addr_raw)
@ -928,7 +929,7 @@ void ecdsa_get_address_segwit_p2sh(const uint8_t *pub_key, uint32_t version, Has
 	size_t prefix_len = address_prefix_bytes_len(version);
 	ecdsa_get_address_segwit_p2sh_raw(pub_key, version, hasher_type, raw);
 	base58_encode_check(raw, prefix_len + 20, hasher_type, addr, addrsize);
-	explicit_bzero(raw, sizeof(raw));
+	memzero(raw, sizeof(raw));
 }

 void ecdsa_get_wif(const uint8_t *priv_key, uint32_t version, HasherType hasher_type, char *wif, int wifsize)
@ -940,7 +941,7 @@ void ecdsa_get_wif(const uint8_t *priv_key, uint32_t version, HasherType hasher_
 	wif_raw[prefix_len + 32] = 0x01;
 	base58_encode_check(wif_raw, prefix_len + 32 + 1, hasher_type, wif, wifsize);
 	// private keys running around our stack can cause trouble
-	explicit_bzero(wif_raw, sizeof(wif_raw));
+	memzero(wif_raw, sizeof(wif_raw));
 }

 int ecdsa_address_decode(const char *addr, uint32_t version, HasherType hasher_type, uint8_t *out)
@ -1033,7 +1034,7 @@ int ecdsa_verify(const ecdsa_curve *curve, HasherType hasher_type, const uint8_t
 	uint8_t hash[32];
 	hasher_Raw(hasher_type, msg, msg_len, hash);
 	int res = ecdsa_verify_digest(curve, pub_key, sig, hash);
-	explicit_bzero(hash, sizeof(hash));
+	memzero(hash, sizeof(hash));
 	return res;
 }

@ -1043,7 +1044,7 @@ int ecdsa_verify_double(const ecdsa_curve *curve, HasherType hasher_type, const
 	hasher_Raw(hasher_type, msg, msg_len, hash);
 	hasher_Raw(hasher_type, hash, 32, hash);
 	int res = ecdsa_verify_digest(curve, pub_key, sig, hash);
-	explicit_bzero(hash, sizeof(hash));
+	memzero(hash, sizeof(hash));
 	return res;
 }

@ -1142,11 +1143,11 @@ int ecdsa_verify_digest(const ecdsa_curve *curve, const uint8_t *pub_key, const
 		}
 	}

-	explicit_bzero(&pub, sizeof(pub));
-	explicit_bzero(&res, sizeof(res));
-	explicit_bzero(&r, sizeof(r));
-	explicit_bzero(&s, sizeof(s));
-	explicit_bzero(&z, sizeof(z));
+	memzero(&pub, sizeof(pub));
+	memzero(&res, sizeof(res));
+	memzero(&r, sizeof(r));
+	memzero(&s, sizeof(s));
+	memzero(&z, sizeof(z));

 	// all OK
 	return result;
--- a/hmac.c
+++ b/hmac.c
@ -25,6 +25,7 @@

 #include "hmac.h"
 #include "options.h"
+#include "memzero.h"

 void hmac_sha256_Init(HMAC_SHA256_CTX *hctx, const uint8_t *key, const uint32_t keylen)
 {
@ -41,7 +42,7 @@ void hmac_sha256_Init(HMAC_SHA256_CTX *hctx, const uint8_t *key, const uint32_t
 	}
 	sha256_Init(&(hctx->ctx));
 	sha256_Update(&(hctx->ctx), i_key_pad, SHA256_BLOCK_LENGTH);
-	explicit_bzero(i_key_pad, sizeof(i_key_pad));
+	memzero(i_key_pad, sizeof(i_key_pad));
 }

 void hmac_sha256_Update(HMAC_SHA256_CTX *hctx, const uint8_t *msg, const uint32_t msglen)
@ -56,7 +57,7 @@ void hmac_sha256_Final(HMAC_SHA256_CTX *hctx, uint8_t *hmac)
 	sha256_Update(&(hctx->ctx), hctx->o_key_pad, SHA256_BLOCK_LENGTH);
 	sha256_Update(&(hctx->ctx), hmac, SHA256_DIGEST_LENGTH);
 	sha256_Final(&(hctx->ctx), hmac);
-	explicit_bzero(hctx, sizeof(HMAC_SHA256_CTX));
+	memzero(hctx, sizeof(HMAC_SHA256_CTX));
 }

 void hmac_sha256(const uint8_t *key, const uint32_t keylen, const uint8_t *msg, const uint32_t msglen, uint8_t *hmac)
@ -71,7 +72,7 @@ void hmac_sha256_prepare(const uint8_t *key, const uint32_t keylen, uint32_t *op
 {
 	static CONFIDENTIAL uint32_t key_pad[SHA256_BLOCK_LENGTH/sizeof(uint32_t)];

-	explicit_bzero(key_pad, sizeof(key_pad));
+	memzero(key_pad, sizeof(key_pad));
 	if (keylen > SHA256_BLOCK_LENGTH) {
 		static CONFIDENTIAL SHA256_CTX context;
 		sha256_Init(&context);
@ -98,7 +99,7 @@ void hmac_sha256_prepare(const uint8_t *key, const uint32_t keylen, uint32_t *op
 		key_pad[i] = key_pad[i] ^ 0x5c5c5c5c ^ 0x36363636;
 	}
 	sha256_Transform(sha256_initial_hash_value, key_pad, ipad_digest);
-	explicit_bzero(key_pad, sizeof(key_pad));
+	memzero(key_pad, sizeof(key_pad));
 }

 void hmac_sha512_Init(HMAC_SHA512_CTX *hctx, const uint8_t *key, const uint32_t keylen)
@ -116,7 +117,7 @@ void hmac_sha512_Init(HMAC_SHA512_CTX *hctx, const uint8_t *key, const uint32_t
 	}
 	sha512_Init(&(hctx->ctx));
 	sha512_Update(&(hctx->ctx), i_key_pad, SHA512_BLOCK_LENGTH);
-	explicit_bzero(i_key_pad, sizeof(i_key_pad));
+	memzero(i_key_pad, sizeof(i_key_pad));
 }

 void hmac_sha512_Update(HMAC_SHA512_CTX *hctx, const uint8_t *msg, const uint32_t msglen)
@ -131,7 +132,7 @@ void hmac_sha512_Final(HMAC_SHA512_CTX *hctx, uint8_t *hmac)
 	sha512_Update(&(hctx->ctx), hctx->o_key_pad, SHA512_BLOCK_LENGTH);
 	sha512_Update(&(hctx->ctx), hmac, SHA512_DIGEST_LENGTH);
 	sha512_Final(&(hctx->ctx), hmac);
-	explicit_bzero(hctx, sizeof(HMAC_SHA512_CTX));
+	memzero(hctx, sizeof(HMAC_SHA512_CTX));
 }

 void hmac_sha512(const uint8_t *key, const uint32_t keylen, const uint8_t *msg, const uint32_t msglen, uint8_t *hmac)
@ -146,7 +147,7 @@ void hmac_sha512_prepare(const uint8_t *key, const uint32_t keylen, uint64_t *op
 {
 	static CONFIDENTIAL uint64_t key_pad[SHA512_BLOCK_LENGTH/sizeof(uint64_t)];

-	explicit_bzero(key_pad, sizeof(key_pad));
+	memzero(key_pad, sizeof(key_pad));
 	if (keylen > SHA512_BLOCK_LENGTH) {
 		static CONFIDENTIAL SHA512_CTX context;
 		sha512_Init(&context);
@ -173,5 +174,5 @@ void hmac_sha512_prepare(const uint8_t *key, const uint32_t keylen, uint64_t *op
 		key_pad[i] = key_pad[i] ^ 0x5c5c5c5c5c5c5c5c ^ 0x3636363636363636;
 	}
 	sha512_Transform(sha512_initial_hash_value, key_pad, ipad_digest);
-	explicit_bzero(key_pad, sizeof(key_pad));
+	memzero(key_pad, sizeof(key_pad));
 }
--- a/memzero.c
+++ b/memzero.c
@ -0,0 +1,6 @@
+#include <string.h>
+
+void memzero(void *s, size_t n)
+{
+	memset(s, 0, n);
+}
--- a/memzero.h
+++ b/memzero.h
@ -0,0 +1,8 @@
+#ifndef __MEMZERO_H__
+#define __MEMZERO_H__
+
+#include <stddef.h>
+
+void memzero(void *s, size_t n);
+
+#endif
--- a/nem.c
+++ b/nem.c
@ -28,6 +28,7 @@
 #include "ed25519-donna/ed25519-keccak.h"
 #include "ripemd160.h"
 #include "sha3.h"
+#include "memzero.h"

 const char *nem_network_name(uint8_t network) {
 	switch (network) {
@ -111,7 +112,7 @@ void nem_get_address_raw(const ed25519_public_key public_key, uint8_t version, u
 	/* 5.  Concatenate output of step 3 and the checksum from step 4 */
 	memcpy(&address[1 + RIPEMD160_DIGEST_LENGTH], hash, 4);

-	explicit_bzero(hash, sizeof(hash));
+	memzero(hash, sizeof(hash));
 }

 bool nem_get_address(const ed25519_public_key public_key, uint8_t version, char *address) {
@ -121,7 +122,7 @@ bool nem_get_address(const ed25519_public_key public_key, uint8_t version, char

 	char *ret = base32_encode(pubkeyhash, sizeof(pubkeyhash), address, NEM_ADDRESS_SIZE + 1, BASE32_ALPHABET_RFC4648);

-	explicit_bzero(pubkeyhash, sizeof(pubkeyhash));
+	memzero(pubkeyhash, sizeof(pubkeyhash));
 	return (ret != NULL);
 }

@ -135,7 +136,7 @@ bool nem_validate_address_raw(const uint8_t *address, uint8_t network) {
 	keccak_256(address, 1 + RIPEMD160_DIGEST_LENGTH, hash);
 	bool valid = (memcmp(&address[1 + RIPEMD160_DIGEST_LENGTH], hash, 4) == 0);

-	explicit_bzero(hash, sizeof(hash));
+	memzero(hash, sizeof(hash));
 	return valid;
 }

@ -149,7 +150,7 @@ bool nem_validate_address(const char *address, uint8_t network) {
 	uint8_t *ret = base32_decode(address, NEM_ADDRESS_SIZE, pubkeyhash, sizeof(pubkeyhash), BASE32_ALPHABET_RFC4648);
 	bool valid = (ret != NULL) && nem_validate_address_raw(pubkeyhash, network);

-	explicit_bzero(pubkeyhash, sizeof(pubkeyhash));
+	memzero(pubkeyhash, sizeof(pubkeyhash));
 	return valid;
 }

--- a/pbkdf2.c
+++ b/pbkdf2.c
@ -25,6 +25,7 @@
 #include "pbkdf2.h"
 #include "hmac.h"
 #include "sha2.h"
+#include "memzero.h"

 void pbkdf2_hmac_sha256_Init(PBKDF2_HMAC_SHA256_CTX *pctx, const uint8_t *pass, int passlen, const uint8_t *salt, int saltlen)
 {
@ -74,7 +75,7 @@ void pbkdf2_hmac_sha256_Final(PBKDF2_HMAC_SHA256_CTX *pctx, uint8_t *key)
 	}
 #endif
 	memcpy(key, pctx->f, SHA256_DIGEST_LENGTH);
-	explicit_bzero(pctx, sizeof(PBKDF2_HMAC_SHA256_CTX));
+	memzero(pctx, sizeof(PBKDF2_HMAC_SHA256_CTX));
 }

 void pbkdf2_hmac_sha256(const uint8_t *pass, int passlen, const uint8_t *salt, int saltlen, uint32_t iterations, uint8_t *key)
@ -134,7 +135,7 @@ void pbkdf2_hmac_sha512_Final(PBKDF2_HMAC_SHA512_CTX *pctx, uint8_t *key)
 	}
 #endif
 	memcpy(key, pctx->f, SHA512_DIGEST_LENGTH);
-	explicit_bzero(pctx, sizeof(PBKDF2_HMAC_SHA512_CTX));
+	memzero(pctx, sizeof(PBKDF2_HMAC_SHA512_CTX));
 }

 void pbkdf2_hmac_sha512(const uint8_t *pass, int passlen, const uint8_t *salt, int saltlen, uint32_t iterations, uint8_t *key)
--- a/rfc6979.c
+++ b/rfc6979.c
@ -25,6 +25,7 @@
 #include <string.h>
 #include "rfc6979.h"
 #include "hmac.h"
+#include "memzero.h"

 void init_rfc6979(const uint8_t *priv_key, const uint8_t *hash, rfc6979_state *state) {
 	uint8_t bx[2*32];
@ -48,8 +49,8 @@ void init_rfc6979(const uint8_t *priv_key, const uint8_t *hash, rfc6979_state *s
 	hmac_sha256(state->k, sizeof(state->k), buf, sizeof(buf), state->k);
 	hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v);

-	explicit_bzero(bx, sizeof(bx));
-	explicit_bzero(buf, sizeof(buf));
+	memzero(bx, sizeof(bx));
+	memzero(buf, sizeof(buf));
 }

 // generate next number from deterministic random number generator
@ -63,7 +64,7 @@ void generate_rfc6979(uint8_t rnd[32], rfc6979_state *state)
 	hmac_sha256(state->k, sizeof(state->k), buf, sizeof(state->v) + 1, state->k);
 	hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v);
 	memcpy(rnd, buf, 32);
-	explicit_bzero(buf, sizeof(buf));
+	memzero(buf, sizeof(buf));
 }

 // generate K in a deterministic way, according to RFC6979
@ -73,5 +74,5 @@ void generate_k_rfc6979(bignum256 *k, rfc6979_state *state)
 	uint8_t buf[32];
 	generate_rfc6979(buf, state);
 	bn_read_be(buf, k);
-	explicit_bzero(buf, sizeof(buf));
+	memzero(buf, sizeof(buf));
 }
--- a/ripemd160.c
+++ b/ripemd160.c
@ -28,6 +28,7 @@
 #include <string.h>

 #include "ripemd160.h"
+#include "memzero.h"

 /*
 * 32-bit integer manipulation macros (little endian)
@ -327,7 +328,7 @@ void ripemd160_Final( RIPEMD160_CTX *ctx, uint8_t output[RIPEMD160_DIGEST_LENGTH
    PUT_UINT32_LE( ctx->state[3], output, 12 );
    PUT_UINT32_LE( ctx->state[4], output, 16 );

-    explicit_bzero(ctx, sizeof(RIPEMD160_CTX));
+    memzero(ctx, sizeof(RIPEMD160_CTX));
 }

 /*
--- a/sha2.c
+++ b/sha2.c
@ -31,6 +31,7 @@
 #include <string.h>
 #include <stdint.h>
 #include "sha2.h"
+#include "memzero.h"

 /*
 * ASSERT NOTE:
@ -281,7 +282,7 @@ static const char *sha2_hex_digits = "0123456789abcdef";
 /*** SHA-1: ***********************************************************/
 void sha1_Init(SHA1_CTX* context) {
 	MEMCPY_BCOPY(context->state, sha1_initial_hash_value, SHA1_DIGEST_LENGTH);
-	explicit_bzero(context->buffer, SHA1_BLOCK_LENGTH);
+	memzero(context->buffer, SHA1_BLOCK_LENGTH);
 	context->bitcount = 0;
 }

@ -591,14 +592,14 @@ void sha1_Final(SHA1_CTX* context, sha2_byte digest[]) {
 		 * No digest buffer, so we can do nothing
 		 * except clean up and go home
 		 */
-		explicit_bzero(context, sizeof(SHA1_CTX));
+		memzero(context, sizeof(SHA1_CTX));
 		return;
 	}

 	usedspace = (context->bitcount >> 3) % SHA1_BLOCK_LENGTH;
 	if (usedspace == 0) {
 		/* Set-up for the last transform: */
-		explicit_bzero(context->buffer, SHA1_SHORT_BLOCK_LENGTH);
+		memzero(context->buffer, SHA1_SHORT_BLOCK_LENGTH);

 		/* Begin padding with a 1 bit: */
 		*context->buffer = 0x80;
@ -608,16 +609,16 @@ void sha1_Final(SHA1_CTX* context, sha2_byte digest[]) {

 		if (usedspace <= 56) {
 			/* Set-up for the last transform: */
-			explicit_bzero(((uint8_t*)context->buffer) + usedspace, 56 - usedspace);
+			memzero(((uint8_t*)context->buffer) + usedspace, 56 - usedspace);
 		} else {
 			if (usedspace < 64) {
-				explicit_bzero(((uint8_t*)context->buffer) + usedspace, 64 - usedspace);
+				memzero(((uint8_t*)context->buffer) + usedspace, 64 - usedspace);
 			}
 			/* Do second-to-last transform: */
 			sha1_Transform(context->state, context->buffer, context->state);

 			/* And set-up for the last transform: */
-			explicit_bzero(context->buffer, 56);
+			memzero(context->buffer, 56);
 		}
 		/* Clean up: */
 		usedspace = 0;
@ -648,7 +649,7 @@ void sha1_Final(SHA1_CTX* context, sha2_byte digest[]) {
 #endif

 	/* Clean up: */
-	explicit_bzero(context, sizeof(SHA1_CTX));
+	memzero(context, sizeof(SHA1_CTX));
 }

 char *sha1_End(SHA1_CTX* context, char buffer[]) {
@ -665,9 +666,9 @@ char *sha1_End(SHA1_CTX* context, char buffer[]) {
 		}
 		*buffer = (char)0;
 	} else {
-		explicit_bzero(context, sizeof(SHA1_CTX));
+		memzero(context, sizeof(SHA1_CTX));
 	}
-	explicit_bzero(digest, SHA1_DIGEST_LENGTH);
+	memzero(digest, SHA1_DIGEST_LENGTH);
 	return buffer;
 }

@ -692,7 +693,7 @@ void sha256_Init(SHA256_CTX* context) {
 		return;
 	}
 	MEMCPY_BCOPY(context->state, sha256_initial_hash_value, SHA256_DIGEST_LENGTH);
-	explicit_bzero(context->buffer, SHA256_BLOCK_LENGTH);
+	memzero(context->buffer, SHA256_BLOCK_LENGTH);
 	context->bitcount = 0;
 }

@ -929,7 +930,7 @@ void sha256_Final(SHA256_CTX* context, sha2_byte digest[]) {
 		((uint8_t*)context->buffer)[usedspace++] = 0x80;
 		
 		if (usedspace > SHA256_SHORT_BLOCK_LENGTH) {
-			explicit_bzero(((uint8_t*)context->buffer) + usedspace, SHA256_BLOCK_LENGTH - usedspace);
+			memzero(((uint8_t*)context->buffer) + usedspace, SHA256_BLOCK_LENGTH - usedspace);

 #if BYTE_ORDER == LITTLE_ENDIAN
 			/* Convert TO host byte order */
@ -944,7 +945,7 @@ void sha256_Final(SHA256_CTX* context, sha2_byte digest[]) {
 			usedspace = 0;
 		}
 		/* Set-up for the last transform: */
-		explicit_bzero(((uint8_t*)context->buffer) + usedspace, SHA256_SHORT_BLOCK_LENGTH - usedspace);
+		memzero(((uint8_t*)context->buffer) + usedspace, SHA256_SHORT_BLOCK_LENGTH - usedspace);

 #if BYTE_ORDER == LITTLE_ENDIAN
 		/* Convert TO host byte order */
@ -969,7 +970,7 @@ void sha256_Final(SHA256_CTX* context, sha2_byte digest[]) {
 	}

 	/* Clean up state data: */
-	explicit_bzero(context, sizeof(SHA256_CTX));
+	memzero(context, sizeof(SHA256_CTX));
 	usedspace = 0;
 }

@ -987,9 +988,9 @@ char *sha256_End(SHA256_CTX* context, char buffer[]) {
 		}
 		*buffer = (char)0;
 	} else {
-		explicit_bzero(context, sizeof(SHA256_CTX));
+		memzero(context, sizeof(SHA256_CTX));
 	}
-	explicit_bzero(digest, SHA256_DIGEST_LENGTH);
+	memzero(digest, SHA256_DIGEST_LENGTH);
 	return buffer;
 }

@ -1015,7 +1016,7 @@ void sha512_Init(SHA512_CTX* context) {
 		return;
 	}
 	MEMCPY_BCOPY(context->state, sha512_initial_hash_value, SHA512_DIGEST_LENGTH);
-	explicit_bzero(context->buffer, SHA512_BLOCK_LENGTH);
+	memzero(context->buffer, SHA512_BLOCK_LENGTH);
 	context->bitcount[0] = context->bitcount[1] =  0;
 }

@ -1232,7 +1233,7 @@ static void sha512_Last(SHA512_CTX* context) {
 	((uint8_t*)context->buffer)[usedspace++] = 0x80;
 	
 	if (usedspace > SHA512_SHORT_BLOCK_LENGTH) {
-		explicit_bzero(((uint8_t*)context->buffer) + usedspace, SHA512_BLOCK_LENGTH - usedspace);
+		memzero(((uint8_t*)context->buffer) + usedspace, SHA512_BLOCK_LENGTH - usedspace);

 #if BYTE_ORDER == LITTLE_ENDIAN
 		/* Convert TO host byte order */
@ -1247,7 +1248,7 @@ static void sha512_Last(SHA512_CTX* context) {
 		usedspace = 0;
 	}
 	/* Set-up for the last transform: */
-	explicit_bzero(((uint8_t*)context->buffer) + usedspace, SHA512_SHORT_BLOCK_LENGTH - usedspace);
+	memzero(((uint8_t*)context->buffer) + usedspace, SHA512_SHORT_BLOCK_LENGTH - usedspace);

 #if BYTE_ORDER == LITTLE_ENDIAN
 	/* Convert TO host byte order */
@ -1279,7 +1280,7 @@ void sha512_Final(SHA512_CTX* context, sha2_byte digest[]) {
 	}

 	/* Zero out state data */
-	explicit_bzero(context, sizeof(SHA512_CTX));
+	memzero(context, sizeof(SHA512_CTX));
 }

 char *sha512_End(SHA512_CTX* context, char buffer[]) {
@ -1296,9 +1297,9 @@ char *sha512_End(SHA512_CTX* context, char buffer[]) {
 		}
 		*buffer = (char)0;
 	} else {
-		explicit_bzero(context, sizeof(SHA512_CTX));
+		memzero(context, sizeof(SHA512_CTX));
 	}
-	explicit_bzero(digest, SHA512_DIGEST_LENGTH);
+	memzero(digest, SHA512_DIGEST_LENGTH);
 	return buffer;
 }

--- a/sha3.c
+++ b/sha3.c
@ -21,6 +21,7 @@
 #include <string.h>

 #include "sha3.h"
+#include "memzero.h"

 #define I64(x) x##LL
 #define ROTL64(qword, n) ((qword) << (n) ^ ((qword) >> (64 - (n))))
@ -330,7 +331,7 @@ void sha3_Final(SHA3_CTX *ctx, unsigned char* result)

 	assert(block_size > digest_length);
 	if (result) me64_to_le_str(result, ctx->hash, digest_length);
-	explicit_bzero(ctx, sizeof(SHA3_CTX));
+	memzero(ctx, sizeof(SHA3_CTX));
 }

 #if USE_KECCAK
@ -359,7 +360,7 @@ void keccak_Final(SHA3_CTX *ctx, unsigned char* result)

 	assert(block_size > digest_length);
 	if (result) me64_to_le_str(result, ctx->hash, digest_length);
-	explicit_bzero(ctx, sizeof(SHA3_CTX));
+	memzero(ctx, sizeof(SHA3_CTX));
 }

 void keccak_256(const unsigned char* data, size_t len, unsigned char* digest)