diff --git a/Makefile b/Makefile index b1b90259c..65b77a26d 100644 --- a/Makefile +++ b/Makefile @@ -50,6 +50,7 @@ SRCS += chacha20poly1305/chacha20poly1305.c chacha20poly1305/chacha_merged.c ch SRCS += rc4.c SRCS += nem.c SRCS += segwit_addr.c +SRCS += memzero.c OBJS = $(SRCS:.c=.o) diff --git a/base58.c b/base58.c index 7ca8b013f..c3e960690 100644 --- a/base58.c +++ b/base58.c @@ -27,6 +27,7 @@ #include "base58.h" #include "sha2.h" #include "ripemd160.h" +#include "memzero.h" static const int8_t b58digits_map[] = { -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1, @@ -199,7 +200,7 @@ int base58_encode_check(const uint8_t *data, int datalen, HasherType hasher_type hasher_Raw(hasher_type, hash, 32, hash); size_t res = strsize; bool success = b58enc(str, &res, buf, datalen + 4); - explicit_bzero(buf, sizeof(buf)); + memzero(buf, sizeof(buf)); return success ? res : 0; } @@ -253,7 +254,7 @@ int base58gph_encode_check(const uint8_t *data, int datalen, char *str, int strs ripemd160(data, datalen, hash); // No double SHA256, but a single RIPEMD160 size_t res = strsize; bool success = b58enc(str, &res, buf, datalen + 4); - explicit_bzero(buf, sizeof(buf)); + memzero(buf, sizeof(buf)); return success ? res : 0; } diff --git a/bignum.c b/bignum.c index 803fd7836..27e361d67 100644 --- a/bignum.c +++ b/bignum.c @@ -27,6 +27,7 @@ #include #include #include "bignum.h" +#include "memzero.h" /* big number library */ @@ -489,7 +490,7 @@ void bn_multiply(const bignum256 *k, bignum256 *x, const bignum256 *prime) uint32_t res[18] = {0}; bn_multiply_long(k, x, res); bn_multiply_reduce(x, res, prime); - explicit_bzero(res, sizeof(res)); + memzero(res, sizeof(res)); } // partly reduce x modulo prime @@ -551,8 +552,8 @@ void bn_sqrt(bignum256 *x, const bignum256 *prime) } bn_mod(&res, prime); memcpy(x, &res, sizeof(bignum256)); - explicit_bzero(&res, sizeof(res)); - explicit_bzero(&p, sizeof(p)); + memzero(&res, sizeof(res)); + memzero(&p, sizeof(p)); } #if ! USE_INVERSE_FAST @@ -860,9 +861,9 @@ void bn_inverse(bignum256 *x, const bignum256 *prime) x->val[i] = temp32; // let's wipe all temp buffers - explicit_bzero(pp, sizeof(pp)); - explicit_bzero(&us, sizeof(us)); - explicit_bzero(&vr, sizeof(vr)); + memzero(pp, sizeof(pp)); + memzero(&us, sizeof(us)); + memzero(&vr, sizeof(vr)); } #endif diff --git a/bip32.c b/bip32.c index 1f22f193a..fbccb9717 100644 --- a/bip32.c +++ b/bip32.c @@ -46,6 +46,7 @@ #if USE_NEM #include "nem.h" #endif +#include "memzero.h" const curve_info ed25519_info = { .bip32_name = "ed25519 seed", @@ -86,7 +87,7 @@ int hdnode_from_xpub(uint32_t depth, uint32_t child_num, const uint8_t *chain_co out->depth = depth; out->child_num = child_num; memcpy(out->chain_code, chain_code, 32); - explicit_bzero(out->private_key, 32); + memzero(out->private_key, 32); memcpy(out->public_key, public_key, 33); return 1; } @@ -107,7 +108,7 @@ int hdnode_from_xprv(uint32_t depth, uint32_t child_num, const uint8_t *chain_co failed = true; } } - explicit_bzero(&a, sizeof(a)); + memzero(&a, sizeof(a)); } if (failed) { @@ -119,7 +120,7 @@ int hdnode_from_xprv(uint32_t depth, uint32_t child_num, const uint8_t *chain_co out->child_num = child_num; memcpy(out->chain_code, chain_code, 32); memcpy(out->private_key, private_key, 32); - explicit_bzero(out->public_key, sizeof(out->public_key)); + memzero(out->public_key, sizeof(out->public_key)); return 1; } @@ -150,12 +151,12 @@ int hdnode_from_seed(const uint8_t *seed, int seed_len, const char* curve, HDNod hmac_sha512_Update(&ctx, I, sizeof(I)); hmac_sha512_Final(&ctx, I); } - explicit_bzero(&a, sizeof(a)); + memzero(&a, sizeof(a)); } memcpy(out->private_key, I, 32); memcpy(out->chain_code, I + 32, 32); - explicit_bzero(out->public_key, sizeof(out->public_key)); - explicit_bzero(I, sizeof(I)); + memzero(out->public_key, sizeof(out->public_key)); + memzero(I, sizeof(I)); return 1; } @@ -168,7 +169,7 @@ uint32_t hdnode_fingerprint(HDNode *node) hasher_Raw(node->curve->hasher_type, node->public_key, 33, digest); ripemd160(digest, 32, digest); fingerprint = (digest[0] << 24) + (digest[1] << 16) + (digest[2] << 8) + digest[3]; - explicit_bzero(digest, sizeof(digest)); + memzero(digest, sizeof(digest)); return fingerprint; } @@ -229,13 +230,13 @@ int hdnode_private_ckd(HDNode *inout, uint32_t i) memcpy(inout->chain_code, I + 32, 32); inout->depth++; inout->child_num = i; - explicit_bzero(inout->public_key, sizeof(inout->public_key)); + memzero(inout->public_key, sizeof(inout->public_key)); // making sure to wipe our memory - explicit_bzero(&a, sizeof(a)); - explicit_bzero(&b, sizeof(b)); - explicit_bzero(I, sizeof(I)); - explicit_bzero(data, sizeof(data)); + memzero(&a, sizeof(a)); + memzero(&b, sizeof(b)); + memzero(I, sizeof(I)); + memzero(data, sizeof(data)); return 1; } @@ -264,9 +265,9 @@ int hdnode_public_ckd_cp(const ecdsa_curve *curve, const curve_point *parent, co } // Wipe all stack data. - explicit_bzero(data, sizeof(data)); - explicit_bzero(I, sizeof(I)); - explicit_bzero(&c, sizeof(c)); + memzero(data, sizeof(data)); + memzero(I, sizeof(I)); + memzero(&c, sizeof(c)); return 1; } } @@ -286,15 +287,15 @@ int hdnode_public_ckd(HDNode *inout, uint32_t i) if (!hdnode_public_ckd_cp(inout->curve->params, &parent, inout->chain_code, i, &child, inout->chain_code)) { return 0; } - explicit_bzero(inout->private_key, 32); + memzero(inout->private_key, 32); inout->depth++; inout->child_num = i; inout->public_key[0] = 0x02 | (child.y.val[0] & 0x01); bn_write_be(&child.x, inout->public_key + 1); // Wipe all stack data. - explicit_bzero(&parent, sizeof(parent)); - explicit_bzero(&child, sizeof(child)); + memzero(&parent, sizeof(parent)); + memzero(&child, sizeof(child)); return 1; } @@ -349,7 +350,7 @@ int hdnode_private_ckd_cached(HDNode *inout, const uint32_t *i, size_t i_count, if (!private_ckd_cache_root_set || memcmp(&private_ckd_cache_root, inout, sizeof(HDNode)) != 0) { // clear the cache private_ckd_cache_index = 0; - explicit_bzero(private_ckd_cache, sizeof(private_ckd_cache)); + memzero(private_ckd_cache, sizeof(private_ckd_cache)); // setup new root memcpy(&private_ckd_cache_root, inout, sizeof(HDNode)); private_ckd_cache_root_set = true; @@ -496,7 +497,7 @@ int hdnode_nem_encrypt(const HDNode *node, const ed25519_public_key public_key, aes_encrypt_ctx ctx; int ret = aes_encrypt_key256(shared_key, &ctx); - explicit_bzero(shared_key, sizeof(shared_key)); + memzero(shared_key, sizeof(shared_key)); if (ret != EXIT_SUCCESS) { return 0; @@ -523,7 +524,7 @@ int hdnode_nem_decrypt(const HDNode *node, const ed25519_public_key public_key, aes_decrypt_ctx ctx; int ret = aes_decrypt_key256(shared_key, &ctx); - explicit_bzero(shared_key, sizeof(shared_key)); + memzero(shared_key, sizeof(shared_key)); if (ret != EXIT_SUCCESS) { return 0; @@ -609,7 +610,7 @@ static int hdnode_serialize(const HDNode *node, uint32_t fingerprint, uint32_t v memcpy(node_data + 46, node->private_key, 32); } int ret = base58_encode_check(node_data, sizeof(node_data), node->curve->hasher_type, str, strsize); - explicit_bzero(node_data, sizeof(node_data)); + memzero(node_data, sizeof(node_data)); return ret; } @@ -634,14 +635,14 @@ int hdnode_deserialize(const char *str, uint32_t version_public, uint32_t versio } uint32_t version = read_be(node_data); if (version == version_public) { - explicit_bzero(node->private_key, sizeof(node->private_key)); + memzero(node->private_key, sizeof(node->private_key)); memcpy(node->public_key, node_data + 45, 33); } else if (version == version_private) { // private node if (node_data[45]) { // invalid data return -2; } memcpy(node->private_key, node_data + 46, 32); - explicit_bzero(node->public_key, sizeof(node->public_key)); + memzero(node->public_key, sizeof(node->public_key)); } else { return -3; // invalid version } diff --git a/bip39.c b/bip39.c index a9f43f1ec..b1bea4454 100644 --- a/bip39.c +++ b/bip39.c @@ -31,6 +31,7 @@ #include "pbkdf2.h" #include "bip39_english.h" #include "options.h" +#include "memzero.h" #if USE_BIP39_CACHE @@ -53,7 +54,7 @@ const char *mnemonic_generate(int strength) uint8_t data[32]; random_buffer(data, 32); const char *r = mnemonic_from_data(data, strength / 8); - explicit_bzero(data, sizeof(data)); + memzero(data, sizeof(data)); return r; } @@ -65,7 +66,7 @@ const uint16_t *mnemonic_generate_indexes(int strength) uint8_t data[32]; random_buffer(data, 32); const uint16_t *r = mnemonic_from_data_indexes(data, strength / 8); - explicit_bzero(data, sizeof(data)); + memzero(data, sizeof(data)); return r; } @@ -99,7 +100,7 @@ const char *mnemonic_from_data(const uint8_t *data, int len) *p = (i < mlen - 1) ? ' ' : 0; p++; } - explicit_bzero(bits, sizeof(bits)); + memzero(bits, sizeof(bits)); return mnemo; } @@ -130,7 +131,7 @@ const uint16_t *mnemonic_from_data_indexes(const uint8_t *data, int len) } mnemo[i] = idx; } - explicit_bzero(bits, sizeof(bits)); + memzero(bits, sizeof(bits)); return mnemo; } @@ -160,7 +161,7 @@ int mnemonic_check(const char *mnemonic) uint32_t j, k, ki, bi; uint8_t bits[32 + 1]; - explicit_bzero(bits, sizeof(bits)); + memzero(bits, sizeof(bits)); i = 0; bi = 0; while (mnemonic[i]) { j = 0; @@ -240,7 +241,7 @@ void mnemonic_to_seed(const char *mnemonic, const char *passphrase, uint8_t seed } } pbkdf2_hmac_sha512_Final(&pctx, seed); - explicit_bzero(salt, sizeof(salt)); + memzero(salt, sizeof(salt)); #if USE_BIP39_CACHE // store to cache if (mnemoniclen < 256 && passphraselen < 64) { diff --git a/blake2b.c b/blake2b.c index f59f41536..15df01190 100644 --- a/blake2b.c +++ b/blake2b.c @@ -17,6 +17,7 @@ #include "blake2b.h" #include "blake2_common.h" +#include "memzero.h" typedef struct blake2b_param__ { @@ -159,7 +160,7 @@ int blake2b_InitKey( blake2b_state *S, size_t outlen, const void *key, size_t ke memset( block, 0, BLAKE2B_BLOCKBYTES ); memcpy( block, key, keylen ); blake2b_Update( S, block, BLAKE2B_BLOCKBYTES ); - explicit_bzero( block, BLAKE2B_BLOCKBYTES ); /* Burn the key from stack */ + memzero( block, BLAKE2B_BLOCKBYTES ); /* Burn the key from stack */ } return 0; } @@ -279,7 +280,7 @@ int blake2b_Final( blake2b_state *S, void *out, size_t outlen ) store64( buffer + sizeof( S->h[i] ) * i, S->h[i] ); memcpy( out, buffer, S->outlen ); - explicit_bzero(buffer, sizeof(buffer)); + memzero(buffer, sizeof(buffer)); return 0; } diff --git a/blake2s.c b/blake2s.c index e64b6504d..636479b9b 100644 --- a/blake2s.c +++ b/blake2s.c @@ -17,6 +17,7 @@ #include "blake2s.h" #include "blake2_common.h" +#include "memzero.h" typedef struct blake2s_param__ { @@ -153,7 +154,7 @@ int blake2s_InitKey( blake2s_state *S, size_t outlen, const void *key, size_t ke memset( block, 0, BLAKE2S_BLOCKBYTES ); memcpy( block, key, keylen ); blake2s_Update( S, block, BLAKE2S_BLOCKBYTES ); - explicit_bzero( block, BLAKE2S_BLOCKBYTES ); /* Burn the key from stack */ + memzero( block, BLAKE2S_BLOCKBYTES ); /* Burn the key from stack */ } return 0; } @@ -271,7 +272,7 @@ int blake2s_Final( blake2s_state *S, void *out, size_t outlen ) store32( buffer + sizeof( S->h[i] ) * i, S->h[i] ); memcpy( out, buffer, outlen ); - explicit_bzero(buffer, sizeof(buffer)); + memzero(buffer, sizeof(buffer)); return 0; } diff --git a/ecdsa.c b/ecdsa.c index 2d1e5cf76..2e679a8af 100644 --- a/ecdsa.c +++ b/ecdsa.c @@ -37,6 +37,7 @@ #include "base58.h" #include "secp256k1.h" #include "rfc6979.h" +#include "memzero.h" // Set cp2 = cp1 void point_copy(const curve_point *cp1, curve_point *cp2) @@ -541,8 +542,8 @@ void point_multiply(const ecdsa_curve *curve, const bignum256 *k, const curve_po } conditional_negate(sign, &jres.z, prime); jacobian_to_curve(&jres, res, prime); - explicit_bzero(&a, sizeof(a)); - explicit_bzero(&jres, sizeof(jres)); + memzero(&a, sizeof(a)); + memzero(&jres, sizeof(jres)); } #if USE_PRECOMPUTED_CP @@ -629,8 +630,8 @@ void scalar_multiply(const ecdsa_curve *curve, const bignum256 *k, curve_point * } conditional_negate(((a.val[0] >> 4) & 1) - 1, &jres.y, prime); jacobian_to_curve(&jres, res, prime); - explicit_bzero(&a, sizeof(a)); - explicit_bzero(&jres, sizeof(jres)); + memzero(&a, sizeof(a)); + memzero(&jres, sizeof(jres)); } #else @@ -652,12 +653,12 @@ int ecdh_multiply(const ecdsa_curve *curve, const uint8_t *priv_key, const uint8 bignum256 k; bn_read_be(priv_key, &k); point_multiply(curve, &k, &point, &point); - explicit_bzero(&k, sizeof(k)); + memzero(&k, sizeof(k)); session_key[0] = 0x04; bn_write_be(&point.x, session_key + 1); bn_write_be(&point.y, session_key + 33); - explicit_bzero(&point, sizeof(point)); + memzero(&point, sizeof(point)); return 0; } @@ -684,8 +685,8 @@ void init_rfc6979(const uint8_t *priv_key, const uint8_t *hash, rfc6979_state *s hmac_sha256(state->k, sizeof(state->k), buf, sizeof(buf), state->k); hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v); - explicit_bzero(bx, sizeof(bx)); - explicit_bzero(buf, sizeof(buf)); + memzero(bx, sizeof(bx)); + memzero(buf, sizeof(buf)); } // generate next number from deterministic random number generator @@ -699,7 +700,7 @@ void generate_rfc6979(uint8_t rnd[32], rfc6979_state *state) hmac_sha256(state->k, sizeof(state->k), buf, sizeof(state->v) + 1, state->k); hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v); memcpy(rnd, buf, 32); - explicit_bzero(buf, sizeof(buf)); + memzero(buf, sizeof(buf)); } // generate K in a deterministic way, according to RFC6979 @@ -709,7 +710,7 @@ void generate_k_rfc6979(bignum256 *k, rfc6979_state *state) uint8_t buf[32]; generate_rfc6979(buf, state); bn_read_be(buf, k); - explicit_bzero(buf, sizeof(buf)); + memzero(buf, sizeof(buf)); } // msg is a data to be signed @@ -719,7 +720,7 @@ int ecdsa_sign(const ecdsa_curve *curve, HasherType hasher_type, const uint8_t * uint8_t hash[32]; hasher_Raw(hasher_type, msg, msg_len, hash); int res = ecdsa_sign_digest(curve, priv_key, hash, sig, pby, is_canonical); - explicit_bzero(hash, sizeof(hash)); + memzero(hash, sizeof(hash)); return res; } @@ -732,7 +733,7 @@ int ecdsa_sign_double(const ecdsa_curve *curve, HasherType hasher_type, const ui hasher_Raw(hasher_type, msg, msg_len, hash); hasher_Raw(hasher_type, hash, 32, hash); int res = ecdsa_sign_digest(curve, priv_key, hash, sig, pby, is_canonical); - explicit_bzero(hash, sizeof(hash)); + memzero(hash, sizeof(hash)); return res; } @@ -817,20 +818,20 @@ int ecdsa_sign_digest(const ecdsa_curve *curve, const uint8_t *priv_key, const u *pby = by; } - explicit_bzero(&k, sizeof(k)); - explicit_bzero(&randk, sizeof(randk)); + memzero(&k, sizeof(k)); + memzero(&randk, sizeof(randk)); #if USE_RFC6979 - explicit_bzero(&rng, sizeof(rng)); + memzero(&rng, sizeof(rng)); #endif return 0; } // Too many retries without a valid signature // -> fail with an error - explicit_bzero(&k, sizeof(k)); - explicit_bzero(&randk, sizeof(randk)); + memzero(&k, sizeof(k)); + memzero(&randk, sizeof(randk)); #if USE_RFC6979 - explicit_bzero(&rng, sizeof(rng)); + memzero(&rng, sizeof(rng)); #endif return -1; } @@ -845,8 +846,8 @@ void ecdsa_get_public_key33(const ecdsa_curve *curve, const uint8_t *priv_key, u scalar_multiply(curve, &k, &R); pub_key[0] = 0x02 | (R.y.val[0] & 0x01); bn_write_be(&R.x, pub_key + 1); - explicit_bzero(&R, sizeof(R)); - explicit_bzero(&k, sizeof(k)); + memzero(&R, sizeof(R)); + memzero(&k, sizeof(k)); } void ecdsa_get_public_key65(const ecdsa_curve *curve, const uint8_t *priv_key, uint8_t *pub_key) @@ -860,8 +861,8 @@ void ecdsa_get_public_key65(const ecdsa_curve *curve, const uint8_t *priv_key, u pub_key[0] = 0x04; bn_write_be(&R.x, pub_key + 1); bn_write_be(&R.y, pub_key + 33); - explicit_bzero(&R, sizeof(R)); - explicit_bzero(&k, sizeof(k)); + memzero(&R, sizeof(R)); + memzero(&k, sizeof(k)); } int ecdsa_uncompress_pubkey(const ecdsa_curve *curve, const uint8_t *pub_key, uint8_t *uncompressed) @@ -890,7 +891,7 @@ void ecdsa_get_pubkeyhash(const uint8_t *pub_key, HasherType hasher_type, uint8_ hasher_Raw(hasher_type, pub_key, 33, h); } ripemd160(h, HASHER_DIGEST_LENGTH, pubkeyhash); - explicit_bzero(h, sizeof(h)); + memzero(h, sizeof(h)); } void ecdsa_get_address_raw(const uint8_t *pub_key, uint32_t version, HasherType hasher_type, uint8_t *addr_raw) @@ -907,7 +908,7 @@ void ecdsa_get_address(const uint8_t *pub_key, uint32_t version, HasherType hash ecdsa_get_address_raw(pub_key, version, hasher_type, raw); base58_encode_check(raw, 20 + prefix_len, hasher_type, addr, addrsize); // not as important to clear this one, but we might as well - explicit_bzero(raw, sizeof(raw)); + memzero(raw, sizeof(raw)); } void ecdsa_get_address_segwit_p2sh_raw(const uint8_t *pub_key, uint32_t version, HasherType hasher_type, uint8_t *addr_raw) @@ -928,7 +929,7 @@ void ecdsa_get_address_segwit_p2sh(const uint8_t *pub_key, uint32_t version, Has size_t prefix_len = address_prefix_bytes_len(version); ecdsa_get_address_segwit_p2sh_raw(pub_key, version, hasher_type, raw); base58_encode_check(raw, prefix_len + 20, hasher_type, addr, addrsize); - explicit_bzero(raw, sizeof(raw)); + memzero(raw, sizeof(raw)); } void ecdsa_get_wif(const uint8_t *priv_key, uint32_t version, HasherType hasher_type, char *wif, int wifsize) @@ -940,7 +941,7 @@ void ecdsa_get_wif(const uint8_t *priv_key, uint32_t version, HasherType hasher_ wif_raw[prefix_len + 32] = 0x01; base58_encode_check(wif_raw, prefix_len + 32 + 1, hasher_type, wif, wifsize); // private keys running around our stack can cause trouble - explicit_bzero(wif_raw, sizeof(wif_raw)); + memzero(wif_raw, sizeof(wif_raw)); } int ecdsa_address_decode(const char *addr, uint32_t version, HasherType hasher_type, uint8_t *out) @@ -1033,7 +1034,7 @@ int ecdsa_verify(const ecdsa_curve *curve, HasherType hasher_type, const uint8_t uint8_t hash[32]; hasher_Raw(hasher_type, msg, msg_len, hash); int res = ecdsa_verify_digest(curve, pub_key, sig, hash); - explicit_bzero(hash, sizeof(hash)); + memzero(hash, sizeof(hash)); return res; } @@ -1043,7 +1044,7 @@ int ecdsa_verify_double(const ecdsa_curve *curve, HasherType hasher_type, const hasher_Raw(hasher_type, msg, msg_len, hash); hasher_Raw(hasher_type, hash, 32, hash); int res = ecdsa_verify_digest(curve, pub_key, sig, hash); - explicit_bzero(hash, sizeof(hash)); + memzero(hash, sizeof(hash)); return res; } @@ -1142,11 +1143,11 @@ int ecdsa_verify_digest(const ecdsa_curve *curve, const uint8_t *pub_key, const } } - explicit_bzero(&pub, sizeof(pub)); - explicit_bzero(&res, sizeof(res)); - explicit_bzero(&r, sizeof(r)); - explicit_bzero(&s, sizeof(s)); - explicit_bzero(&z, sizeof(z)); + memzero(&pub, sizeof(pub)); + memzero(&res, sizeof(res)); + memzero(&r, sizeof(r)); + memzero(&s, sizeof(s)); + memzero(&z, sizeof(z)); // all OK return result; diff --git a/hmac.c b/hmac.c index ff462c37f..04448c8f2 100644 --- a/hmac.c +++ b/hmac.c @@ -25,6 +25,7 @@ #include "hmac.h" #include "options.h" +#include "memzero.h" void hmac_sha256_Init(HMAC_SHA256_CTX *hctx, const uint8_t *key, const uint32_t keylen) { @@ -41,7 +42,7 @@ void hmac_sha256_Init(HMAC_SHA256_CTX *hctx, const uint8_t *key, const uint32_t } sha256_Init(&(hctx->ctx)); sha256_Update(&(hctx->ctx), i_key_pad, SHA256_BLOCK_LENGTH); - explicit_bzero(i_key_pad, sizeof(i_key_pad)); + memzero(i_key_pad, sizeof(i_key_pad)); } void hmac_sha256_Update(HMAC_SHA256_CTX *hctx, const uint8_t *msg, const uint32_t msglen) @@ -56,7 +57,7 @@ void hmac_sha256_Final(HMAC_SHA256_CTX *hctx, uint8_t *hmac) sha256_Update(&(hctx->ctx), hctx->o_key_pad, SHA256_BLOCK_LENGTH); sha256_Update(&(hctx->ctx), hmac, SHA256_DIGEST_LENGTH); sha256_Final(&(hctx->ctx), hmac); - explicit_bzero(hctx, sizeof(HMAC_SHA256_CTX)); + memzero(hctx, sizeof(HMAC_SHA256_CTX)); } void hmac_sha256(const uint8_t *key, const uint32_t keylen, const uint8_t *msg, const uint32_t msglen, uint8_t *hmac) @@ -71,7 +72,7 @@ void hmac_sha256_prepare(const uint8_t *key, const uint32_t keylen, uint32_t *op { static CONFIDENTIAL uint32_t key_pad[SHA256_BLOCK_LENGTH/sizeof(uint32_t)]; - explicit_bzero(key_pad, sizeof(key_pad)); + memzero(key_pad, sizeof(key_pad)); if (keylen > SHA256_BLOCK_LENGTH) { static CONFIDENTIAL SHA256_CTX context; sha256_Init(&context); @@ -98,7 +99,7 @@ void hmac_sha256_prepare(const uint8_t *key, const uint32_t keylen, uint32_t *op key_pad[i] = key_pad[i] ^ 0x5c5c5c5c ^ 0x36363636; } sha256_Transform(sha256_initial_hash_value, key_pad, ipad_digest); - explicit_bzero(key_pad, sizeof(key_pad)); + memzero(key_pad, sizeof(key_pad)); } void hmac_sha512_Init(HMAC_SHA512_CTX *hctx, const uint8_t *key, const uint32_t keylen) @@ -116,7 +117,7 @@ void hmac_sha512_Init(HMAC_SHA512_CTX *hctx, const uint8_t *key, const uint32_t } sha512_Init(&(hctx->ctx)); sha512_Update(&(hctx->ctx), i_key_pad, SHA512_BLOCK_LENGTH); - explicit_bzero(i_key_pad, sizeof(i_key_pad)); + memzero(i_key_pad, sizeof(i_key_pad)); } void hmac_sha512_Update(HMAC_SHA512_CTX *hctx, const uint8_t *msg, const uint32_t msglen) @@ -131,7 +132,7 @@ void hmac_sha512_Final(HMAC_SHA512_CTX *hctx, uint8_t *hmac) sha512_Update(&(hctx->ctx), hctx->o_key_pad, SHA512_BLOCK_LENGTH); sha512_Update(&(hctx->ctx), hmac, SHA512_DIGEST_LENGTH); sha512_Final(&(hctx->ctx), hmac); - explicit_bzero(hctx, sizeof(HMAC_SHA512_CTX)); + memzero(hctx, sizeof(HMAC_SHA512_CTX)); } void hmac_sha512(const uint8_t *key, const uint32_t keylen, const uint8_t *msg, const uint32_t msglen, uint8_t *hmac) @@ -146,7 +147,7 @@ void hmac_sha512_prepare(const uint8_t *key, const uint32_t keylen, uint64_t *op { static CONFIDENTIAL uint64_t key_pad[SHA512_BLOCK_LENGTH/sizeof(uint64_t)]; - explicit_bzero(key_pad, sizeof(key_pad)); + memzero(key_pad, sizeof(key_pad)); if (keylen > SHA512_BLOCK_LENGTH) { static CONFIDENTIAL SHA512_CTX context; sha512_Init(&context); @@ -173,5 +174,5 @@ void hmac_sha512_prepare(const uint8_t *key, const uint32_t keylen, uint64_t *op key_pad[i] = key_pad[i] ^ 0x5c5c5c5c5c5c5c5c ^ 0x3636363636363636; } sha512_Transform(sha512_initial_hash_value, key_pad, ipad_digest); - explicit_bzero(key_pad, sizeof(key_pad)); + memzero(key_pad, sizeof(key_pad)); } diff --git a/memzero.c b/memzero.c new file mode 100644 index 000000000..68fad584b --- /dev/null +++ b/memzero.c @@ -0,0 +1,6 @@ +#include + +void memzero(void *s, size_t n) +{ + memset(s, 0, n); +} diff --git a/memzero.h b/memzero.h new file mode 100644 index 000000000..ce51acaef --- /dev/null +++ b/memzero.h @@ -0,0 +1,8 @@ +#ifndef __MEMZERO_H__ +#define __MEMZERO_H__ + +#include + +void memzero(void *s, size_t n); + +#endif diff --git a/nem.c b/nem.c index 4b226a1c8..d5faff008 100644 --- a/nem.c +++ b/nem.c @@ -28,6 +28,7 @@ #include "ed25519-donna/ed25519-keccak.h" #include "ripemd160.h" #include "sha3.h" +#include "memzero.h" const char *nem_network_name(uint8_t network) { switch (network) { @@ -111,7 +112,7 @@ void nem_get_address_raw(const ed25519_public_key public_key, uint8_t version, u /* 5. Concatenate output of step 3 and the checksum from step 4 */ memcpy(&address[1 + RIPEMD160_DIGEST_LENGTH], hash, 4); - explicit_bzero(hash, sizeof(hash)); + memzero(hash, sizeof(hash)); } bool nem_get_address(const ed25519_public_key public_key, uint8_t version, char *address) { @@ -121,7 +122,7 @@ bool nem_get_address(const ed25519_public_key public_key, uint8_t version, char char *ret = base32_encode(pubkeyhash, sizeof(pubkeyhash), address, NEM_ADDRESS_SIZE + 1, BASE32_ALPHABET_RFC4648); - explicit_bzero(pubkeyhash, sizeof(pubkeyhash)); + memzero(pubkeyhash, sizeof(pubkeyhash)); return (ret != NULL); } @@ -135,7 +136,7 @@ bool nem_validate_address_raw(const uint8_t *address, uint8_t network) { keccak_256(address, 1 + RIPEMD160_DIGEST_LENGTH, hash); bool valid = (memcmp(&address[1 + RIPEMD160_DIGEST_LENGTH], hash, 4) == 0); - explicit_bzero(hash, sizeof(hash)); + memzero(hash, sizeof(hash)); return valid; } @@ -149,7 +150,7 @@ bool nem_validate_address(const char *address, uint8_t network) { uint8_t *ret = base32_decode(address, NEM_ADDRESS_SIZE, pubkeyhash, sizeof(pubkeyhash), BASE32_ALPHABET_RFC4648); bool valid = (ret != NULL) && nem_validate_address_raw(pubkeyhash, network); - explicit_bzero(pubkeyhash, sizeof(pubkeyhash)); + memzero(pubkeyhash, sizeof(pubkeyhash)); return valid; } diff --git a/pbkdf2.c b/pbkdf2.c index f94ef368b..e6dbd008b 100644 --- a/pbkdf2.c +++ b/pbkdf2.c @@ -25,6 +25,7 @@ #include "pbkdf2.h" #include "hmac.h" #include "sha2.h" +#include "memzero.h" void pbkdf2_hmac_sha256_Init(PBKDF2_HMAC_SHA256_CTX *pctx, const uint8_t *pass, int passlen, const uint8_t *salt, int saltlen) { @@ -74,7 +75,7 @@ void pbkdf2_hmac_sha256_Final(PBKDF2_HMAC_SHA256_CTX *pctx, uint8_t *key) } #endif memcpy(key, pctx->f, SHA256_DIGEST_LENGTH); - explicit_bzero(pctx, sizeof(PBKDF2_HMAC_SHA256_CTX)); + memzero(pctx, sizeof(PBKDF2_HMAC_SHA256_CTX)); } void pbkdf2_hmac_sha256(const uint8_t *pass, int passlen, const uint8_t *salt, int saltlen, uint32_t iterations, uint8_t *key) @@ -134,7 +135,7 @@ void pbkdf2_hmac_sha512_Final(PBKDF2_HMAC_SHA512_CTX *pctx, uint8_t *key) } #endif memcpy(key, pctx->f, SHA512_DIGEST_LENGTH); - explicit_bzero(pctx, sizeof(PBKDF2_HMAC_SHA512_CTX)); + memzero(pctx, sizeof(PBKDF2_HMAC_SHA512_CTX)); } void pbkdf2_hmac_sha512(const uint8_t *pass, int passlen, const uint8_t *salt, int saltlen, uint32_t iterations, uint8_t *key) diff --git a/rfc6979.c b/rfc6979.c index 1168645e6..ec808a7cf 100644 --- a/rfc6979.c +++ b/rfc6979.c @@ -25,6 +25,7 @@ #include #include "rfc6979.h" #include "hmac.h" +#include "memzero.h" void init_rfc6979(const uint8_t *priv_key, const uint8_t *hash, rfc6979_state *state) { uint8_t bx[2*32]; @@ -48,8 +49,8 @@ void init_rfc6979(const uint8_t *priv_key, const uint8_t *hash, rfc6979_state *s hmac_sha256(state->k, sizeof(state->k), buf, sizeof(buf), state->k); hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v); - explicit_bzero(bx, sizeof(bx)); - explicit_bzero(buf, sizeof(buf)); + memzero(bx, sizeof(bx)); + memzero(buf, sizeof(buf)); } // generate next number from deterministic random number generator @@ -63,7 +64,7 @@ void generate_rfc6979(uint8_t rnd[32], rfc6979_state *state) hmac_sha256(state->k, sizeof(state->k), buf, sizeof(state->v) + 1, state->k); hmac_sha256(state->k, sizeof(state->k), state->v, sizeof(state->v), state->v); memcpy(rnd, buf, 32); - explicit_bzero(buf, sizeof(buf)); + memzero(buf, sizeof(buf)); } // generate K in a deterministic way, according to RFC6979 @@ -73,5 +74,5 @@ void generate_k_rfc6979(bignum256 *k, rfc6979_state *state) uint8_t buf[32]; generate_rfc6979(buf, state); bn_read_be(buf, k); - explicit_bzero(buf, sizeof(buf)); + memzero(buf, sizeof(buf)); } diff --git a/ripemd160.c b/ripemd160.c index fb65f71b2..66b13ca3d 100644 --- a/ripemd160.c +++ b/ripemd160.c @@ -28,6 +28,7 @@ #include #include "ripemd160.h" +#include "memzero.h" /* * 32-bit integer manipulation macros (little endian) @@ -327,7 +328,7 @@ void ripemd160_Final( RIPEMD160_CTX *ctx, uint8_t output[RIPEMD160_DIGEST_LENGTH PUT_UINT32_LE( ctx->state[3], output, 12 ); PUT_UINT32_LE( ctx->state[4], output, 16 ); - explicit_bzero(ctx, sizeof(RIPEMD160_CTX)); + memzero(ctx, sizeof(RIPEMD160_CTX)); } /* diff --git a/sha2.c b/sha2.c index 1b399e947..0d27f4335 100644 --- a/sha2.c +++ b/sha2.c @@ -31,6 +31,7 @@ #include #include #include "sha2.h" +#include "memzero.h" /* * ASSERT NOTE: @@ -281,7 +282,7 @@ static const char *sha2_hex_digits = "0123456789abcdef"; /*** SHA-1: ***********************************************************/ void sha1_Init(SHA1_CTX* context) { MEMCPY_BCOPY(context->state, sha1_initial_hash_value, SHA1_DIGEST_LENGTH); - explicit_bzero(context->buffer, SHA1_BLOCK_LENGTH); + memzero(context->buffer, SHA1_BLOCK_LENGTH); context->bitcount = 0; } @@ -591,14 +592,14 @@ void sha1_Final(SHA1_CTX* context, sha2_byte digest[]) { * No digest buffer, so we can do nothing * except clean up and go home */ - explicit_bzero(context, sizeof(SHA1_CTX)); + memzero(context, sizeof(SHA1_CTX)); return; } usedspace = (context->bitcount >> 3) % SHA1_BLOCK_LENGTH; if (usedspace == 0) { /* Set-up for the last transform: */ - explicit_bzero(context->buffer, SHA1_SHORT_BLOCK_LENGTH); + memzero(context->buffer, SHA1_SHORT_BLOCK_LENGTH); /* Begin padding with a 1 bit: */ *context->buffer = 0x80; @@ -608,16 +609,16 @@ void sha1_Final(SHA1_CTX* context, sha2_byte digest[]) { if (usedspace <= 56) { /* Set-up for the last transform: */ - explicit_bzero(((uint8_t*)context->buffer) + usedspace, 56 - usedspace); + memzero(((uint8_t*)context->buffer) + usedspace, 56 - usedspace); } else { if (usedspace < 64) { - explicit_bzero(((uint8_t*)context->buffer) + usedspace, 64 - usedspace); + memzero(((uint8_t*)context->buffer) + usedspace, 64 - usedspace); } /* Do second-to-last transform: */ sha1_Transform(context->state, context->buffer, context->state); /* And set-up for the last transform: */ - explicit_bzero(context->buffer, 56); + memzero(context->buffer, 56); } /* Clean up: */ usedspace = 0; @@ -648,7 +649,7 @@ void sha1_Final(SHA1_CTX* context, sha2_byte digest[]) { #endif /* Clean up: */ - explicit_bzero(context, sizeof(SHA1_CTX)); + memzero(context, sizeof(SHA1_CTX)); } char *sha1_End(SHA1_CTX* context, char buffer[]) { @@ -665,9 +666,9 @@ char *sha1_End(SHA1_CTX* context, char buffer[]) { } *buffer = (char)0; } else { - explicit_bzero(context, sizeof(SHA1_CTX)); + memzero(context, sizeof(SHA1_CTX)); } - explicit_bzero(digest, SHA1_DIGEST_LENGTH); + memzero(digest, SHA1_DIGEST_LENGTH); return buffer; } @@ -692,7 +693,7 @@ void sha256_Init(SHA256_CTX* context) { return; } MEMCPY_BCOPY(context->state, sha256_initial_hash_value, SHA256_DIGEST_LENGTH); - explicit_bzero(context->buffer, SHA256_BLOCK_LENGTH); + memzero(context->buffer, SHA256_BLOCK_LENGTH); context->bitcount = 0; } @@ -929,7 +930,7 @@ void sha256_Final(SHA256_CTX* context, sha2_byte digest[]) { ((uint8_t*)context->buffer)[usedspace++] = 0x80; if (usedspace > SHA256_SHORT_BLOCK_LENGTH) { - explicit_bzero(((uint8_t*)context->buffer) + usedspace, SHA256_BLOCK_LENGTH - usedspace); + memzero(((uint8_t*)context->buffer) + usedspace, SHA256_BLOCK_LENGTH - usedspace); #if BYTE_ORDER == LITTLE_ENDIAN /* Convert TO host byte order */ @@ -944,7 +945,7 @@ void sha256_Final(SHA256_CTX* context, sha2_byte digest[]) { usedspace = 0; } /* Set-up for the last transform: */ - explicit_bzero(((uint8_t*)context->buffer) + usedspace, SHA256_SHORT_BLOCK_LENGTH - usedspace); + memzero(((uint8_t*)context->buffer) + usedspace, SHA256_SHORT_BLOCK_LENGTH - usedspace); #if BYTE_ORDER == LITTLE_ENDIAN /* Convert TO host byte order */ @@ -969,7 +970,7 @@ void sha256_Final(SHA256_CTX* context, sha2_byte digest[]) { } /* Clean up state data: */ - explicit_bzero(context, sizeof(SHA256_CTX)); + memzero(context, sizeof(SHA256_CTX)); usedspace = 0; } @@ -987,9 +988,9 @@ char *sha256_End(SHA256_CTX* context, char buffer[]) { } *buffer = (char)0; } else { - explicit_bzero(context, sizeof(SHA256_CTX)); + memzero(context, sizeof(SHA256_CTX)); } - explicit_bzero(digest, SHA256_DIGEST_LENGTH); + memzero(digest, SHA256_DIGEST_LENGTH); return buffer; } @@ -1015,7 +1016,7 @@ void sha512_Init(SHA512_CTX* context) { return; } MEMCPY_BCOPY(context->state, sha512_initial_hash_value, SHA512_DIGEST_LENGTH); - explicit_bzero(context->buffer, SHA512_BLOCK_LENGTH); + memzero(context->buffer, SHA512_BLOCK_LENGTH); context->bitcount[0] = context->bitcount[1] = 0; } @@ -1232,7 +1233,7 @@ static void sha512_Last(SHA512_CTX* context) { ((uint8_t*)context->buffer)[usedspace++] = 0x80; if (usedspace > SHA512_SHORT_BLOCK_LENGTH) { - explicit_bzero(((uint8_t*)context->buffer) + usedspace, SHA512_BLOCK_LENGTH - usedspace); + memzero(((uint8_t*)context->buffer) + usedspace, SHA512_BLOCK_LENGTH - usedspace); #if BYTE_ORDER == LITTLE_ENDIAN /* Convert TO host byte order */ @@ -1247,7 +1248,7 @@ static void sha512_Last(SHA512_CTX* context) { usedspace = 0; } /* Set-up for the last transform: */ - explicit_bzero(((uint8_t*)context->buffer) + usedspace, SHA512_SHORT_BLOCK_LENGTH - usedspace); + memzero(((uint8_t*)context->buffer) + usedspace, SHA512_SHORT_BLOCK_LENGTH - usedspace); #if BYTE_ORDER == LITTLE_ENDIAN /* Convert TO host byte order */ @@ -1279,7 +1280,7 @@ void sha512_Final(SHA512_CTX* context, sha2_byte digest[]) { } /* Zero out state data */ - explicit_bzero(context, sizeof(SHA512_CTX)); + memzero(context, sizeof(SHA512_CTX)); } char *sha512_End(SHA512_CTX* context, char buffer[]) { @@ -1296,9 +1297,9 @@ char *sha512_End(SHA512_CTX* context, char buffer[]) { } *buffer = (char)0; } else { - explicit_bzero(context, sizeof(SHA512_CTX)); + memzero(context, sizeof(SHA512_CTX)); } - explicit_bzero(digest, SHA512_DIGEST_LENGTH); + memzero(digest, SHA512_DIGEST_LENGTH); return buffer; } diff --git a/sha3.c b/sha3.c index bba56326a..3ef9db8ae 100644 --- a/sha3.c +++ b/sha3.c @@ -21,6 +21,7 @@ #include #include "sha3.h" +#include "memzero.h" #define I64(x) x##LL #define ROTL64(qword, n) ((qword) << (n) ^ ((qword) >> (64 - (n)))) @@ -330,7 +331,7 @@ void sha3_Final(SHA3_CTX *ctx, unsigned char* result) assert(block_size > digest_length); if (result) me64_to_le_str(result, ctx->hash, digest_length); - explicit_bzero(ctx, sizeof(SHA3_CTX)); + memzero(ctx, sizeof(SHA3_CTX)); } #if USE_KECCAK @@ -359,7 +360,7 @@ void keccak_Final(SHA3_CTX *ctx, unsigned char* result) assert(block_size > digest_length); if (result) me64_to_le_str(result, ctx->hash, digest_length); - explicit_bzero(ctx, sizeof(SHA3_CTX)); + memzero(ctx, sizeof(SHA3_CTX)); } void keccak_256(const unsigned char* data, size_t len, unsigned char* digest)