Use SECP256K1_CLEANSE() to zero stack memory instead of memset()

isle2983 · real-or-random · commit 3148b2803ee9 · 2019-06-06T22:07:43.000+02:00
All of these conversions:

1) operate on stack memory.
2) happen after the function is done with the variable
3) had an existing memset() action to be replaced

These were found by visual inspection and may not be the total set of
places where SECP256K1_CLEANSE should ideally be applied.
diff --git a/src/ecmult_gen_impl.h b/src/ecmult_gen_impl.h
@@ -176,7 +176,7 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
         memcpy(keydata + 32, seed32, 32);
     }
     secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, seed32 ? 64 : 32);
-    memset(keydata, 0, sizeof(keydata));
+    SECP256K1_CLEANSE(keydata);
     /* Retry for out of range results to achieve uniformity. */
     do {
         secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
@@ -193,7 +193,7 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
         retry = retry || secp256k1_scalar_is_zero(&b);
     } while (retry); /* This branch true is cryptographically unreachable. Requires sha256_hmac output > order. */
     secp256k1_rfc6979_hmac_sha256_finalize(&rng);
-    memset(nonce32, 0, 32);
+    SECP256K1_CLEANSE(nonce32);
     secp256k1_ecmult_gen(ctx, &gb, &b);
     secp256k1_scalar_negate(&b, &b);
     ctx->blind = b;
diff --git a/src/hash_impl.h b/src/hash_impl.h
@@ -188,7 +188,7 @@ static void secp256k1_hmac_sha256_initialize(secp256k1_hmac_sha256 *hash, const
         rkey[n] ^= 0x5c ^ 0x36;
     }
     secp256k1_sha256_write(&hash->inner, rkey, sizeof(rkey));
-    memset(rkey, 0, sizeof(rkey));
+    SECP256K1_CLEANSE(rkey);
 }
 
 static void secp256k1_hmac_sha256_write(secp256k1_hmac_sha256 *hash, const unsigned char *data, size_t size) {
@@ -199,7 +199,7 @@ static void secp256k1_hmac_sha256_finalize(secp256k1_hmac_sha256 *hash, unsigned
     unsigned char temp[32];
     secp256k1_sha256_finalize(&hash->inner, temp);
     secp256k1_sha256_write(&hash->outer, temp, 32);
-    memset(temp, 0, 32);
+    SECP256K1_CLEANSE(temp);
     secp256k1_sha256_finalize(&hash->outer, out32);
 }
 
diff --git a/src/modules/recovery/main_impl.h b/src/modules/recovery/main_impl.h
@@ -154,7 +154,7 @@ int secp256k1_ecdsa_sign_recoverable(const secp256k1_context* ctx, secp256k1_ecd
             }
             count++;
         }
-        memset(nonce32, 0, 32);
+        SECP256K1_CLEANSE(nonce32);
         SECP256K1_CLEANSE(msg);
         SECP256K1_CLEANSE(non);
         SECP256K1_CLEANSE(sec);
diff --git a/src/num_gmp_impl.h b/src/num_gmp_impl.h
@@ -39,7 +39,7 @@ static void secp256k1_num_get_bin(unsigned char *r, unsigned int rlen, const sec
     if (len > shift) {
         memcpy(r + rlen - len + shift, tmp + shift, len - shift);
     }
-    memset(tmp, 0, sizeof(tmp));
+    SECP256K1_CLEANSE(tmp);
 }
 
 static void secp256k1_num_set_bin(secp256k1_num *r, const unsigned char *a, unsigned int alen) {
@@ -85,7 +85,7 @@ static void secp256k1_num_mod(secp256k1_num *r, const secp256k1_num *m) {
     if (r->limbs >= m->limbs) {
         mp_limb_t t[2*NUM_LIMBS];
         mpn_tdiv_qr(t, r->data, 0, r->data, r->limbs, m->data, m->limbs);
-        memset(t, 0, sizeof(t));
+        SECP256K1_CLEANSE(t);
         r->limbs = m->limbs;
         while (r->limbs > 1 && r->data[r->limbs-1]==0) {
             r->limbs--;
@@ -139,9 +139,9 @@ static void secp256k1_num_mod_inverse(secp256k1_num *r, const secp256k1_num *a,
     } else {
         r->limbs = sn;
     }
-    memset(g, 0, sizeof(g));
-    memset(u, 0, sizeof(u));
-    memset(v, 0, sizeof(v));
+    SECP256K1_CLEANSE(g);
+    SECP256K1_CLEANSE(u);
+    SECP256K1_CLEANSE(v);
 }
 
 static int secp256k1_num_jacobi(const secp256k1_num *a, const secp256k1_num *b) {
@@ -256,7 +256,7 @@ static void secp256k1_num_mul(secp256k1_num *r, const secp256k1_num *a, const se
     VERIFY_CHECK(r->limbs <= 2*NUM_LIMBS);
     mpn_copyi(r->data, tmp, r->limbs);
     r->neg = a->neg ^ b->neg;
-    memset(tmp, 0, sizeof(tmp));
+    SECP256K1_CLEANSE(tmp);
 }
 
 static void secp256k1_num_shift(secp256k1_num *r, int bits) {
diff --git a/src/secp256k1.c b/src/secp256k1.c
@@ -435,7 +435,7 @@ static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *m
        buffer_append(keydata, &offset, algo16, 16);
    }
    secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, offset);
-   memset(keydata, 0, sizeof(keydata));
+   SECP256K1_CLEANSE(keydata);
    for (i = 0; i <= counter; i++) {
        secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
    }
@@ -479,7 +479,7 @@ int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature
             }
             count++;
         }
-        memset(nonce32, 0, 32);
+        SECP256K1_CLEANSE(nonce32);
         SECP256K1_CLEANSE(msg);
         SECP256K1_CLEANSE(non);
         SECP256K1_CLEANSE(sec);

Original file line number	Diff line number	Diff line change
`@@ -188,7 +188,7 @@ static void secp256k1_hmac_sha256_initialize(secp256k1_hmac_sha256 *hash, const`
`188`	`188`	`rkey[n] ^= 0x5c ^ 0x36;`
`189`	`189`	`}`
`190`	`190`	`secp256k1_sha256_write(&hash->inner, rkey, sizeof(rkey));`
`191`		`- memset(rkey, 0, sizeof(rkey));`
	`191`	`+ SECP256K1_CLEANSE(rkey);`
`192`	`192`	`}`
`193`	`193`
`194`	`194`	`static void secp256k1_hmac_sha256_write(secp256k1_hmac_sha256 hash, const unsigned char data, size_t size) {`
`@@ -199,7 +199,7 @@ static void secp256k1_hmac_sha256_finalize(secp256k1_hmac_sha256 *hash, unsigned`
`199`	`199`	`unsigned char temp[32];`
`200`	`200`	`secp256k1_sha256_finalize(&hash->inner, temp);`
`201`	`201`	`secp256k1_sha256_write(&hash->outer, temp, 32);`
`202`		`- memset(temp, 0, 32);`
	`202`	`+ SECP256K1_CLEANSE(temp);`
`203`	`203`	`secp256k1_sha256_finalize(&hash->outer, out32);`
`204`	`204`	`}`
`205`	`205`
Original file line number	Diff line number	Diff line change
`@@ -154,7 +154,7 @@ int secp256k1_ecdsa_sign_recoverable(const secp256k1_context* ctx, secp256k1_ecd`
`154`	`154`	`}`
`155`	`155`	`count++;`
`156`	`156`	`}`
`157`		`- memset(nonce32, 0, 32);`
	`157`	`+ SECP256K1_CLEANSE(nonce32);`
`158`	`158`	`SECP256K1_CLEANSE(msg);`
`159`	`159`	`SECP256K1_CLEANSE(non);`
`160`	`160`	`SECP256K1_CLEANSE(sec);`
Original file line number	Diff line number	Diff line change
`@@ -435,7 +435,7 @@ static int nonce_function_rfc6979(unsigned char nonce32, const unsigned char m`
`435`	`435`	`buffer_append(keydata, &offset, algo16, 16);`
`436`	`436`	`}`
`437`	`437`	`secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, offset);`
`438`		`- memset(keydata, 0, sizeof(keydata));`
	`438`	`+ SECP256K1_CLEANSE(keydata);`
`439`	`439`	`for (i = 0; i <= counter; i++) {`
`440`	`440`	`secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);`
`441`	`441`	`}`
`@@ -479,7 +479,7 @@ int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature`
`479`	`479`	`}`
`480`	`480`	`count++;`
`481`	`481`	`}`
`482`		`- memset(nonce32, 0, 32);`
	`482`	`+ SECP256K1_CLEANSE(nonce32);`
`483`	`483`	`SECP256K1_CLEANSE(msg);`
`484`	`484`	`SECP256K1_CLEANSE(non);`
`485`	`485`	`SECP256K1_CLEANSE(sec);`