Introduce separate _clean functions for hash module

real-or-random · real-or-random · commit 6a34c60455d2 · 2020-04-27T18:56:31.000+02:00
This gives the caller more control about whether the state should
be cleaned (= should be considered secret), which will be useful
for example for Schnorr signature verification in the future.
Moreover, it gives the caller the possibility to clean a hash struct
without finalizing it.
diff --git a/src/ecmult_gen_impl.h b/src/ecmult_gen_impl.h
@@ -204,6 +204,7 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
     memclear(nonce32, sizeof(nonce32));
     secp256k1_scalar_clear(&b);
     secp256k1_gej_clear(&gb);
+    secp256k1_rfc6979_hmac_sha256_clear(&rng);
 }
 
 #endif /* SECP256K1_ECMULT_GEN_IMPL_H */
diff --git a/src/hash.h b/src/hash.h
@@ -19,6 +19,7 @@ typedef struct {
 static void secp256k1_sha256_initialize(secp256k1_sha256 *hash);
 static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t size);
 static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32);
+static void secp256k1_sha256_clear(secp256k1_sha256 *hash);
 
 typedef struct {
     secp256k1_sha256 inner, outer;
@@ -27,6 +28,7 @@ typedef struct {
 static void secp256k1_hmac_sha256_initialize(secp256k1_hmac_sha256 *hash, const unsigned char *key, size_t size);
 static void secp256k1_hmac_sha256_write(secp256k1_hmac_sha256 *hash, const unsigned char *data, size_t size);
 static void secp256k1_hmac_sha256_finalize(secp256k1_hmac_sha256 *hash, unsigned char *out32);
+static void secp256k1_hmac_sha256_clear(secp256k1_hmac_sha256 *hash);
 
 typedef struct {
     unsigned char v[32];
@@ -37,5 +39,6 @@ typedef struct {
 static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen);
 static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen);
 static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng);
+static void secp256k1_rfc6979_hmac_sha256_clear(secp256k1_rfc6979_hmac_sha256 *rng);
 
 #endif /* SECP256K1_HASH_H */
diff --git a/src/hash_impl.h b/src/hash_impl.h
@@ -164,7 +164,10 @@ static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out
 
     memclear(sizedesc, sizeof(sizedesc));
     memclear(out, sizeof(out));
-    memclear(hash, sizeof(secp256k1_sha256));
+}
+
+static void secp256k1_sha256_clear(secp256k1_sha256 *hash) {
+    memclear(hash, sizeof(*hash));
 }
 
 static void secp256k1_hmac_sha256_initialize(secp256k1_hmac_sha256 *hash, const unsigned char *key, size_t keylen) {
@@ -207,6 +210,9 @@ static void secp256k1_hmac_sha256_finalize(secp256k1_hmac_sha256 *hash, unsigned
     secp256k1_sha256_finalize(&hash->outer, out32);
 }
 
+static void secp256k1_hmac_sha256_clear(secp256k1_hmac_sha256 *hash) {
+    memclear(hash, sizeof(*hash));
+}
 
 static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen) {
     secp256k1_hmac_sha256 hmac;
@@ -270,7 +276,11 @@ static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256
 }
 
 static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng) {
-    memclear(rng, sizeof(secp256k1_rfc6979_hmac_sha256));
+    (void) rng;
+}
+
+static void secp256k1_rfc6979_hmac_sha256_clear(secp256k1_rfc6979_hmac_sha256 *rng) {
+    memclear(rng, sizeof(*rng));
 }
 
 #undef BE32
diff --git a/src/modules/ecdh/main_impl.h b/src/modules/ecdh/main_impl.h
@@ -19,6 +19,7 @@ static int ecdh_hash_function_sha256(unsigned char *output, const unsigned char
     secp256k1_sha256_write(&sha, &version, 1);
     secp256k1_sha256_write(&sha, x32, 32);
     secp256k1_sha256_finalize(&sha, output);
+    secp256k1_sha256_clear(&sha);
 
     return 1;
 }
diff --git a/src/secp256k1.c b/src/secp256k1.c
@@ -456,11 +456,13 @@ static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *m
        buffer_append(keydata, &offset, algo16, 16);
    }
    secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, offset);
-   memclear(keydata, sizeof(keydata));
    for (i = 0; i <= counter; i++) {
        secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
    }
    secp256k1_rfc6979_hmac_sha256_finalize(&rng);
+
+   memclear(keydata, sizeof(keydata));
+   secp256k1_rfc6979_hmac_sha256_clear(&rng);
    return 1;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -204,6 +204,7 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const`
`204`	`204`	`memclear(nonce32, sizeof(nonce32));`
`205`	`205`	`secp256k1_scalar_clear(&b);`
`206`	`206`	`secp256k1_gej_clear(&gb);`
	`207`	`+ secp256k1_rfc6979_hmac_sha256_clear(&rng);`
`207`	`208`	`}`
`208`	`209`
`209`	`210`	`#endif /* SECP256K1_ECMULT_GEN_IMPL_H */`
Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,7 @@ static int ecdh_hash_function_sha256(unsigned char *output, const unsigned char`
`19`	`19`	`secp256k1_sha256_write(&sha, &version, 1);`
`20`	`20`	`secp256k1_sha256_write(&sha, x32, 32);`
`21`	`21`	`secp256k1_sha256_finalize(&sha, output);`
	`22`	`+ secp256k1_sha256_clear(&sha);`
`22`	`23`
`23`	`24`	`return 1;`
`24`	`25`	`}`
Original file line number	Diff line number	Diff line change
`@@ -456,11 +456,13 @@ static int nonce_function_rfc6979(unsigned char nonce32, const unsigned char m`
`456`	`456`	`buffer_append(keydata, &offset, algo16, 16);`
`457`	`457`	`}`
`458`	`458`	`secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, offset);`
`459`		`- memclear(keydata, sizeof(keydata));`
`460`	`459`	`for (i = 0; i <= counter; i++) {`
`461`	`460`	`secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);`
`462`	`461`	`}`
`463`	`462`	`secp256k1_rfc6979_hmac_sha256_finalize(&rng);`
	`463`	`+`
	`464`	`+ memclear(keydata, sizeof(keydata));`
	`465`	`+ secp256k1_rfc6979_hmac_sha256_clear(&rng);`
`464`	`466`	`return 1;`
`465`	`467`	`}`
`466`	`468`