Clear secrets when dropped (#183)

oleganza · web-flow · commit 505556b218d6 · 2018-10-15T16:43:16.000-07:00
closes #171
diff --git a/Cargo.toml b/Cargo.toml
@@ -22,6 +22,7 @@ serde = "1"
 serde_derive = "1"
 failure = "0.1"
 merlin = "0.4"
+clear_on_drop = "0.2.3"
 
 [dev-dependencies]
 hex = "0.3"
diff --git a/src/lib.rs b/src/lib.rs
@@ -10,6 +10,7 @@ extern crate digest;
 extern crate rand;
 extern crate sha3;
 
+extern crate clear_on_drop;
 extern crate curve25519_dalek;
 extern crate merlin;
 extern crate subtle;
diff --git a/src/range_proof/party.rs b/src/range_proof/party.rs
@@ -14,6 +14,7 @@ use curve25519_dalek::ristretto::{CompressedRistretto, RistrettoPoint};
 use curve25519_dalek::scalar::Scalar;
 use curve25519_dalek::traits::MultiscalarMul;
 
+use clear_on_drop::clear::Clear;
 use errors::MPCError;
 use generators::{BulletproofGens, PedersenGens};
 use rand;
@@ -129,6 +130,14 @@ impl<'a> PartyAwaitingPosition<'a> {
     }
 }
 
+/// Overwrite secrets with null bytes when they go out of scope.
+impl<'a> Drop for PartyAwaitingPosition<'a> {
+    fn drop(&mut self) {
+        self.v.clear();
+        self.v_blinding.clear();
+    }
+}
+
 /// A party which has committed to the bits of its value
 /// and is waiting for the aggregated value challenge from the dealer.
 pub struct PartyAwaitingBitChallenge<'a> {
@@ -206,6 +215,28 @@ impl<'a> PartyAwaitingBitChallenge<'a> {
     }
 }
 
+/// Overwrite secrets with null bytes when they go out of scope.
+impl<'a> Drop for PartyAwaitingBitChallenge<'a> {
+    fn drop(&mut self) {
+        self.v.clear();
+        self.v_blinding.clear();
+        self.a_blinding.clear();
+        self.s_blinding.clear();
+
+        // Important: due to how ClearOnDrop auto-implements InitializableFromZeroed
+        // for T: Default, calling .clear() on Vec compiles, but does not
+        // clear the content. Instead, it only clears the Vec's header.
+        // Clearing the underlying buffer item-by-item will do the job, but will
+        // keep the header as-is, which is fine since the header does not contain secrets.
+        for e in self.s_L.iter_mut() {
+            e.clear();
+        }
+        for e in self.s_R.iter_mut() {
+            e.clear();
+        }
+    }
+}
+
 /// A party which has committed to their polynomial coefficents
 /// and is waiting for the polynomial challenge from the dealer.
 pub struct PartyAwaitingPolyChallenge {
@@ -252,3 +283,17 @@ impl PartyAwaitingPolyChallenge {
         })
     }
 }
+
+/// Overwrite secrets with null bytes when they go out of scope.
+impl Drop for PartyAwaitingPolyChallenge {
+    fn drop(&mut self) {
+        self.v_blinding.clear();
+        self.a_blinding.clear();
+        self.s_blinding.clear();
+        self.t_1_blinding.clear();
+        self.t_2_blinding.clear();
+
+        // Note: polynomials r_poly, l_poly and t_poly
+        // are cleared within their own Drop impls.
+    }
+}
diff --git a/src/util.rs b/src/util.rs
@@ -1,6 +1,7 @@
 #![deny(missing_docs)]
 #![allow(non_snake_case)]
 
+use clear_on_drop::clear::Clear;
 use curve25519_dalek::scalar::Scalar;
 use inner_product_proof::inner_product;
 
@@ -87,6 +88,25 @@ impl Poly2 {
     }
 }
 
+impl Drop for VecPoly1 {
+    fn drop(&mut self) {
+        for e in self.0.iter_mut() {
+            e.clear();
+        }
+        for e in self.1.iter_mut() {
+            e.clear();
+        }
+    }
+}
+
+impl Drop for Poly2 {
+    fn drop(&mut self) {
+        self.0.clear();
+        self.1.clear();
+        self.2.clear();
+    }
+}
+
 /// Raises `x` to the power `n` using binary exponentiation,
 /// with (1 to 2)*lg(n) scalar multiplications.
 /// TODO: a consttime version of this would be awfully similar to a Montgomery ladder.
@@ -220,4 +240,49 @@ mod tests {
         assert_eq!(sum_of_powers_slow(&x, 5), Scalar::from(11111u64));
         assert_eq!(sum_of_powers_slow(&x, 6), Scalar::from(111111u64));
     }
+
+    #[test]
+    fn vec_of_scalars_clear_on_drop() {
+        let mut v = vec![Scalar::from(24u64), Scalar::from(42u64)];
+
+        for e in v.iter_mut() {
+            e.clear();
+        }
+
+        fn flat_slice<T>(x: &[T]) -> &[u8] {
+            use core::mem;
+            use core::slice;
+
+            unsafe { slice::from_raw_parts(x.as_ptr() as *const u8, mem::size_of_val(x)) }
+        }
+
+        assert_eq!(flat_slice(&v.as_slice()), &[0u8; 64][..]);
+        assert_eq!(v[0], Scalar::zero());
+        assert_eq!(v[1], Scalar::zero());
+    }
+
+    #[test]
+    fn tuple_of_scalars_clear_on_drop() {
+        let mut v = Poly2(
+            Scalar::from(24u64),
+            Scalar::from(42u64),
+            Scalar::from(255u64),
+        );
+
+        v.0.clear();
+        v.1.clear();
+        v.2.clear();
+
+        fn as_bytes<T>(x: &T) -> &[u8] {
+            use core::mem;
+            use core::slice;
+
+            unsafe { slice::from_raw_parts(x as *const T as *const u8, mem::size_of_val(x)) }
+        }
+
+        assert_eq!(as_bytes(&v), &[0u8; 96][..]);
+        assert_eq!(v.0, Scalar::zero());
+        assert_eq!(v.1, Scalar::zero());
+        assert_eq!(v.2, Scalar::zero());
+    }
 }
