More performance improvements with nssdb

Cargo.toml

@@ -44,7 +44,6 @@ serde_json = "1.0.104"
 serial_test = "3.1.1"
 toml = { version = "0.8.19", default-features = false, features = ["display", "parse"] }
 uuid = { version = "1.4.1", features = ["v4"] }
-zeroize = "1.6.0"
 
 [features]
 aes = []

src/aes.rs

@@ -7,14 +7,13 @@ use crate::attribute::Attribute;
 use crate::error::Result;
 use crate::interface::*;
 use crate::mechanism::*;
+use crate::misc::zeromem;
 use crate::object::*;
 use crate::ossl::aes::*;
 use crate::{attr_element, cast_params};
 
 use once_cell::sync::Lazy;
 
-use zeroize::Zeroize;
-
 pub const MIN_AES_SIZE_BYTES: usize = 16; /* 128 bits */
 pub const MID_AES_SIZE_BYTES: usize = 24; /* 192 bits */
 pub const MAX_AES_SIZE_BYTES: usize = 32; /* 256 bits */
@@ -100,7 +99,7 @@ impl ObjectFactory for AesKeyFactory {
             Some(idx) => {
                 let len = usize::try_from(template[idx].to_ulong()?)?;
                 if len > data.len() {
-                    data.zeroize();
+                    zeromem(data.as_mut_slice());
                     return Err(CKR_KEY_SIZE_RANGE)?;
                 }
                 if len < data.len() {
@@ -112,7 +111,7 @@ impl ObjectFactory for AesKeyFactory {
         match check_key_len(data.len()) {
             Ok(_) => (),
             Err(e) => {
-                data.zeroize();
+                zeromem(data.as_mut_slice());
                 return Err(e);
             }
         }

src/attribute.rs

@@ -5,10 +5,9 @@ use std::borrow::Cow;
 
 use crate::error::{Error, Result};
 use crate::interface::*;
+use crate::misc::zeromem;
 use crate::{bytes_to_vec, sizeof, void_ptr};
 
-use zeroize::Zeroize;
-
 #[derive(Debug, Clone, Copy, PartialEq)]
 pub enum AttrType {
     BoolType,
@@ -271,7 +270,7 @@ impl Attribute {
     }
 
     pub fn zeroize(&mut self) {
-        self.value.zeroize();
+        zeromem(self.value.as_mut_slice());
     }
 
     pub fn from_date_bytes(t: CK_ULONG, val: Vec<u8>) -> Attribute {
@@ -559,7 +558,7 @@ impl Drop for CkAttrs<'_> {
     fn drop(&mut self) {
         if self.zeroize {
             while let Some(mut elem) = self.v.pop() {
-                elem.zeroize();
+                zeromem(elem.as_mut_slice());
             }
         }
     }

src/hmac.rs

@@ -7,11 +7,11 @@ use crate::error::{Error, Result};
 use crate::hash;
 use crate::interface::*;
 use crate::mechanism::*;
+use crate::misc::zeromem;
 use crate::object::*;
 use crate::sizeof;
 
 use once_cell::sync::Lazy;
-use zeroize::Zeroize;
 
 #[cfg(not(feature = "fips"))]
 use crate::native::hmac::HMACOperation;
@@ -26,7 +26,7 @@ pub struct HmacKey {
 
 impl Drop for HmacKey {
     fn drop(&mut self) {
-        self.raw.zeroize()
+        zeromem(self.raw.as_mut_slice())
     }
 }
 

src/kasn1/mod.rs

@@ -5,9 +5,9 @@ use std::borrow::Cow;
 
 use crate::error::Result;
 use crate::interface::*;
+use crate::misc::zeromem;
 
 use asn1;
-use zeroize::Zeroize;
 
 /* Helper routines to use with rust/asn1 */
 
@@ -68,7 +68,7 @@ impl<'a> DerEncBigUint<'a> {
 impl Drop for DerEncBigUint<'_> {
     fn drop(&mut self) {
         match &self.data {
-            Cow::Owned(_) => self.data.to_mut().zeroize(),
+            Cow::Owned(_) => zeromem(self.data.to_mut()),
             _ => (),
         }
     }
@@ -111,7 +111,7 @@ impl<'a> DerEncOctetString<'a> {
 impl Drop for DerEncOctetString<'_> {
     fn drop(&mut self) {
         match &self.data {
-            Cow::Owned(_) => self.data.to_mut().zeroize(),
+            Cow::Owned(_) => zeromem(self.data.to_mut()),
             _ => (),
         }
     }

src/misc.rs

@@ -6,7 +6,7 @@ use crate::attribute::{Attribute, CkAttrs};
 use crate::error::Result;
 use crate::interface::*;
 use crate::object::{Object, ObjectFactories, ObjectType};
-
+use crate::ossl::common::zeromem as ossl_zeromem;
 pub const CK_ULONG_SIZE: usize = std::mem::size_of::<CK_ULONG>();
 
 #[macro_export]
@@ -191,3 +191,7 @@ pub fn copy_sized_string(s: &[u8], d: &mut [u8]) {
         d[slen..].fill(0x20); /* space in ASCII/UTF8 */
     }
 }
+
+pub fn zeromem(mem: &mut [u8]) {
+    ossl_zeromem(mem);
+}

src/native/hmac.rs

@@ -8,9 +8,15 @@ use crate::hash;
 use crate::hmac::*;
 use crate::interface::*;
 use crate::mechanism::*;
+use crate::misc::zeromem;
 
 use constant_time_eq::constant_time_eq;
-use zeroize::Zeroize;
+
+/* max algo right now is SHA3_224 with 144 bytes blocksize,
+ * use slightly larger for good measure (and alignment) */
+const MAX_BSZ: usize = 160;
+const IPAD_INIT: [u8; MAX_BSZ] = [0x36; MAX_BSZ];
+const OPAD_INIT: [u8; MAX_BSZ] = [0x5c; MAX_BSZ];
 
 /* HMAC spec From FIPS 198-1 */
 
@@ -22,19 +28,19 @@ pub struct HMACOperation {
     hashlen: usize,
     blocklen: usize,
     outputlen: usize,
-    state: Vec<u8>,
-    ipad: Vec<u8>,
-    opad: Vec<u8>,
+    state: [u8; MAX_BSZ],
+    ipad: [u8; MAX_BSZ],
+    opad: [u8; MAX_BSZ],
     inner: Operation,
     finalized: bool,
     in_use: bool,
 }
 
 impl Drop for HMACOperation {
     fn drop(&mut self) {
-        self.state.zeroize();
-        self.ipad.zeroize();
-        self.opad.zeroize();
+        zeromem(&mut self.state);
+        zeromem(&mut self.ipad);
+        zeromem(&mut self.opad);
     }
 }
 
@@ -44,16 +50,19 @@ impl HMACOperation {
         key: HmacKey,
         outputlen: usize,
     ) -> Result<HMACOperation> {
+        let hash = hmac_mech_to_hash_mech(mech)?;
+        let hashlen = hash::hash_size(hash);
+        let blocklen = hash::block_size(hash);
         let mut hmac = HMACOperation {
             mech: mech,
             key: key,
-            hash: hmac_mech_to_hash_mech(mech)?,
-            hashlen: 0usize,
-            blocklen: 0usize,
+            hash: hash,
+            hashlen: hashlen,
+            blocklen: blocklen,
             outputlen: outputlen,
-            state: Vec::new(),
-            ipad: Vec::new(),
-            opad: Vec::new(),
+            state: [0u8; MAX_BSZ],
+            ipad: IPAD_INIT,
+            opad: OPAD_INIT,
             inner: Operation::Empty,
             finalized: false,
             in_use: false,
@@ -66,41 +75,35 @@ impl HMACOperation {
         /* The hash mechanism is unimportant here,
          * what matters is the psecdef algorithm */
         let hashop = hash::internal_hash_op(self.hash)?;
-        self.hashlen = hash::hash_size(self.hash);
-        self.blocklen = hash::block_size(self.hash);
         self.inner = Operation::Digest(hashop);
 
         /* K0 */
         if self.key.raw.len() <= self.blocklen {
-            self.state.extend_from_slice(self.key.raw.as_slice());
+            self.state[0..self.key.raw.len()]
+                .copy_from_slice(self.key.raw.as_slice());
         } else {
-            self.state.resize(self.hashlen, 0);
             match &mut self.inner {
                 Operation::Digest(op) => op.digest(
                     self.key.raw.as_slice(),
-                    self.state.as_mut_slice(),
+                    &mut self.state[..self.hashlen],
                 )?,
                 _ => return Err(CKR_GENERAL_ERROR)?,
             }
         }
-        self.state.resize(self.blocklen, 0);
-        /* K0 ^ ipad */
-        self.ipad.resize(self.blocklen, 0x36);
-        self.ipad
-            .iter_mut()
-            .zip(self.state.iter())
-            .for_each(|(i1, i2)| *i1 ^= *i2);
-        /* K0 ^ opad */
-        self.opad.resize(self.blocklen, 0x5c);
-        self.opad
-            .iter_mut()
-            .zip(self.state.iter())
-            .for_each(|(i1, i2)| *i1 ^= *i2);
+        let ipad = &mut self.ipad[..self.blocklen];
+        let opad = &mut self.opad[..self.blocklen];
+        let state = &self.state[..self.blocklen];
+        for i in 0..self.blocklen {
+            /* K0 ^ ipad */
+            ipad[i] ^= state[i];
+            /* K0 ^ opad */
+            opad[i] ^= state[i];
+        }
         /* H((K0 ^ ipad) || .. ) */
         match &mut self.inner {
             Operation::Digest(op) => {
                 op.reset()?;
-                op.digest_update(self.ipad.as_slice())?;
+                op.digest_update(ipad)?;
             }
             _ => return Err(CKR_GENERAL_ERROR)?,
         }
@@ -143,21 +146,20 @@ impl HMACOperation {
             return Err(CKR_GENERAL_ERROR)?;
         }
 
-        self.state.resize(self.hashlen, 0);
         /* state = H((K0 ^ ipad) || text) */
         match &mut self.inner {
             Operation::Digest(op) => {
-                op.digest_final(self.state.as_mut_slice())?;
+                op.digest_final(&mut self.state[..self.hashlen])?;
             }
             _ => return Err(CKR_GENERAL_ERROR)?,
         }
         /* state = H((K0 ^ opad) || H((K0 ^ ipad) || text)) */
         match &mut self.inner {
             Operation::Digest(op) => {
                 op.reset()?;
-                op.digest_update(self.opad.as_slice())?;
-                op.digest_update(self.state.as_slice())?;
-                op.digest_final(self.state.as_mut_slice())?;
+                op.digest_update(&self.opad[..self.blocklen])?;
+                op.digest_update(&self.state[..self.hashlen])?;
+                op.digest_final(&mut self.state[..self.hashlen])?;
             }
             _ => return Err(CKR_GENERAL_ERROR)?,
         }
@@ -167,11 +169,9 @@ impl HMACOperation {
     }
 
     fn reinit(&mut self) -> Result<()> {
-        self.hashlen = 0;
-        self.blocklen = 0;
-        self.state = Vec::new();
-        self.ipad = Vec::new();
-        self.opad = Vec::new();
+        zeromem(&mut self.state);
+        self.ipad.copy_from_slice(&IPAD_INIT);
+        self.opad.copy_from_slice(&OPAD_INIT);
         self.inner = Operation::Empty;
         self.finalized = false;
         self.in_use = false;

src/object.rs

@@ -8,12 +8,12 @@ use crate::attribute::{AttrType, Attribute};
 use crate::error::{Error, Result};
 use crate::interface::*;
 use crate::mechanism::{Mechanism, Mechanisms};
+use crate::misc::zeromem;
 use crate::CSPRNG;
 
 use bitflags::bitflags;
 use once_cell::sync::Lazy;
 use uuid::Uuid;
-use zeroize::Zeroize;
 
 macro_rules! create_bool_checker {
     (make $name:ident; from $id:expr; def $def:expr) => {
@@ -1032,7 +1032,7 @@ macro_rules! ok_or_clear {
         match $exp {
             Ok(x) => x,
             Err(e) => {
-                $clear.zeroize();
+                zeromem($clear.as_mut_slice());
                 return Err(e);
             }
         }