fixup! feat(crypto): implement hashing to curve

trezor · Sep 22, 2023 · f89b889 · f89b889
1 parent d4e8d2a
commit f89b889
Showing 1 changed file with 21 additions and 7 deletions.
diff --git a/crypto/hash_to_curve.c b/crypto/hash_to_curve.c
@@ -19,13 +19,13 @@
  */
 #include <assert.h>
 #include <stdint.h>
+#include <string.h>
 
 #include "bignum.h"
 #include "ecdsa.h"
 #include "memzero.h"
 #include "nist256p1.h"
 #include "sha2.h"
-#include "string.h"
 
 #include "hash_to_curve.h"
 
@@ -45,25 +45,30 @@ static bool hash_to_field(const uint8_t *msg, size_t msg_len,
 
   const size_t expanded_msg_length = out_len * expansion_len;
   uint8_t expanded_msg[expanded_msg_length];
-  memset(expanded_msg, 0, sizeof(expanded_msg));
+  memzero(expanded_msg, sizeof(expanded_msg));
 
   if (!expand(msg, msg_len, dst, dst_len, expanded_msg, expanded_msg_length)) {
     return false;
   }
 
+  uint8_t raw_number[max_expansion_len];
+  memzero(raw_number, sizeof(raw_number));
+  bignum512 bn_number = {0};
+
   for (size_t i = 0; i < out_len; i++) {
-    uint8_t raw_number[max_expansion_len];
-    memset(raw_number, 0, sizeof(raw_number));
     memcpy(raw_number + (max_expansion_len - expansion_len),
            expanded_msg + i * expansion_len, expansion_len);
 
-    bignum512 bn_number = {0};
     bn_read_be_512(raw_number, &bn_number);
     bn_reduce(&bn_number, prime);
     bn_copy_lower(&bn_number, &out[i]);
     bn_mod(&out[i], prime);
   }
 
+  memzero(expanded_msg, sizeof(expanded_msg));
+  memzero(raw_number, sizeof(raw_number));
+  memzero(&bn_number, sizeof(bn_number));
+
   return true;
 }
 
@@ -260,21 +265,26 @@ static bool hash_to_curve(const uint8_t *msg, size_t msg_len,
 
   if (!simple_swu(&u[0], &bn_a, &curve->b, &curve->prime, &bn_z, sign_function,
                   &point1)) {
-    memset(u, 0, sizeof(u));
+    memzero(&u[0], sizeof(u[0]));
     return false;
   }
+  memzero(&u[0], sizeof(u[0]));
 
   if (!simple_swu(&u[1], &bn_a, &curve->b, &curve->prime, &bn_z, sign_function,
                   &point2)) {
-    memset(u, 0, sizeof(u));
+    memzero(&u[1], sizeof(u[1]));
     return false;
   }
+  memzero(&u[1], sizeof(u[1]));
 
   point_add(curve, &point1, &point2);
 
   point->x = point2.x;
   point->y = point2.y;
 
+  memzero(&point1, sizeof(point1));
+  memzero(&point2, sizeof(point2));
+
   return true;
 }
 
@@ -366,6 +376,10 @@ bool expand_message_xmd_sha256(const uint8_t *msg, size_t msg_len,
     i++;
   }
 
+  memzero(&ctx, sizeof(ctx));
+  memzero(first_digest, sizeof(first_digest));
+  memzero(current_digest, sizeof(current_digest));
+
   return true;
 }