Make Zeroization Optional (#592)

* introduce feature zeroize

* use zeroize_wrap macro

* implement feedback from PR

* ci: Add zeroize-only featureset test

* Fix compiler warnings for unused imports and needless mut assignments

---------

Co-authored-by: brycx <brycx@protonmail.com>

Author: achimcc

.github/workflows/test.yml

@@ -60,6 +60,12 @@ jobs:
       - name: Test debug-mode, no-default + serde feature (enables alloc)
         run: cargo test --no-default-features --features serde --tests
 
+      - name: Test debug-mode, no-default + safe_api (without zeroize)
+        run: cargo test --no-default-features --features safe_api --tests
+      
+      - name: Test debug-mode, no-default + zeroize (zeroize-only)
+        run: cargo test --no-default-features --features zeroize --tests
+
       - name: Test release-mode, default features
         run: cargo test --release
 
@@ -75,6 +81,12 @@ jobs:
       - name: Test release-mode, no-default + serde feature (enables alloc)
         run: cargo test --release --no-default-features --features serde --tests
 
+      - name: Test release-mode, no-default + safe_api (without zeroize)
+        run: cargo test --release --no-default-features --features safe_api --tests
+      
+      - name: Test release-mode, no-default + zeroize (zeroize-only)
+        run: cargo test --release --no-default-features --features zeroize --tests
+
   sanitizers:
     name: Tests w. sanitizers
     runs-on: ubuntu-latest

Cargo.toml

@@ -6,7 +6,7 @@ description = "Usable, easy and safe pure-Rust crypto"
 keywords = ["cryptography", "crypto", "aead", "pqc", "kem"]
 categories = ["cryptography", "no-std"]
 edition = "2021"
-rust-version = "1.86"                                        # Update CI (MSRV) test + README along with this.
+rust-version = "1.86"                                       # Update CI (MSRV) test + README along with this.
 readme = "README.md"
 repository = "https://github.com/orion-rs/orion"
 documentation = "https://docs.rs/orion"
@@ -15,7 +15,7 @@ exclude = [".gitignore", ".travis.yml", "tests/*"]
 
 [dependencies]
 subtle = { version = "^2.2.2", default-features = false }
-zeroize = { version = "1.1.0", default-features = false }
+zeroize = { version = "1.1.0", optional = true, default-features = false }
 fiat-crypto = { version = "0.3.0", default-features = false }
 getrandom = { version = "0.3.0", optional = true }
 ct-codecs = { version = "1.1.1", optional = true }
@@ -27,8 +27,9 @@ default-features = false
 features = ["alloc"]
 
 [features]
-default = ["safe_api"]
-safe_api = ["getrandom", "ct-codecs"]
+default = ["safe_api", "zeroize"]
+zeroize = ["dep:zeroize"]
+safe_api = ["getrandom", "ct-codecs", "zeroize?/alloc"]
 alloc = []
 serde = ["dep:serde", "alloc"]
 experimental = []

src/hazardous/aead/chacha20poly1305.rs

@@ -111,6 +111,7 @@
 //! [`C_MAX`]: chacha20poly1305::C_MAX
 
 pub use crate::hazardous::stream::chacha20::{Nonce, SecretKey};
+use crate::ZeroizeWrap;
 use crate::{
     errors::UnknownCryptoError,
     hazardous::{
@@ -120,7 +121,6 @@ use crate::{
     util,
 };
 use core::convert::TryInto;
-use zeroize::Zeroizing;
 
 /// The initial counter used for encryption and decryption.
 pub(crate) const ENC_CTR: u32 = 1;
@@ -140,7 +140,7 @@ pub const A_MAX: u64 = u64::MAX;
 /// Poly1305 key generation using IETF ChaCha20.
 pub(crate) fn poly1305_key_gen(
     ctx: &mut ChaCha20,
-    tmp_buffer: &mut Zeroizing<[u8; CHACHA_BLOCKSIZE]>,
+    tmp_buffer: &mut ZeroizeWrap<[u8; CHACHA_BLOCKSIZE]>,
 ) -> OneTimeKey {
     ctx.keystream_block(AUTH_CTR, tmp_buffer.as_mut());
     OneTimeKey::from_slice(&tmp_buffer[..POLY1305_KEYSIZE]).unwrap()
@@ -196,7 +196,7 @@ pub fn seal(
 
     let mut stream =
         ChaCha20::new(secret_key.unprotected_as_bytes(), nonce.as_ref(), true).unwrap();
-    let mut tmp = Zeroizing::new([0u8; CHACHA_BLOCKSIZE]);
+    let mut tmp = zeroize_wrap!([0u8; CHACHA_BLOCKSIZE]);
 
     let mut auth_ctx = Poly1305::new(&poly1305_key_gen(&mut stream, &mut tmp));
     let ad_len = ad.len();
@@ -285,7 +285,7 @@ pub fn open(
 
     let mut dec_ctx =
         ChaCha20::new(secret_key.unprotected_as_bytes(), nonce.as_ref(), true).unwrap();
-    let mut tmp = Zeroizing::new([0u8; CHACHA_BLOCKSIZE]);
+    let mut tmp = zeroize_wrap!([0u8; CHACHA_BLOCKSIZE]);
     let mut auth_ctx = Poly1305::new(&poly1305_key_gen(&mut dec_ctx, &mut tmp));
 
     let ciphertext_len = ciphertext_with_tag.len() - POLY1305_OUTSIZE;
@@ -355,7 +355,7 @@ mod test_vectors {
 
         let mut chacha20_ctx =
             ChaCha20::new(key.unprotected_as_bytes(), nonce.as_ref(), true).unwrap();
-        let mut tmp_block = Zeroizing::new([0u8; CHACHA_BLOCKSIZE]);
+        let mut tmp_block = zeroize_wrap!([0u8; CHACHA_BLOCKSIZE]);
 
         assert_eq!(
             poly1305_key_gen(&mut chacha20_ctx, &mut tmp_block).unprotected_as_bytes(),
@@ -383,7 +383,7 @@ mod test_vectors {
 
         let mut chacha20_ctx =
             ChaCha20::new(key.unprotected_as_bytes(), nonce.as_ref(), true).unwrap();
-        let mut tmp_block = Zeroizing::new([0u8; CHACHA_BLOCKSIZE]);
+        let mut tmp_block = zeroize_wrap!([0u8; CHACHA_BLOCKSIZE]);
 
         assert_eq!(
             poly1305_key_gen(&mut chacha20_ctx, &mut tmp_block).unprotected_as_bytes(),
@@ -411,7 +411,7 @@ mod test_vectors {
 
         let mut chacha20_ctx =
             ChaCha20::new(key.unprotected_as_bytes(), nonce.as_ref(), true).unwrap();
-        let mut tmp_block = Zeroizing::new([0u8; CHACHA_BLOCKSIZE]);
+        let mut tmp_block = zeroize_wrap!([0u8; CHACHA_BLOCKSIZE]);
 
         assert_eq!(
             poly1305_key_gen(&mut chacha20_ctx, &mut tmp_block).unprotected_as_bytes(),

src/hazardous/aead/streaming.rs

@@ -114,7 +114,6 @@ use crate::hazardous::stream::xchacha20::subkey_and_nonce;
 pub use crate::hazardous::stream::xchacha20::Nonce;
 use core::convert::TryFrom;
 use subtle::ConstantTimeEq;
-use zeroize::{Zeroize, Zeroizing};
 
 #[derive(Debug, Clone, Copy)]
 /// Tag that indicates the type of message.
@@ -233,7 +232,7 @@ impl StreamXChaCha20Poly1305 {
             true,
         )
         .unwrap();
-        let mut tmp_block = Zeroizing::new([0u8; CHACHA_BLOCKSIZE]);
+        let mut tmp_block = zeroize_wrap!([0u8; CHACHA_BLOCKSIZE]);
 
         let mut pad = [0u8; 16];
         let mut poly = Poly1305::new(&poly1305_key_gen(&mut chacha20_ctx, &mut tmp_block));
@@ -297,7 +296,7 @@ impl StreamXChaCha20Poly1305 {
         self.inonce
             .copy_from_slice(&new_key_and_inonce[CHACHA_KEYSIZE..]);
         self.counter = 1;
-        new_key_and_inonce.zeroize();
+        zeroize_call!(new_key_and_inonce);
 
         Ok(())
     }

src/hazardous/cae/chacha20poly1305blake2b.rs

@@ -126,7 +126,6 @@ use crate::hazardous::mac::poly1305::Poly1305;
 use crate::hazardous::mac::poly1305::POLY1305_OUTSIZE;
 use crate::hazardous::stream::chacha20::{self, ChaCha20, CHACHA_BLOCKSIZE};
 use crate::util;
-use zeroize::Zeroizing;
 
 pub use crate::hazardous::aead::chacha20poly1305::A_MAX;
 pub use crate::hazardous::aead::chacha20poly1305::P_MAX;
@@ -217,7 +216,7 @@ pub fn open(
 
     let mut dec_ctx =
         ChaCha20::new(secret_key.unprotected_as_bytes(), nonce.as_ref(), true).unwrap();
-    let mut tmp = Zeroizing::new([0u8; CHACHA_BLOCKSIZE]);
+    let mut tmp = zeroize_wrap!([0u8; CHACHA_BLOCKSIZE]);
     let mut auth_ctx = Poly1305::new(&poly1305_key_gen(&mut dec_ctx, &mut tmp));
 
     let ciphertext_len = ciphertext_with_tag.len() - TAG_SIZE;

src/hazardous/cae/xchacha20poly1305blake2b.rs

@@ -118,7 +118,6 @@ use crate::hazardous::stream::chacha20::{self, ChaCha20, CHACHA_BLOCKSIZE};
 use crate::hazardous::stream::xchacha20::subkey_and_nonce;
 pub use crate::hazardous::stream::{chacha20::SecretKey, xchacha20::Nonce};
 use crate::util;
-use zeroize::Zeroizing;
 
 #[must_use = "SECURITY WARNING: Ignoring a Result can have real security implications."]
 /// CTX XChaCha20Poly1305 with BLAKE2b-256.
@@ -201,7 +200,7 @@ pub fn open(
     let (subkey, ietf_nonce) = subkey_and_nonce(secret_key, nonce);
     let mut dec_ctx =
         ChaCha20::new(subkey.unprotected_as_bytes(), ietf_nonce.as_ref(), true).unwrap();
-    let mut tmp = Zeroizing::new([0u8; CHACHA_BLOCKSIZE]);
+    let mut tmp = zeroize_wrap!([0u8; CHACHA_BLOCKSIZE]);
     let mut auth_ctx = Poly1305::new(&poly1305_key_gen(&mut dec_ctx, &mut tmp));
 
     let ciphertext_len = ciphertext_with_tag.len() - TAG_SIZE;

src/hazardous/ecc/x25519.rs

@@ -301,6 +301,7 @@ impl FieldElement {
 /// Represents a Scalar decoded from a byte array.
 struct Scalar([u8; PRIVATE_KEY_SIZE]);
 
+#[cfg(feature = "zeroize")]
 impl Drop for Scalar {
     fn drop(&mut self) {
         use zeroize::Zeroize;

src/hazardous/hash/blake2/mod.rs

@@ -128,6 +128,7 @@ pub(crate) mod blake2b_core {
         pub(crate) size: usize,
     }
 
+    #[cfg(feature = "zeroize")]
     impl Drop for State {
         fn drop(&mut self) {
             use zeroize::Zeroize;

src/hazardous/hash/sha2/mod.rs

@@ -34,8 +34,19 @@ pub(crate) mod sha2_core {
     use core::fmt::Debug;
     use core::marker::PhantomData;
     use core::ops::*;
+    #[cfg(feature = "zeroize")]
     use zeroize::Zeroize;
 
+    #[cfg(feature = "zeroize")]
+    pub(crate) trait MaybeZeroize: Zeroize {}
+    #[cfg(feature = "zeroize")]
+    impl<T: Zeroize> MaybeZeroize for T {}
+
+    #[cfg(not(feature = "zeroize"))]
+    pub(crate) trait MaybeZeroize {}
+    #[cfg(not(feature = "zeroize"))]
+    impl<T> MaybeZeroize for T {}
+
     /// Word used within the SHA2 internal state.
     pub(crate) trait Word:
         Sized
@@ -49,7 +60,7 @@ pub(crate) mod sha2_core {
         + Copy
         + Debug
         + PartialEq<Self>
-        + Zeroize
+        + MaybeZeroize
     {
         #[cfg(any(debug_assertions, test))]
         const MAX: Self;
@@ -136,6 +147,7 @@ pub(crate) mod sha2_core {
         pub(crate) is_finalized: bool,
     }
 
+    #[cfg(feature = "zeroize")]
     impl<
             W: Word,
             T: Variant<W, { N_CONSTS }>,
@@ -411,11 +423,13 @@ pub(crate) mod sha2_core {
 pub(crate) mod w32 {
     use core::convert::{From, TryFrom, TryInto};
     use core::ops::*;
+    #[cfg(feature = "zeroize")]
     use zeroize::Zeroize;
 
     #[derive(Debug, PartialEq, Copy, Clone, Default)]
     pub(crate) struct WordU32(pub(crate) u32);
 
+    #[cfg(feature = "zeroize")]
     impl Zeroize for WordU32 {
         fn zeroize(&mut self) {
             self.0.zeroize();
@@ -554,11 +568,13 @@ pub(crate) mod w32 {
 pub(crate) mod w64 {
     use core::convert::{From, TryFrom, TryInto};
     use core::ops::*;
+    #[cfg(feature = "zeroize")]
     use zeroize::Zeroize;
 
     #[derive(Debug, PartialEq, Copy, Clone, Default)]
     pub(crate) struct WordU64(pub(crate) u64);
 
+    #[cfg(feature = "zeroize")]
     impl Zeroize for WordU64 {
         fn zeroize(&mut self) {
             self.0.zeroize();

src/hazardous/hash/sha3/mod.rs

@@ -40,6 +40,7 @@ pub mod shake256;
 
 use crate::errors::UnknownCryptoError;
 use core::fmt::Debug;
+#[cfg(feature = "zeroize")]
 use zeroize::Zeroize;
 
 /// Round constants. See NIST intermediate test vectors for source.
@@ -401,6 +402,7 @@ pub(crate) struct Sha3<const RATE: usize> {
     is_finalized: bool,
 }
 
+#[cfg(feature = "zeroize")]
 impl<const RATE: usize> Drop for Sha3<RATE> {
     fn drop(&mut self) {
         self.state.iter_mut().zeroize();
@@ -597,6 +599,7 @@ pub(crate) struct Shake<const RATE: usize> {
     is_finalized: bool,
 }
 
+#[cfg(feature = "zeroize")]
 impl<const RATE: usize> Drop for Shake<RATE> {
     fn drop(&mut self) {
         self.state.iter_mut().zeroize();