diff --git a/zerotier-core-crypto/src/salsa.rs b/zerotier-core-crypto/src/salsa.rs
index b0a7ace8e..a0c0fc094 100644
--- a/zerotier-core-crypto/src/salsa.rs
+++ b/zerotier-core-crypto/src/salsa.rs
@@ -51,8 +51,24 @@ impl Salsa {
 }
 pub fn crypt(&mut self, mut plaintext: &[u8], mut ciphertext: &mut [u8]) {
- let (j0, j1, j2, j3, j4, j5, j6, j7, mut j8, mut j9, j10, j11, j12, j13, j14, j15) =
- (self.state[0], self.state[1], self.state[2], self.state[3], self.state[4], self.state[5], self.state[6], self.state[7], self.state[8], self.state[9], self.state[10], self.state[11], self.state[12], self.state[13], self.state[14], self.state[15]);
+ let (j0, j1, j2, j3, j4, j5, j6, j7, mut j8, mut j9, j10, j11, j12, j13, j14, j15) = (
+ self.state[0],
+ self.state[1],
+ self.state[2],
+ self.state[3],
+ self.state[4],
+ self.state[5],
+ self.state[6],
+ self.state[7],
+ self.state[8],
+ self.state[9],
+ self.state[10],
+ self.state[11],
+ self.state[12],
+ self.state[13],
+ self.state[14],
+ self.state[15],
+ );
 loop {
 let (mut x0, mut x1, mut x2, mut x3, mut x4, mut x5, mut x6, mut x7, mut x8, mut x9, mut x10, mut x11, mut x12, mut x13, mut x14, mut x15) = (j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15);
diff --git a/zerotier-core-crypto/src/secret.rs b/zerotier-core-crypto/src/secret.rs
index 787fd931e..2813fe818 100644
--- a/zerotier-core-crypto/src/secret.rs
+++ b/zerotier-core-crypto/src/secret.rs
@@ -6,8 +6,12 @@
 * https://www.zerotier.com/
 */
+use std::ffi::c_void;
 use std::mem::MaybeUninit;
-use std::ptr::write_volatile;
+
+extern "C" {
+ fn OPENSSL_cleanse(ptr: *mut c_void, len: usize);
+}
 /// Container for secrets that clears them on drop.
 ///
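Review bot: The new `extern "C"` block declares `OPENSSL_cleanse` with no doc comment and no `#[link(name = "crypto")]` attribute, so nothing in this file records which library provides the symbol or that a declaration that drifts from the C prototype would make every call undefined behaviour; where the link against libcrypto is configured is not visible in this diff. The declared signature does match OpenSSL's `void OPENSSL_cleanse(void *ptr, size_t len)`. I would put above the block: `// Provided by libcrypto (OpenSSL); this declaration must stay identical to the C prototype, otherwise the FFI call in Drop for Secret is UB.` Removing `use std::ptr::write_volatile` is consistent with the rewritten Drop impl in the next hunk.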
@@ -49,12 +53,10 @@ impl Secret {
 }
 impl Drop for Secret {
+ #[inline(always)]
 fn drop(&mut self) {
- unsafe {
- for i in 0..L {
- write_volatile(self.0.as_mut_ptr().add(i), 0_u8);
- }
- }
+ unsafe { OPENSSL_cleanse(self.0.as_mut_ptr().cast(), L) };
+ std::sync::atomic::fence(std::sync::atomic::Ordering::SeqCst);
 }
 }
diff --git a/zerotier-network-hypervisor/src/util/mod.rs b/zerotier-network-hypervisor/src/util/mod.rs
index c1822346d..dd9a5763c 100644
--- a/zerotier-network-hypervisor/src/util/mod.rs
+++ b/zerotier-network-hypervisor/src/util/mod.rs
@@ -23,16 +23,6 @@ pub(crate) fn byte_array_range()
 }
 }
-/// Non-cryptographic 64-bit bit mixer for things like local hashing.
-#[inline(always)]
-pub(crate) fn hash64_noncrypt(mut x: u64) -> u64 {
- x ^= x.wrapping_shr(30);
- x = x.wrapping_mul(0xbf58476d1ce4e5b9);
- x ^= x.wrapping_shr(27);
- x = x.wrapping_mul(0x94d049bb133111eb);
- x ^ x.wrapping_shr(31)
-}
-
 /// A super-minimal hasher for u64 keys for keys already fairly randomly distributed like addresses and network IDs.
 #[derive(Copy, Clone)]
 pub(crate) struct U64NoOpHasher(u64);
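Review bot: The `unsafe { OPENSSL_cleanse(self.0.as_mut_ptr().cast(), L) }` call in `drop` has no `// SAFETY:` comment stating why the pointer/length pair is in bounds, and the `fence(SeqCst)` on the following line has no comment saying what it is meant to guarantee. A call into an opaque foreign function is not something the Rust compiler can ordinarily drop as a dead store, so the fence adds nothing for that purpose; if it is there for another reason, that reason belongs in a comment, otherwise the line is dead weight. I would add above the call `// SAFETY: self.0 is a live [u8; L] for the whole of drop(), so the pointer and L bytes are in bounds for OPENSSL_cleanse.` — presuming `self.0` really is `[u8; L]` (the removed per-byte loop over `0..L` suggests so, but the field's declaration is outside the hunk). Correctness of the wipe now rests on libcrypto's implementation instead of `write_volatile`, which is worth a one-line comment on the impl so a later reader does not "simplify" it back to a plain `memset`.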