diff options
Diffstat (limited to 'vendor/zeroize/src/lib.rs')
-rw-r--r-- | vendor/zeroize/src/lib.rs | 98 |
1 files changed, 42 insertions, 56 deletions
diff --git a/vendor/zeroize/src/lib.rs b/vendor/zeroize/src/lib.rs index 4e0065788..b67b5c95d 100644 --- a/vendor/zeroize/src/lib.rs +++ b/vendor/zeroize/src/lib.rs @@ -30,7 +30,7 @@ //! //! ## Minimum Supported Rust Version //! -//! Requires Rust **1.51** or newer. +//! Requires Rust **1.60** or newer. //! //! In the future, we reserve the right to change MSRV (i.e. MSRV is out-of-scope //! for this crate's SemVer guarantees), however when we do it will be accompanied @@ -263,10 +263,7 @@ use core::{ }; #[cfg(feature = "alloc")] -use { - alloc::{boxed::Box, string::String, vec::Vec}, - core::slice, -}; +use alloc::{boxed::Box, string::String, vec::Vec}; #[cfg(feature = "std")] use std::ffi::CString; @@ -315,18 +312,28 @@ macro_rules! impl_zeroize_with_default { #[rustfmt::skip] impl_zeroize_with_default! { - bool, char, + PhantomPinned, (), bool, char, f32, f64, i8, i16, i32, i64, i128, isize, u8, u16, u32, u64, u128, usize } +/// `PhantomPinned` is zero sized so provide a ZeroizeOnDrop implementation. +impl ZeroizeOnDrop for PhantomPinned {} + +/// `()` is zero sized so provide a ZeroizeOnDrop implementation. +impl ZeroizeOnDrop for () {} + macro_rules! impl_zeroize_for_non_zero { ($($type:ty),+) => { $( impl Zeroize for $type { fn zeroize(&mut self) { - volatile_write(self, unsafe { <$type>::new_unchecked(1) }); + const ONE: $type = match <$type>::new(1) { + Some(one) => one, + None => unreachable!(), + }; + volatile_write(self, ONE); atomic_fence(); } } @@ -371,7 +378,7 @@ where /// Impl [`ZeroizeOnDrop`] on arrays of types that impl [`ZeroizeOnDrop`]. impl<Z, const N: usize> ZeroizeOnDrop for [Z; N] where Z: ZeroizeOnDrop {} -impl<'a, Z> Zeroize for IterMut<'a, Z> +impl<Z> Zeroize for IterMut<'_, Z> where Z: Zeroize, { @@ -405,18 +412,18 @@ where // The memory pointed to by `self` is valid for `mem::size_of::<Self>()` bytes. // It is also properly aligned, because `u8` has an alignment of `1`. unsafe { - volatile_set(self as *mut _ as *mut u8, 0, mem::size_of::<Self>()); + volatile_set((self as *mut Self).cast::<u8>(), 0, mem::size_of::<Self>()); } - // Ensures self is overwritten with the default bit pattern. volatile_write can't be + // Ensures self is overwritten with the `None` bit pattern. volatile_write can't be // used because Option<Z> is not copy. // // Safety: // - // self is safe to replace with the default, which the take() call above should have + // self is safe to replace with `None`, which the take() call above should have // already done semantically. Any value which needed to be dropped will have been // done so by take(). - unsafe { ptr::write_volatile(self, Option::default()) } + unsafe { ptr::write_volatile(self, None) } atomic_fence(); } @@ -424,6 +431,20 @@ where impl<Z> ZeroizeOnDrop for Option<Z> where Z: ZeroizeOnDrop {} +/// Impl [`Zeroize`] on [`MaybeUninit`] types. +/// +/// This fills the memory with zeroes. +/// Note that this ignore invariants that `Z` might have, because +/// [`MaybeUninit`] removes all invariants. +impl<Z> Zeroize for MaybeUninit<Z> { + fn zeroize(&mut self) { + // Safety: + // `MaybeUninit` is valid for any byte pattern, including zeros. + unsafe { ptr::write_volatile(self, MaybeUninit::zeroed()) } + atomic_fence(); + } +} + /// Impl [`Zeroize`] on slices of [`MaybeUninit`] types. /// /// This impl can eventually be optimized using an memset intrinsic, @@ -435,7 +456,7 @@ impl<Z> ZeroizeOnDrop for Option<Z> where Z: ZeroizeOnDrop {} /// [`MaybeUninit`] removes all invariants. impl<Z> Zeroize for [MaybeUninit<Z>] { fn zeroize(&mut self) { - let ptr = self.as_mut_ptr() as *mut MaybeUninit<u8>; + let ptr = self.as_mut_ptr().cast::<MaybeUninit<u8>>(); let size = self.len().checked_mul(mem::size_of::<Z>()).unwrap(); assert!(size <= isize::MAX as usize); @@ -445,7 +466,7 @@ impl<Z> Zeroize for [MaybeUninit<Z>] { // and it is backed by a single allocated object for at least `self.len() * size_pf::<Z>()` bytes. // and 0 is a valid value for `MaybeUninit<Z>` // The memory of the slice should not wrap around the address space. - unsafe { volatile_set(ptr, MaybeUninit::new(0), size) } + unsafe { volatile_set(ptr, MaybeUninit::zeroed(), size) } atomic_fence(); } } @@ -492,47 +513,22 @@ impl<Z> Zeroize for PhantomData<Z> { /// [`PhantomData` is always zero sized so provide a ZeroizeOnDrop implementation. impl<Z> ZeroizeOnDrop for PhantomData<Z> {} -/// `PhantomPinned` is zero sized so provide a Zeroize implementation. -impl Zeroize for PhantomPinned { - fn zeroize(&mut self) {} -} - -/// `PhantomPinned` is zero sized so provide a ZeroizeOnDrop implementation. -impl ZeroizeOnDrop for PhantomPinned {} - -/// `()` is zero sized so provide a Zeroize implementation. -impl Zeroize for () { - fn zeroize(&mut self) {} -} - -/// `()` is zero sized so provide a ZeroizeOnDrop implementation. -impl ZeroizeOnDrop for () {} - -/// Generic implementation of Zeroize for tuples up to 10 parameters. -impl<A: Zeroize> Zeroize for (A,) { - fn zeroize(&mut self) { - self.0.zeroize(); - } -} - -/// Generic implementation of ZeroizeOnDrop for tuples up to 10 parameters. -impl<A: ZeroizeOnDrop> ZeroizeOnDrop for (A,) {} - macro_rules! impl_zeroize_tuple { ( $( $type_name:ident ),+ ) => { - impl<$($type_name: Zeroize),+> Zeroize for ($($type_name),+) { + impl<$($type_name: Zeroize),+> Zeroize for ($($type_name,)+) { fn zeroize(&mut self) { #[allow(non_snake_case)] - let ($($type_name),+) = self; + let ($($type_name,)+) = self; $($type_name.zeroize());+ } } - impl<$($type_name: ZeroizeOnDrop),+> ZeroizeOnDrop for ($($type_name),+) { } + impl<$($type_name: ZeroizeOnDrop),+> ZeroizeOnDrop for ($($type_name,)+) { } } } // Generic implementations for tuples up to 10 parameters. +impl_zeroize_tuple!(A); impl_zeroize_tuple!(A, B); impl_zeroize_tuple!(A, B, C); impl_zeroize_tuple!(A, B, C, D); @@ -561,17 +557,7 @@ where self.clear(); // Zero the full capacity of `Vec`. - // Safety: - // - // This is safe, because `Vec` never allocates more than `isize::MAX` bytes. - // This exact use case is even mentioned in the documentation of `pointer::add`. - // This is safe because MaybeUninit ignores all invariants, - // so we can create a slice of MaybeUninit<Z> using the full capacity of the Vec - let uninit_slice = unsafe { - slice::from_raw_parts_mut(self.as_mut_ptr() as *mut MaybeUninit<Z>, self.capacity()) - }; - - uninit_slice.zeroize(); + self.spare_capacity_mut().zeroize(); } } @@ -621,11 +607,11 @@ impl Zeroize for CString { // contain a trailing zero byte let this = mem::take(self); - // - CString::into_bytes calls ::into_vec which takes ownership of the heap pointer + // - CString::into_bytes_with_nul calls ::into_vec which takes ownership of the heap pointer // as a Vec<u8> // - Calling .zeroize() on the resulting vector clears out the bytes // From: https://github.com/RustCrypto/utils/pull/759#issuecomment-1087976570 - let mut buf = this.into_bytes(); + let mut buf = this.into_bytes_with_nul(); buf.zeroize(); // expect() should never fail, because zeroize() truncates the Vec |