Preserve NonZero and Odd invariants on zeroize#1287
Conversation
NonZero and Odd wrappers implemented Zeroize by zeroizing their inner values directly. That can leave a live wrapper containing zero or an even value, violating the wrapper invariant after a safe method call. After zeroizing the inner storage, restore a one-like sentinel value so the wrapper remains valid. This mirrors zeroize's behavior for core NonZero integer types, and preserves boxed integer precision via One::one_like. Co-authored-by: GPT 5.5 <gpt-5.5@openai.com>
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #1287 +/- ##
==========================================
+ Coverage 91.01% 91.05% +0.03%
==========================================
Files 189 189
Lines 22160 22185 +25
==========================================
+ Hits 20169 20200 +31
+ Misses 1991 1985 -6 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
| impl<T: zeroize::Zeroize + One> zeroize::Zeroize for NonZero<T> { | ||
| fn zeroize(&mut self) { | ||
| self.0.zeroize(); | ||
| self.0 = T::one_like(&self.0); |
There was a problem hiding this comment.
In the case of a NonZero<BoxedUint>, this actually leaves the original value in memory and creates a new allocation (unless the compiler optimizes it away, but we can't assume that). It might be best to zeroize the internal value, then use One::set_one to restore an acceptable state. Either way I think the modified bounds on the implementation make this a breaking change that would need to go into a future minor version.
There was a problem hiding this comment.
Hmm, maybe we can either actually make a proper breaking v0.8 release (I'd like to seal Encoding for #1266 as well), or I can make some extra-last-minute tiny breaking changes to v0.7 and yank the previous releases.
Within @RustCrypto we haven't cut any releases of anything that would preclude a v0.8.
3 participants
Preserve
NonZeroandOddwrapper invariants afterzeroize().The current
Zeroizeimpls zeroize the wrapped value directly. ForNonZero<T>andOdd<T>, that can leave a live wrapper containing zero or an even value after a safe method call, violating the wrapper's type invariant.This changes the impls to zeroize the inner storage and then restore a one-like sentinel value. That keeps the wrapper valid after zeroization, mirrors the
zeroizecrate's behavior for coreNonZero*integer types, and preserves boxed integer precision throughOne::one_like.The tests cover stack and boxed
NonZero/Oddvalues, including boxed precision preservation after zeroization.This work was completed by Trail of Bits as part of the Patch The Planet project in collaboration with OpenAI. The vulnerability was identified primarily by the Codex coding agent, and manually reviewed before submission.