elliptic-curve: fix Zeroize impl on NonZeroScalar (#785)

The previous impl wrote `0`, which violates `NonZeroScalar`'s invariant that the inner scalar value must be non-zero. This commit changes the impl to write `1` instead.
RustCrypto · Oct 9, 2021 · 97fe329 · 97fe329
1 parent e2dd075
commit 97fe329
Showing 1 changed file with 15 additions and 2 deletions.
diff --git a/elliptic-curve/src/scalar/non_zero.rs b/elliptic-curve/src/scalar/non_zero.rs
@@ -190,20 +190,33 @@ where
     C: Curve + ProjectiveArithmetic,
 {
     fn zeroize(&mut self) {
+        // Use zeroize's volatile writes to ensure value is cleared.
         self.scalar.zeroize();
+
+        // Write a 1 instead of a 0 to ensure this type's non-zero invariant
+        // is upheld.
+        self.scalar = Scalar::<C>::one();
     }
 }
 
 #[cfg(all(test, feature = "dev"))]
 mod tests {
-    use crate::dev::NonZeroScalar;
-    use ff::PrimeField;
+    use crate::dev::{NonZeroScalar, Scalar};
+    use ff::{Field, PrimeField};
     use hex_literal::hex;
+    use zeroize::Zeroize;
 
     #[test]
     fn round_trip() {
         let bytes = hex!("c9afa9d845ba75166b5c215767b1d6934e50c3db36e89b127b8a622b120f6721");
         let scalar = NonZeroScalar::from_repr(bytes.into()).unwrap();
         assert_eq!(&bytes, scalar.to_repr().as_slice());
     }
+
+    #[test]
+    fn zeroize() {
+        let mut scalar = NonZeroScalar::new(Scalar::from(42u64)).unwrap();
+        scalar.zeroize();
+        assert_eq!(*scalar, Scalar::one());
+    }
 }