Gate zeroize behind crate feature

daxpedda · daxpedda · commit bae9c24c2880 · 2022-06-16T16:36:18.000+02:00
diff --git a/.github/workflows/balloon-hash.yml b/.github/workflows/balloon-hash.yml
@@ -61,4 +61,8 @@ jobs:
           toolchain: ${{ matrix.rust }}
           override: true
       - run: cargo test --release
+      - run: cargo test --release --no-default-features --features alloc
+      - run: cargo test --release --no-default-features --features alloc,zeroize
+      - run: cargo test --release --no-default-features --features parallel
+      - run: cargo test --release --no-default-features --features parallel,zeroize
       - run: cargo test --release --all-features
diff --git a/balloon-hash/Cargo.toml b/balloon-hash/Cargo.toml
@@ -15,11 +15,11 @@ rust-version = "1.57"
 [dependencies]
 digest = { version = "0.10.3", default-features = false }
 crypto-bigint = { version = "0.4", default-features = false, features = ["generic-array"] }
-zeroize = { version = "1", default-features = false }
 
 # optional dependencies
 password-hash = { version = "0.4", default-features = false, optional = true }
 rayon = { version = "1.5", optional = true }
+zeroize = { version = "1", default-features = false, optional = true }
 
 [dev-dependencies]
 hex-literal = "0.3"
diff --git a/balloon-hash/src/balloon.rs b/balloon-hash/src/balloon.rs
@@ -4,6 +4,8 @@ use core::mem;
 use crypto_bigint::{ArrayDecoding, ArrayEncoding, NonZero};
 use digest::generic_array::GenericArray;
 use digest::{Digest, FixedOutputReset};
+
+#[cfg(feature = "zeroize")]
 use zeroize::Zeroize;
 
 pub fn balloon<D: Digest + FixedOutputReset>(
@@ -38,9 +40,11 @@ where
         let mut output = hash_internal::<D>(pwd, salt, secret, params, memory_blocks, Some(1))?;
 
         for thread in 2..=u64::from(params.p_cost.get()) {
+            #[cfg_attr(not(feature = "zeroize"), allow(unused_mut))]
             let mut hash =
                 hash_internal::<D>(pwd, salt, secret, params, memory_blocks, Some(thread))?;
             output.iter_mut().zip(&hash).for_each(|(a, b)| *a ^= b);
+            #[cfg(feature = "zeroize")]
             hash.zeroize();
         }
 
@@ -65,12 +69,16 @@ where
                 .map_with((params, secret), |(params, secret), (thread, memory)| {
                     hash_internal::<D>(pwd, salt, *secret, *params, memory, Some(thread))
                 })
-                .try_reduce(GenericArray::default, |mut a, mut b| {
-                    a.iter_mut().zip(&b).for_each(|(a, b)| *a ^= b);
-                    b.zeroize();
-
-                    Ok(a)
-                })
+                .try_reduce(
+                    GenericArray::default,
+                    |mut a, #[cfg_attr(not(feature = "zeroize"), allow(unused_mut))] mut b| {
+                        a.iter_mut().zip(&b).for_each(|(a, b)| *a ^= b);
+                        #[cfg(feature = "zeroize")]
+                        b.zeroize();
+
+                        Ok(a)
+                    },
+                )
         }?
     };
 
@@ -206,6 +214,7 @@ where
     // Step 3. Extract output from buffer.
     // return buf[s_cost-1]
     let out = buf.last().unwrap().clone();
+    #[cfg(feature = "zeroize")]
     buf.iter_mut().for_each(|block| block.zeroize());
 
     Ok(out)
