From f9701d21d2066a1374b3289c4b34cfbf3fbf4f5e Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Wed, 17 Sep 2025 17:57:27 -0700 Subject: [PATCH] crypto: use clear built-in Replace for loops with clear built-in, available since Go 1.21. Change-Id: I16a2691a68042e9c5cd9bc4197690fa541a081eb Reviewed-on: https://go-review.googlesource.com/c/go/+/704877 Reviewed-by: Michael Knyszek Reviewed-by: Mark Freeman Reviewed-by: Roland Shoemaker Reviewed-by: Sean Liao LUCI-TryBot-Result: Go LUCI --- src/crypto/internal/fips140/mlkem/field.go | 4 +--- src/crypto/internal/fips140/sha3/sha3.go | 4 +--- src/crypto/rc4/rc4.go | 4 +--- src/crypto/tls/conn.go | 8 ++------ src/crypto/tls/handshake_server_test.go | 4 +--- 5 files changed, 6 insertions(+), 18 deletions(-) diff --git a/src/crypto/internal/fips140/mlkem/field.go b/src/crypto/internal/fips140/mlkem/field.go index 1a42818247..577062526c 100644 --- a/src/crypto/internal/fips140/mlkem/field.go +++ b/src/crypto/internal/fips140/mlkem/field.go @@ -203,9 +203,7 @@ func sliceForAppend(in []byte, n int) (head, tail []byte) { // followed by ByteEncode₁, according to FIPS 203, Algorithm 5. func ringCompressAndEncode1(s []byte, f ringElement) []byte { s, b := sliceForAppend(s, encodingSize1) - for i := range b { - b[i] = 0 - } + clear(b) for i := range f { b[i/8] |= uint8(compress(f[i], 1) << (i % 8)) } diff --git a/src/crypto/internal/fips140/sha3/sha3.go b/src/crypto/internal/fips140/sha3/sha3.go index 7513f8ef5d..5c77fae4e7 100644 --- a/src/crypto/internal/fips140/sha3/sha3.go +++ b/src/crypto/internal/fips140/sha3/sha3.go @@ -61,9 +61,7 @@ func (d *Digest) Size() int { return d.outputLen } // Reset resets the Digest to its initial state. func (d *Digest) Reset() { // Zero the permutation's state. - for i := range d.a { - d.a[i] = 0 - } + clear(d.a[:]) d.state = spongeAbsorbing d.n = 0 } diff --git a/src/crypto/rc4/rc4.go b/src/crypto/rc4/rc4.go index 90943a0935..eebc1c04cb 100644 --- a/src/crypto/rc4/rc4.go +++ b/src/crypto/rc4/rc4.go @@ -55,9 +55,7 @@ func NewCipher(key []byte) (*Cipher, error) { // Deprecated: Reset can't guarantee that the key will be entirely removed from // the process's memory. func (c *Cipher) Reset() { - for i := range c.s { - c.s[i] = 0 - } + clear(c.s[:]) c.i, c.j = 0, 0 } diff --git a/src/crypto/tls/conn.go b/src/crypto/tls/conn.go index d4d68c0744..09dc9ea94c 100644 --- a/src/crypto/tls/conn.go +++ b/src/crypto/tls/conn.go @@ -220,9 +220,7 @@ func (hc *halfConn) changeCipherSpec() error { hc.mac = hc.nextMac hc.nextCipher = nil hc.nextMac = nil - for i := range hc.seq { - hc.seq[i] = 0 - } + clear(hc.seq[:]) return nil } @@ -231,9 +229,7 @@ func (hc *halfConn) setTrafficSecret(suite *cipherSuiteTLS13, level QUICEncrypti hc.level = level key, iv := suite.trafficKey(secret) hc.cipher = suite.aead(key, iv) - for i := range hc.seq { - hc.seq[i] = 0 - } + clear(hc.seq[:]) } // incSeq increments the sequence number. diff --git a/src/crypto/tls/handshake_server_test.go b/src/crypto/tls/handshake_server_test.go index 4df3f5a737..941f2a3373 100644 --- a/src/crypto/tls/handshake_server_test.go +++ b/src/crypto/tls/handshake_server_test.go @@ -1590,9 +1590,7 @@ var getConfigForClientTests = []struct { }, func(clientHello *ClientHelloInfo) (*Config, error) { config := testConfig.Clone() - for i := range config.SessionTicketKey { - config.SessionTicketKey[i] = 0 - } + clear(config.SessionTicketKey[:]) config.sessionTicketKeys = nil return config, nil }, -- 2.52.0