Zeroize on __m128i isn't supported on i386

[alexanderkjall]

This code: https://github.com/RustCrypto/universal-hashes/blob/master/polyval/src/backend/clmul.rs#L139

    fn drop(&mut self) {
        use zeroize::Zeroize;
        self.h.zeroize();
        self.y.zeroize();
    }

Results in this compilation error:

error[E0599]: the method `zeroize` exists for struct `__m128i`, but its trait bounds were not satisfied
   --> polyval/src/backend/clmul.rs:139:16
    |
139 |           self.h.zeroize();
    |                  ^^^^^^^ method cannot be called on `__m128i` due to unsatisfied trait bounds
   --> /usr/src/rustc-1.70.0/library/core/src/../../stdarch/crates/core_arch/src/x86/mod.rs:8:1
   ::: /usr/src/rustc-1.70.0/library/core/src/../../stdarch/crates/core_arch/src/x86/mod.rs:330:1
    |
    = note: doesn't satisfy `core::arch::x86::__m128i: DefaultIsZeroes`
    |
    = note: doesn't satisfy `core::arch::x86::__m128i: Zeroize`
    |
    = note: the following trait bounds were not satisfied:
            `core::arch::x86::__m128i: DefaultIsZeroes`
            which is required by `core::arch::x86::__m128i: Zeroize`

error[E0599]: the method `zeroize` exists for struct `__m128i`, but its trait bounds were not satisfied
   --> polyval/src/backend/clmul.rs:140:16
    |
140 |           self.y.zeroize();
    |                  ^^^^^^^ method cannot be called on `__m128i` due to unsatisfied trait bounds
   --> /usr/src/rustc-1.70.0/library/core/src/../../stdarch/crates/core_arch/src/x86/mod.rs:8:1
   ::: /usr/src/rustc-1.70.0/library/core/src/../../stdarch/crates/core_arch/src/x86/mod.rs:330:1
    |
    = note: doesn't satisfy `core::arch::x86::__m128i: DefaultIsZeroes`
    |
    = note: doesn't satisfy `core::arch::x86::__m128i: Zeroize`
    |
    = note: the following trait bounds were not satisfied:
            `core::arch::x86::__m128i: DefaultIsZeroes`
            which is required by `core::arch::x86::__m128i: Zeroize`

I could imagine that something like this might work:

diff --git a/polyval/src/backend/clmul.rs b/polyval/src/backend/clmul.rs
index 1d6565f..831218f 100644
--- a/polyval/src/backend/clmul.rs
+++ b/polyval/src/backend/clmul.rs
@@ -135,9 +135,20 @@ impl Reset for Polyval {
 #[cfg(feature = "zeroize")]
 impl Drop for Polyval {
     fn drop(&mut self) {
-        use zeroize::Zeroize;
-        self.h.zeroize();
-        self.y.zeroize();
+        #[cfg(not(target_arch = "x86"))]
+       {
+            use zeroize::Zeroize;
+            self.h.zeroize();
+            self.y.zeroize();
+        }
+        #[cfg(target_arch = "x86")]
+        {
+           unsafe {
+               let zero = _mm_setzero_si128();
+                core::ptr::write_volatile(core::ptr::addr_of_mut!(self.h), zero);
+                core::ptr::write_volatile(core::ptr::addr_of_mut!(self.y), zero);
+            }
+        }
     }
 }

But I really out of my depth here, so would appreciate some opinions on this :)

[tarcieri]

i386 as in a literal i386-* target, or non-64-bit x86?

In theory zeroization should work on x86 targets: https://github.com/RustCrypto/utils/blob/master/zeroize/src/x86.rs

It's tested on i686 targets: https://github.com/RustCrypto/utils/blob/master/.github/workflows/zeroize.yml#L53

So is polyval: https://github.com/RustCrypto/universal-hashes/blob/master/.github/workflows/polyval.yml#L49

[alexanderkjall]

Here is the build error: https://ci.debian.net/data/autopkgtest/testing/i386/r/rust-polyval/39906221/log.gz

I installed a i386 debian vm and reproduced it on that.

[newpavlov]

@tarcieri
Cutting a new zeroize release with this change may resolve this issue.

[tarcieri]

Will do

[alexanderkjall]

I can verify that the issue is fixed with version 1.6.1 of zeroize