lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 28 Aug 2021 15:46:50 +0800
From:   Sandy Harris <sandyinchina@...il.com>
To:     Herbert Xu <herbert@...dor.apana.org.au>
Cc:     Lukas Bulwahn <lukas.bulwahn@...il.com>,
        "David S . Miller" <davem@...emloft.net>,
        Linux Crypto Mailing List <linux-crypto@...r.kernel.org>,
        Nathan Chancellor <nathan@...nel.org>,
        Nick Desaulniers <ndesaulniers@...gle.com>,
        clang-built-linux@...glegroups.com,
        kernel-janitors@...r.kernel.org,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] crypto: sha512: remove imaginary and mystifying clearing
 of variables

On Fri, Aug 27, 2021 at 4:40 PM Herbert Xu <herbert@...dor.apana.org.au> wrote:
>
> On Sun, Aug 22, 2021 at 12:31:07PM +0200, Lukas Bulwahn wrote:
> > The function sha512_transform() assigns all local variables to 0 before
> > returning to its caller with the intent to erase sensitive data.
> > ....
> >
> >   The assignments to clear a through h and t1/t2 are optimized out by the
> >   compiler because they are unused after the assignments.

Just no.

You are right, there is a problem here. I thank you for pointing it
out & I've already fixed it in some of my own code.

However, I think your solution is dead wrong. You are correct that
these assignments are useless because the compiler will optimise them
out, and that's a problem. However, it is not at all "mistiifying";
they are there for an obvious reason, to avoid leaving state that
might be useful to an enemy. That is quite a small risk, but then it
is a small mitigation, so worth doing.

The correct solution is not to just remove the assignments, but rather
to replace them with code that will not be optimised away, force the
compiler to do what we need. We already do that for operations that
clear various arrays and structures, using memzero_explicit() rather
than memset(). Similarly, we should replace the assignments with calls
to this macro:

/*
    clear a variable
    in a way the compiler will not optimise out
*/
#define clear(x)  memzero_explicit( &x, sizeof(x) )

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ