Keystream buffers aren't zeroized in StreamCipherCore
#1494
I noticed that `StreamCipherCoreWrapper` zeroizes its buffer on drop, but there are larger temporary buffers that are created in `stream_core.rs` that do not get zeroized. If the main buffer that contains a block of the keystream gets zeroized, then it would make sense for larger buffers containing the keystream to be zeroized as well.

There are at least 2 solutions to add the zeroizing buffers for `stream_core.rs`. `zeroize` is enabled. `zeroize` call should only be called at most once per `apply_keystream()`. `StreamCipherCoreWrapper`'s buffer a variable-sized buffer, or sized to the maximum size for the given cipher. `StreamCipherCoreWrapper` is done with. `alloc`. Hybrid array might work if it is able to work with array sizes that aren't known at compile time. Otherwise, the easiest solution is either solution 1, or picking the largest buffer for the cipher's backends, which would kind of defeat the purpose of `ParBlocksSize`.

There may be more solutions, but I have a PR for solution 1 if that is acceptable.

Comments

We intentionally do not deal with stack spilling. Zeroizing stack-based variables can significantly hurt performance and is not as useful as you may think, since the compiler is free to create as many copies as it wants (and often does). The stack should be bleached separately after you have finished working with secret data.

Is there a safe, portable way to perform stack bleaching? I have looked into it a little, but I have only found some unresolved issues and some of your x86 assembly, and I am planning on using aarch64... and I don't fully understand the stack. But I think I have found a way to try to prevent stack spilling, using the second solution. By removing temporary buffers from Adjusting

Well, code like this more or less works in practice, but I would use it only as a fallback. There are issues with the lack of exact guarantees for We probably should create an experimental crate for this.

I don't think this will work. The whole "backend" shenanigans is needed because algorithm core implementations may generate multiple blocks of data in parallel and we keep only one block in the core wrapper. In other words, temporary buffers are often several blocks long, so they will not fit into the buffer inside

Here's an experimental crate which implements the idea: https://github.com/dsprenkels/eraser
Ideally it would be nice to have first-class compiler support for this sort of thing instead.

Thanks for the info. I was not aware of stack spilling, and I will definitely explore uses for that I did not want to change the way that the The main API change in that commit is that implementors of

Closing this issue as wontfix for reasons outlined above.
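As an added illustration (not code from the `cipher` crate or from this thread's participants), the following Rust sketch shows what zeroize-on-drop of an owned multi-block keystream buffer looks like, and why it only covers the memory the struct owns; all names (`KeystreamBuf`, `apply_keystream`, `wipe`, `is_wiped`) and the toy block generator are this example's own assumptions.

```rust
// Added example, not code from the `cipher` crate: a keystream buffer that
// wipes the memory it owns on drop, the behaviour the issue asks for on the
// larger multi-block temporaries. All names here are this example's own.
use core::ptr::write_volatile;
use core::sync::atomic::{compiler_fence, Ordering};
/// Holds `par_blocks` keystream blocks of `BLOCK` bytes, like the wider
/// temporary buffer a parallel backend fills before XORing into data.
pub struct KeystreamBuf<const BLOCK: usize> {
    blocks: Vec<[u8; BLOCK]>,
}

impl<const BLOCK: usize> KeystreamBuf<BLOCK> {
    /// Fill the buffer from a block generator (a toy closure in the test;
    /// a real cipher backend would write its keystream here).
    pub fn generate(par_blocks: usize, mut gen: impl FnMut(usize, &mut [u8; BLOCK])) -> Self {
        let mut blocks = vec![[0u8; BLOCK]; par_blocks];
        for (i, b) in blocks.iter_mut().enumerate() {
            gen(i, b);
        }
        Self { blocks }
    }

    /// XOR the buffered keystream into `data` (exactly par_blocks * BLOCK bytes).
    pub fn apply_keystream(&self, data: &mut [u8]) {
        assert_eq!(data.len(), self.blocks.len() * BLOCK, "data/buffer size mismatch");
        for (d, k) in data.iter_mut().zip(self.blocks.iter().flatten()) {
            *d ^= k;
        }
    }

    /// Overwrite every keystream byte with volatile stores so the optimizer
    /// cannot discard them as dead writes. Only memory this struct owns is
    /// wiped; copies spilled to the stack or registers are out of reach.
    pub fn wipe(&mut self) {
        for byte in self.blocks.iter_mut().flatten() {
            unsafe { write_volatile(byte, 0) };
        }
        compiler_fence(Ordering::SeqCst);
    }
    pub fn is_wiped(&self) -> bool {
        self.blocks.iter().flatten().all(|&b| b == 0)
    }
}

impl<const BLOCK: usize> Drop for KeystreamBuf<BLOCK> {
    fn drop(&mut self) {
        self.wipe();
    }
}
```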