Closed untoldwind closed 5 years ago
hdevalence
commented
5 years ago The modified version of the code is certainly cleaner, but I don't think it makes any difference regarding memory clearing: in either case, the array is kept only on the stack, and we don't explicitly wipe the stack, so while this prevents a redundant copy, it doesn't affect memory wiping.
hdevalence
commented
5 years ago Merged, thanks for submitting this patch!
untoldwind
commented
5 years ago Actually (and unluckily) you are right. I've taken a look at generate llvm code of both versions and while they are marginally different they both have have an @llvm.memcpy.p0i8.p0i8.i64 of the original array to somewhere further up the stack.
And on top of that the Scalar::from_bits is doing another @llvm.memcpy.p0i8.p0i8.i64 (though from the previously memcpyed version down the stack)
I know this is kind of academic (since the stack is overwritten all the time), but I think the only way to ensure that there are no remains anywhere-ever would be to either
[u8;32]-parameters with &mut [u8;32], doing the memcpy manually (e.g. with
copy_from_slice or so) and then zero out the original (https://crates.io/crates/secrets is doing it this way)
or[u8;32] in a struct with a clear-on-drop just like the StaticSecret itself.
The
cloneinsideclamp_scalarseems to to have no use and might lead to a situation where the StaticSecret remains in memory after dropping it since the original byte-array is not cleared.