untoldwind closed 5 years ago
The modified version of the code is certainly cleaner, but I don't think it makes any difference regarding memory clearing: in either case, the array is kept only on the stack, and we don't explicitly wipe the stack, so while this prevents a redundant copy, it doesn't affect memory wiping.
Merged, thanks for submitting this patch!
Actually (and unluckily) you are right. I've taken a look at the generated LLVM code of both versions and while they are marginally different they both have an `@llvm.memcpy.p0i8.p0i8.i64` of the original array to somewhere further up the stack.
And on top of that the `Scalar::from_bits` is doing another `@llvm.memcpy.p0i8.p0i8.i64` (though from the previously `memcpy`ed version down the stack)
I know this is kind of academic (since the stack is overwritten all the time), but I think the only way to ensure that there are no remains anywhere-ever would be to either
`[u8;32]`-parameters with `&mut [u8;32]`, doing the memcpy manually (e.g. with `copy_from_slice` or so) and then zero out the original (https://crates.io/crates/secrets is doing it this way)
or `[u8;32]` in a struct with a clear-on-drop just like the `StaticSecret` itself.
The `clone` inside `clamp_scalar` seems to have no use and might lead to a situation where the StaticSecret remains in memory after dropping it since the original byte-array is not cleared.
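The two options raised in the reply above (taking the key through `&mut [u8;32]` and zeroing the caller's copy, and keeping the bytes in a clear-on-drop struct), together with clamping in place rather than on a clone, sketched as an added example that is not code from this thread or from the crate. `SecretBytes`, `take_from`, `wipe` and `expose` are hypothetical names, and boxing the array is an assumption made here so that moving the wrapper copies a pointer instead of the 32 key bytes.

```rust
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

/// Zero a buffer with volatile stores so the optimizer cannot drop them as dead writes.
fn wipe(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, exclusive reference to a single byte.
        unsafe { ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// Hypothetical wrapper, not the crate's StaticSecret. The key lives in one heap
/// allocation, so moving the wrapper copies a pointer rather than the key bytes.
pub struct SecretBytes(Box<[u8; 32]>);

impl SecretBytes {
    /// Copy the key out of the caller's buffer, then wipe that buffer.
    pub fn take_from(src: &mut [u8; 32]) -> Self {
        let mut inner = Box::new([0u8; 32]);
        inner.copy_from_slice(&src[..]);
        wipe(&mut src[..]);
        SecretBytes(inner)
    }

    /// X25519 clamping applied in place, with no by-value copy of the array.
    pub fn clamp(&mut self) {
        self.0[0] &= 248;
        self.0[31] &= 127;
        self.0[31] |= 64;
    }

    /// Borrow the key bytes without copying them.
    pub fn expose(&self) -> &[u8; 32] {
        &self.0
    }
}

impl Drop for SecretBytes {
    fn drop(&mut self) {
        wipe(&mut self.0[..]);
    }
}

fn main() {
    let mut raw = [0xffu8; 32]; // constructed sample key material
    let mut secret = SecretBytes::take_from(&mut raw);
    secret.clamp();
    println!("caller buffer wiped: {}", raw.iter().all(|&b| b == 0));
}
```

This only controls the copies the code itself makes; temporaries the compiler spills to the stack or keeps in registers, as seen in the LLVM output discussed above, are outside its reach.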