On Thu, Jul 8, 2021 at 11:43 PM Niels Möller nisse@lysator.liu.se wrote:
Maamoun TK maamoun.tk@googlemail.com writes:
I'm thinking it's also worth it to wipe the authentication tag and the leftover bytes of input data from the stack. Leaving the output authentication tag on the stack is never a good idea, and in case of processing AAD the input data is left in the clear, so leaving leftover bytes on the stack may reveal potentially secret data. I've pushed another commit to wipe the whole parameter block content (authentication tag and hash subkey) and the leftover bytes of input data.
Other nettle functions don't do that; it's generally assumed that the running program is trustworthy, and that the operating system protects the data from non-trustworthy processes. I think using encrypted swap (using an ephemeral key destroyed on shutdown) is a good idea.
To me, it makes some sense for nettle to wipe the copy of the key (since the application might wipe the context struct and expect no copies to remain), but probably overkill for the other data. But it shouldn't hurt either.
S390x's GHASH implementation needs to copy the key and input tail data to the stack. I just instructed the function to wipe that data from the stack once the cipher operation is completed; I don't do any kind of data wiping from the input buffer or cipher context. My concern is that if the program terminates, the operating system will deallocate the program's stack without clearing its content, so that leftover data will remain somewhere in RAM, where it could be subject to memory allocation or dumping by other programs.
regards, Mamone
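
The pattern discussed in this thread, as an added C illustration (not nettle's code and not the s390x assembly): a GHASH update that keeps the tag, the hash subkey and the padded input tail in stack storage, copies the result out, then wipes those copies. The names `scratch`, `wipe`, `gf_mul` and `ghash_update_wiped` are made up here, and the bitwise multiply is a portable stand-in for the hardware operation. In C the wipe goes through a `volatile` pointer because a plain `memset` on a buffer that is about to go out of scope can be removed by the compiler.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed stack layout: parameter block (tag, hash subkey) plus padded tail. */
struct scratch { uint8_t tag[16], h[16], tail[16]; };

/* Zero through a volatile pointer so the stores cannot be dropped as dead. */
static void wipe(void *p, size_t n) {
  volatile uint8_t *v = p;
  while (n--) *v++ = 0;
}

/* x = x * h in GF(2^128), bit by bit; portable stand-in for the hardware op. */
static void gf_mul(uint8_t x[16], const uint8_t h[16]) {
  uint8_t z[16] = {0}, v[16];
  memcpy(v, h, 16);
  for (int i = 0; i < 128; i++) {
    if (x[i / 8] & (0x80 >> (i % 8)))
      for (int j = 0; j < 16; j++) z[j] ^= v[j];
    int lsb = v[15] & 1;
    for (int j = 15; j > 0; j--) v[j] = (uint8_t)((v[j] >> 1) | (v[j - 1] << 7));
    v[0] >>= 1;
    if (lsb) v[0] ^= 0xe1;
  }
  memcpy(x, z, 16);
  wipe(v, sizeof v); wipe(z, sizeof z);  /* v held a shifted subkey copy */
}

/* Absorb data into state[16]. Returns how many non-zero bytes remain in the
   stack copies after wiping (0 expected). */
int ghash_update_wiped(const uint8_t key[16], uint8_t state[16],
                       const uint8_t *data, size_t len) {
  struct scratch s = {{0}, {0}, {0}};
  int left = 0;
  memcpy(s.tag, state, 16);
  memcpy(s.h, key, 16);                  /* stack copy of the key */
  for (; len >= 16; data += 16, len -= 16) {
    for (int j = 0; j < 16; j++) s.tag[j] ^= data[j];
    gf_mul(s.tag, s.h);
  }
  if (len > 0) {                         /* leftover bytes, zero-padded */
    memcpy(s.tail, data, len);
    for (int j = 0; j < 16; j++) s.tag[j] ^= s.tail[j];
    gf_mul(s.tag, s.h);
  }
  memcpy(state, s.tag, 16);              /* hand the result back first */
  wipe(&s, sizeof s);
  for (size_t i = 0; i < sizeof s; i++)
    left += ((const volatile uint8_t *)&s)[i] != 0;
  return left;
}
```

The wipe covers only the memory copies; values that passed through registers are outside what this C code controls.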