From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gmazyland@gmail.com>
Received: from mail-wg0-x242.google.com (mail-wg0-x242.google.com
 [IPv6:2a00:1450:400c:c00::242])
 (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
 (No client certificate requested)
 by mail.server123.net (Postfix) with ESMTPS
 for <dm-crypt@saout.de>; Tue, 30 Dec 2014 15:26:06 +0100 (CET)
Received: by mail-wg0-f66.google.com with SMTP id y19so6520697wgg.5
 for <dm-crypt@saout.de>; Tue, 30 Dec 2014 06:26:05 -0800 (PST)
Message-ID: <54A2B5FA.7040606@gmail.com>
Date: Tue, 30 Dec 2014 15:26:02 +0100
From: Milan Broz <gmazyland@gmail.com>
MIME-Version: 1.0
References: <CAFnMBaQZp63DCZB9f9K1tPia237OGWjVQ6c2oYM7VNSDWqk_Vw@mail.gmail.com>
In-Reply-To: <CAFnMBaQZp63DCZB9f9K1tPia237OGWjVQ6c2oYM7VNSDWqk_Vw@mail.gmail.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Subject: Re: [dm-crypt] unsafe??? use of memset
List-Id: <dm-crypt.saout.de>
List-Unsubscribe: <http://www.saout.de/mailman/options/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=unsubscribe>
List-Archive: <http://www.saout.de/pipermail/dm-crypt/>
List-Post: <mailto:dm-crypt@saout.de>
List-Help: <mailto:dm-crypt-request@saout.de?subject=help>
List-Subscribe: <http://www.saout.de/mailman/listinfo/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=subscribe>
To: ".. ink .." <mhogomchungu@gmail.com>, "dm-crypt@saout.de" <dm-crypt@saout.de>

On 12/30/2014 02:57 PM, .. ink .. wrote:
> 
> a lot of people like this one[2] advises against the use of memset to clear memory but crypsetup seems to
> ignore this advice and use memset a lot like in[1].
> 
> Any reason why cryptseup is ignoring this advice?

Why ignore? It worked with old compilers (and VC is not the issue here).

This is opensource, so I usually respond with "send a patch" to these messages...

But actually I have patch for that for weeks. I have just another issues which have
unfortunately much higher priority in my life and I am not going commit half-baked patch.

FYI:
I fixed it is kernel dmcrypt, there we can use memzero_explicit()
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/drivers/md/dm-crypt.c?id=1a71d6ffe18c0d0f03fc8531949cc8ed41d702ee

Cryptsetup will follow (hopefully soon with other fixes).

And it is nothing critical.

There is a nice description of problem
https://cryptocoding.net/index.php/Coding_rules#Prevent_compiler_interference_with_security-critical_operations

Actually I want to replace zero memset with zero it with code used in BLAKE2.
It is simple and should work.

static inline void secure_zero_memory(void *v, size_t n)
{
  volatile uint8_t *p = (volatile uint8_t *)v;
  while(n--) *p++ = 0;
}

Milan

> 
> [1] https://code.google.com/p/cryptsetup/source/browse/lib/tcrypt/tcrypt.c#272
> [2] http://edc.tversu.ru/elib/inf/0088/0596003943_secureprgckbk-chp-13-sect-2.html