From: ".. ink .."
Date: Tue, 30 Dec 2014 16:57:56 +0300
To: dm-crypt@saout.de
Subject: [dm-crypt] unsafe??? use of memset

A lot of people, like this one[2], advise against the use of memset to clear memory, but cryptsetup seems to ignore this advice and uses memset a lot, like in [1].

Any reason why cryptsetup is ignoring this advice?

[1] https://code.google.com/p/cryptsetup/source/browse/lib/tcrypt/tcrypt.c#272
[2] http://edc.tversu.ru/elib/inf/0088/0596003943_secureprgckbk-chp-13-sect-2.html
From: Milan Broz
Date: Tue, 30 Dec 2014 15:26:02 +0100
To: ".. ink ..", dm-crypt@saout.de
Subject: Re: [dm-crypt] unsafe??? use of memset

On 12/30/2014 02:57 PM, .. ink .. wrote:
> A lot of people, like this one[2], advise against the use of memset to clear memory, but cryptsetup seems to
> ignore this advice and uses memset a lot, like in [1].
>
> Any reason why cryptsetup is ignoring this advice?

Why ignore? It worked with old compilers (and VC is not the issue here).

This is open source, so I usually respond with "send a patch" to these messages...

But actually I have had a patch for that for weeks. I just have other issues which unfortunately have much higher priority in my life, and I am not going to commit a half-baked patch.

FYI:
I fixed it in kernel dm-crypt, where we can use memzero_explicit():
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/drivers/md/dm-crypt.c?id=1a71d6ffe18c0d0f03fc8531949cc8ed41d702ee

Cryptsetup will follow (hopefully soon, with other fixes).

And it is nothing critical.

There is a nice description of the problem:
https://cryptocoding.net/index.php/Coding_rules#Prevent_compiler_interference_with_security-critical_operations

Actually I want to replace the zeroing memset with the code used in BLAKE2.
It is simple and should work.

    static inline void secure_zero_memory(void *v, size_t n)
    {
        volatile uint8_t *p = (volatile uint8_t *)v;
        while (n--) *p++ = 0;
    }

Milan

> [1] https://code.google.com/p/cryptsetup/source/browse/lib/tcrypt/tcrypt.c#272
> [2] http://edc.tversu.ru/elib/inf/0088/0596003943_secureprgckbk-chp-13-sect-2.html


From: Arno Wagner
Date: Tue, 30 Dec 2014 17:38:14 +0100
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] unsafe??? use of memset

Interesting question. I think it is not relevant for most Linux scenarios, as memset() comes precompiled as part of a binary library, and the compiler has no clue what it does and hence cannot optimize it away.

If memset is compiled together with the code using it, this would be a problem, but also one anybody writing secure code should be aware of. I am not aware of any normal Linux scenarios where that could happen.

Still, something low-priority to fix eventually, as it cannot be ruled out that it may some day be compiled in a dangerous fashion, or memset() may be made a macro, or some other bizarre circumstances.

BTW, with GCC, there is also the possibility to locally prohibit optimization with something like:

    #pragma GCC push_options
    #pragma GCC optimize ("O0")
    code
    #pragma GCC pop_options

I needed that some time ago, but do not remember for what.

Anyways, this is an area where recipes do not cut it. For secure code you have to understand how it gets compiled on the specific target platform and what the issues there are.

Arno

On Tue, Dec 30, 2014 at 14:57:56 CET, .. ink .. wrote:
> A lot of people, like this one[2], advise against the use of memset to clear
> memory, but cryptsetup seems to
> ignore this advice and uses memset a lot, like in [1].
>
> Any reason why cryptsetup is ignoring this advice?
>
> [1]
> https://code.google.com/p/cryptsetup/source/browse/lib/tcrypt/tcrypt.c#272
> [2]
> http://edc.tversu.ru/elib/inf/0088/0596003943_secureprgckbk-chp-13-sect-2.html

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier


From: Arno Wagner
Date: Tue, 30 Dec 2014 17:47:21 +0100
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] unsafe??? use of memset

On Tue, Dec 30, 2014 at 15:26:02 CET, Milan Broz wrote:
> On 12/30/2014 02:57 PM, .. ink .. wrote:
> >
> > A lot of people, like this one[2], advise against the use of memset to clear memory, but cryptsetup seems to
> > ignore this advice and uses memset a lot, like in [1].
> >
> > Any reason why cryptsetup is ignoring this advice?
>
> Why ignore? It worked with old compilers (and VC is not the issue here).
>
> This is open source, so I usually respond with "send a patch" to these messages...
>
> But actually I have had a patch for that for weeks. I just have other issues which unfortunately have
> much higher priority in my life, and I am not going to commit a half-baked patch.
>
> FYI:
> I fixed it in kernel dm-crypt, where we can use memzero_explicit():
> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/drivers/md/dm-crypt.c?id=1a71d6ffe18c0d0f03fc8531949cc8ed41d702ee
>
> Cryptsetup will follow (hopefully soon, with other fixes).
>
> And it is nothing critical.
>
> There is a nice description of the problem:
> https://cryptocoding.net/index.php/Coding_rules#Prevent_compiler_interference_with_security-critical_operations

Interesting! So the problem is that memset() may not even be called. That would be bad.

In that case the compiler would need to know that there are no volatile variables used inside memset(), which, again, I think it should not be able to do on Linux, as gcc does not look at the libraries before linking. Apparently MS Visual C++ 2010 knows more about the libraries than is good for it.

My take would be that this is a legal optimization (with regard to the C standard), but one that needs some hidden special treatment of memset(). Of course I could be wrong.

Arno

> Actually I want to replace the zeroing memset with the code used in BLAKE2.
> It is simple and should work.
>
>     static inline void secure_zero_memory(void *v, size_t n)
>     {
>         volatile uint8_t *p = (volatile uint8_t *)v;
>         while (n--) *p++ = 0;
>     }
>
> Milan
>
> > [1] https://code.google.com/p/cryptsetup/source/browse/lib/tcrypt/tcrypt.c#272
> > [2] http://edc.tversu.ru/elib/inf/0088/0596003943_secureprgckbk-chp-13-sect-2.html
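Worked example, added here and not part of the thread or of cryptsetup: the BLAKE2-style volatile-pointer zeroing Milan quotes, beside the memset-plus-compiler-barrier variant that libraries use for the same purpose, with a self-check that a scrub covers exactly the requested bytes. The barrier idiom, the helper names and the constructed key bytes are assumptions; a runtime test cannot observe the dead-store elimination itself, which is only visible by inspecting the optimized object code.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not cryptsetup's code. The BLAKE2-style routine quoted in
 * the thread: each store goes through a volatile lvalue, so the compiler
 * must emit it even when the buffer is never read again. */
static inline void secure_zero_memory(void *v, size_t n)
{
    volatile uint8_t *p = (volatile uint8_t *)v;
    while (n--) *p++ = 0;
}

/* Alternative (assumed, not from the thread): plain memset() followed by an
 * empty asm statement that declares the buffer as read, so the stores cannot
 * be dropped as dead. GCC/Clang extension; bare memset on other compilers. */
static inline void barrier_zero_memory(void *v, size_t n)
{
    memset(v, 0, n);
#if defined(__GNUC__) || defined(__clang__)
    __asm__ __volatile__("" : : "r"(v) : "memory");
#endif
}

/* 1 if all n bytes are zero; OR-accumulate, no data-dependent early exit. */
static int is_all_zero(const uint8_t *buf, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Self-check: fill a stack buffer with constructed key bytes, scrub only the
 * first half with the chosen routine, then verify that half is zero and the
 * other half untouched (so the length is honoured). Returns 1 on pass. */
static int scrub_half_and_check(int use_barrier)
{
    uint8_t key[32];
    for (size_t i = 0; i < sizeof key; i++) key[i] = (uint8_t)(0xA5 ^ i);
    if (use_barrier)
        barrier_zero_memory(key, 16);
    else
        secure_zero_memory(key, 16);
    if (!is_all_zero(key, 16))
        return 0;
    for (size_t i = 16; i < sizeof key; i++)
        if (key[i] != (uint8_t)(0xA5 ^ i))
            return 0;
    return 1;
}
```

To see the difference the thread is about, compile a function that clears a local buffer with memset() just before returning at -O2 and inspect the disassembly: the plain memset() stores can vanish, while the volatile and barrier variants remain.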