[PATCH] Wipe potentially sensitive stack memory.

Ben Kibbey bjk at luxsci.net
Sat Jun 12 05:25:43 CEST 2021


On Fri, Jun 11, 2021 at 07:56:57AM +0200, Werner Koch wrote:
> Hi Ben,
> 
> On Tue,  8 Jun 2021 20:51, Ben Kibbey said:
> > * src/data.c (_gpgme_data_inbound_handler): Wipe buffer before return.
> 
> Is that intended for passphrase callbacks or secret key export?  Would a
> flag flagging such a data object holding sensitive data not be better?

It is used for gpg IO during gpgme_op_decrypt_*() and other app
engines. Although normally not key material, what remains in the buffer is
decrypted data which could be anything including key material for some
other purpose. I didn't push the patch because I wasn't sure what you or
others thought about the cost/overhead of wipememory() on every call.
But I think (I'm not an ASM or CPU expert) most CPUs have a register
(MMX, SSE, etc) to help with zeroing things out and the overhead of
doing so is not very much, if any. Although it may all depend on the
libc implementation, too.

> BTW, I plan to allow for larger buffers in this function to reduce the
> overhead for certain callers which don't work well with small data
> blocks.  Thus a new data object flag will anyway be added.

OK cool.

-- 
Ben Kibbey
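Added example for the pattern under discussion (written for this thread; it is not gpgme or gnupg code): a stand-in for wipememory() that cannot be dropped by the compiler, placed at the return of a hypothetical inbound handler that has just held decrypted data in a stack buffer, plus a check that the buffer really is zero afterwards. secure_wipe, is_wiped, inbound_handler, capture_sink and BUFSIZE are assumed names; the sink and the sample data are constructed for the test.

```c
#include <stddef.h>
#include <string.h>

#define BUFSIZE 64
/* Stand-in for gnupg's wipememory() (hypothetical name): the stores go
 * through a volatile pointer so the compiler cannot treat them as dead
 * stores and drop the wipe just before the function returns. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Returns 1 if every byte in [p, p+n) is zero, else 0. */
static int is_wiped(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* Constructed sink: records what the handler forwarded. */
static unsigned char g_out[BUFSIZE];
static size_t g_outlen;
static size_t capture_sink(const unsigned char *p, size_t n)
{
    memcpy(g_out, p, n);
    g_outlen = n;
    return n;
}

/* Hypothetical handler in the shape of the one discussed: decrypted
 * bytes land in a fixed stack buffer, go to a sink, and the whole buffer
 * is wiped before return.  'after' receives a copy of the buffer
 * post-wipe so a test can observe it; a real handler would not do that. */
static size_t inbound_handler(const unsigned char *in, size_t inlen,
                              size_t (*sink)(const unsigned char *, size_t),
                              unsigned char after[BUFSIZE])
{
    unsigned char buffer[BUFSIZE];
    size_t n = inlen < sizeof buffer ? inlen : sizeof buffer;
    memcpy(buffer, in, n);              /* plaintext now sits on the stack */
    size_t forwarded = sink(buffer, n);
    secure_wipe(buffer, sizeof buffer); /* wipe all of it, not just n bytes */
    if (after)
        memcpy(after, buffer, sizeof buffer);
    return forwarded;
}
```

The wipe covers the full buffer rather than only the bytes used this call, since an earlier, longer chunk may have left data past the current length.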