authorJustus Winter <justus@sequoia-pgp.org>2023-09-22 12:17:16 +0200
committerJustus Winter <justus@sequoia-pgp.org>2023-09-22 15:32:46 +0200
commitf05cddce877f2b36993a180cdf044172e6e3801b (patch)
tree9e746bf130920801d3edc0d730569414f5f8a415
parent03deb1e127ece52bab798dd128addca5948e0d91 (diff)
openpgp: Zero the stack after signing using ed25519-dalek.
-rw-r--r--openpgp/src/crypto/backend/cng/asymmetric.rs4
-rw-r--r--openpgp/src/crypto/backend/rust/asymmetric.rs4
-rw-r--r--openpgp/src/crypto/mem.rs11
3 files changed, 15 insertions, 4 deletions
diff --git a/openpgp/src/crypto/backend/cng/asymmetric.rs b/openpgp/src/crypto/backend/cng/asymmetric.rs
index debddac5..a681b2a5 100644
--- a/openpgp/src/crypto/backend/cng/asymmetric.rs
+++ b/openpgp/src/crypto/backend/cng/asymmetric.rs
@@ -8,7 +8,7 @@ use crate::{Error, Result};
use crate::crypto::asymmetric::KeyPair;
use crate::crypto::backend::interface::Asymmetric;
-use crate::crypto::mem::Protected;
+use crate::crypto::mem::{Protected, zero_stack};
use crate::crypto::mpi::{self, MPI, ProtectedMPI};
use crate::crypto::SessionKey;
use crate::crypto::{pad, pad_at_least, pad_truncating};
@@ -131,7 +131,7 @@ impl Asymmetric for super::Backend {
-> Result<[u8; 64]> {
use ed25519_dalek::{SigningKey, Signer};
let pair: SigningKey = secret.try_into()?;
- Ok(pair.sign(digest).to_bytes().try_into()?)
+ Ok(zero_stack::<256, _>(pair.sign(digest)).to_bytes().try_into()?)
}
fn ed25519_verify(public: &[u8; 32], digest: &[u8], signature: &[u8; 64])
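Review bot: The `256` in `zero_stack::<256, _>(pair.sign(digest))` is an unexplained constant, and what the scrub reaches depends on stack layout: the argument `pair.sign(digest)` is fully evaluated before `zero_stack` is entered, so the helper's array can only overwrite whatever part of the already-popped `sign` frame happens to be reused by `zero_stack`'s own frame. If the compiler inlines `zero_stack` into `ed25519_sign`, the array is placed in this function's frame rather than below it and may not overlay the region `sign` used at all; marking the helper `#[inline(never)]` in mem.rs would make its placement relative to this call deterministic. Whether 256 bytes covers the expanded secret key and hash state that `ed25519_dalek`'s `sign` keeps on its stack is not evident from here, so a call-site comment such as `// Best-effort: overwrite the stack region just used by sign(); 256 is a heuristic, not a proven bound.` would record the intent and its limits. The identical change appears in `openpgp/src/crypto/backend/rust/asymmetric.rs` (hunk at line 119) and this note applies there too. The enclosing `ed25519_sign` starts above the hunk.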
diff --git a/openpgp/src/crypto/backend/rust/asymmetric.rs b/openpgp/src/crypto/backend/rust/asymmetric.rs
index 6ed97575..d0d199f5 100644
--- a/openpgp/src/crypto/backend/rust/asymmetric.rs
+++ b/openpgp/src/crypto/backend/rust/asymmetric.rs
@@ -14,7 +14,7 @@ use rsa::{Pkcs1v15Encrypt, RsaPublicKey, RsaPrivateKey, Pkcs1v15Sign};
use crate::{Error, Result};
use crate::crypto::asymmetric::KeyPair;
use crate::crypto::backend::interface::Asymmetric;
-use crate::crypto::mem::Protected;
+use crate::crypto::mem::{Protected, zero_stack};
use crate::crypto::mpi::{self, MPI, ProtectedMPI};
use crate::crypto::SessionKey;
use crate::crypto::pad_truncating;
@@ -119,7 +119,7 @@ impl Asymmetric for super::Backend {
-> Result<[u8; 64]> {
use ed25519_dalek::{SigningKey, Signer};
let pair: SigningKey = secret.try_into()?;
- Ok(pair.sign(digest).to_bytes().try_into()?)
+ Ok(zero_stack::<256, _>(pair.sign(digest)).to_bytes().try_into()?)
}
fn ed25519_verify(public: &[u8; 32], digest: &[u8], signature: &[u8; 64])
diff --git a/openpgp/src/crypto/mem.rs b/openpgp/src/crypto/mem.rs
index c795c7e1..8540776b 100644
--- a/openpgp/src/crypto/mem.rs
+++ b/openpgp/src/crypto/mem.rs
@@ -152,6 +152,17 @@ impl From<Vec<u8>> for Protected {
}
}
+/// Zeros N bytes on the stack, returning the given value.
+#[allow(dead_code)]
+pub(crate) fn zero_stack<const N: usize, T>(v: T) -> T {
+ let mut a = [0xffu8; N];
+ unsafe {
+ memsec::memzero(a.as_mut_ptr(), a.len());
+ }
+ std::hint::black_box(a);
+ v
+}
+
impl From<Box<[u8]>> for Protected {
fn from(v: Box<[u8]>) -> Self {
Protected(Box::leak(v))