authorJustus Winter <justus@sequoia-pgp.org>2023-09-25 11:56:54 +0200
committerJustus Winter <justus@sequoia-pgp.org>2023-09-26 13:39:58 +0200
commit42bc643075e9ec281432de0faed71fecfade5f1c (patch)
tree04926746ad71ccc9ddeea708b5f6b178cbd0df27 /openpgp
parent6251bc81f2db3a4a93a02cee3e0883f6a436d47b (diff)
openpgp: Zero the stack after using RustCrypto's block ciphers.
- Zeroing the stack is not something that upstream necessarily considers their responsibility, hence we need to do it. In any case, there is a bug in current versions of the AES crate that spills the symmetric key into the stack when using AES-NI or the ARMv8 Cryptography Extensions. - See https://github.com/RustCrypto/block-ciphers/issues/385.
Diffstat (limited to 'openpgp')
-rw-r--r--openpgp/src/crypto/backend/rust/symmetric.rs6
1 files changed, 6 insertions, 0 deletions
diff --git a/openpgp/src/crypto/backend/rust/symmetric.rs b/openpgp/src/crypto/backend/rust/symmetric.rs
index b04f0fc9..1869f1b9 100644
--- a/openpgp/src/crypto/backend/rust/symmetric.rs
+++ b/openpgp/src/crypto/backend/rust/symmetric.rs
@@ -110,6 +110,7 @@ macro_rules! impl_enc_mode {
dst: &mut [u8],
src: &[u8],
) -> Result<()> {
+ zero_stack!(4096 bytes after running {
debug_assert_eq!(dst.len(), src.len());
let bs = self.block_size();
let missing = (bs - (dst.len() % bs)) % bs;
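Review bot: The `4096` in `zero_stack!(4096 bytes after running {` is an unexplained magic number, and the same literal recurs in the `encrypt` hunk of `impl_dec_mode`, while `make_mode` uses `8192`. How much stack the cipher calls consume depends on the selected cipher, the backend (AES-NI, ARMv8 extensions, software fallback) and inlining decisions, so if the macro wipes only the stated number of bytes, a deeper call chain would presumably leave the spilled key in place without any signal. I would add a comment at each call site along the lines of `// 4096 bytes: upper bound on the stack used by the block-cipher calls below; re-check when updating the cipher crates` and say how the bound was obtained. The diffstat shows no test that observes the wiped region, so a regression here would go unnoticed. The body of `encrypt` continues outside this hunk, so any early exits and how they interact with the macro cannot be checked from here.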
@@ -213,6 +214,7 @@ macro_rules! impl_enc_mode {
}
}
Ok(())
+ })
}
fn decrypt(
@@ -247,6 +249,7 @@ macro_rules! impl_dec_mode {
dst: &mut [u8],
src: &[u8],
) -> Result<()> {
+ zero_stack!(4096 bytes after running {
debug_assert_eq!(dst.len(), src.len());
let bs = self.block_size();
let missing = (bs - (dst.len() % bs)) % bs;
@@ -350,6 +353,7 @@ macro_rules! impl_dec_mode {
}
}
Ok(())
+ })
}
}
}
@@ -375,6 +379,7 @@ where
macro_rules! make_mode {
($fn:ident, $enum:ident, $mode:ident::$mode2:ident $(, $iv:ident:$ivt:ty)?) => {
pub(crate) fn $fn(self, key: &[u8], $($iv: $ivt)?) -> Result<Box<dyn Mode>> {
+ zero_stack!(8192 bytes after running || -> Result<Box<dyn Mode>> {
use cipher::generic_array::GenericArray as GA;
use SymmetricAlgorithm::*;
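Review bot: Wiping the stack does not cover what this function returns: the `Box<dyn Mode>` holds the cipher state built from `key` on the heap, and nothing in this hunk shows that state being cleared when the box is dropped. It is worth confirming that the concrete mode types zeroize on drop (the RustCrypto crates gate this behind a `zeroize` feature, as far as I know) and recording that next to the macro call, e.g. `// Covers the stack only; the boxed cipher state must be zeroized on drop.` This call also uses the closure form with an explicit return type and `8192`, where `encrypt` uses a plain block and `4096`; a one-line comment explaining both differences would help the next reader. The function body continues outside the hunk.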
@@ -459,6 +464,7 @@ macro_rules! make_mode {
Err(Error::UnsupportedSymmetricAlgorithm(self).into())
}
}
+ })
}
}
}