Did you *really* zeroize that key?

Patrick Chkoreff patrick at loom.cc
Thu Nov 7 16:36:41 PST 2002

>From: "Trei, Peter" <ptrei at rsasecurity.com>
>[Moderator's note: FYI: no "pragma" is needed. This is what C's
>"volatile" keyword is for. Unfortunately, not everyone writing in C
>knows the language. --Perry]

Thanks for the reminder about "volatile."  It is an ancient and valuable 
feature of C and I suppose it's implemented correctly under gcc and some of 
the Windoze compilers even with high optimization options like -O2.

>From RISKS:
>Those of us who write code need to be reminded of this
>now and then.

Everybody probably also knows about the gnupg trick, where they define a 
recursive routine called "burn_stack":

#include <string.h>

static void
burn_stack (int bytes)
{
    char buf[64];

    /* clear this frame, then recurse so the deeper frames get cleared too */
    memset (buf, 0, sizeof buf);
    bytes -= sizeof buf;
    if (bytes > 0)
        burn_stack (bytes);
}

Then there's the vararg technique discussed in Michael Welschenbach's book 
"Cryptography in C and C++":

#include <stdarg.h>
#include <string.h>

/* each argument pair is (size_t size, pointer to variable of that size) */
static void purgevars_l (int noofvars, ...)
{
   va_list ap;
   size_t size;
   va_start (ap, noofvars);
   for (; noofvars > 0; --noofvars)
       switch (size = va_arg (ap, size_t))
       {
           case 1:  *va_arg (ap, char *) = 0;  break;
           case 2:  *va_arg (ap, short *) = 0; break;
           case 4:  *va_arg (ap, long *) = 0;  break;   /* assumes a 4-byte long */
           default: memset (va_arg (ap, char *), 0, size);
       }
   va_end (ap);
}

Here's an example of how you might call the routine:

   purgevars_l(2, sizeof (la), &la,
                    sizeof (lb), &lb);

But hey, if the "volatile" keyword works then so much the better.  I would 
recommend examining the assembly language output of your compiler to verify 
that it honours "volatile."
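One way to write the volatile-based scrub the moderator refers to, as an added example that is not part of the original post (secure_memzero, all_zero and use_key_then_scrub are assumed names, and the key bytes are constructed):

```c
#include <stddef.h>
#include <string.h>

/* Zeroize through a volatile pointer: each store is a side effect the
   compiler must keep.  A plain memset on a buffer that is never read
   again is a dead store and the optimizer is free to drop it. */
static void secure_memzero (void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *) p;
    while (n--)
        *vp++ = 0;
}

/* OR every byte together; returns 1 if all bytes are zero, else 0. */
static int all_zero (const void *p, size_t n)
{
    const unsigned char *b = (const unsigned char *) p;
    unsigned char acc = 0;
    while (n--)
        acc |= *b++;
    return acc == 0;
}

/* Sample key-handling routine: fill a local key with constructed bytes,
   "use" it, then scrub it before returning.  Returns 1 if the scrub
   left every byte zero.  In real code nothing reads the key after the
   scrub, which is exactly when a plain memset would be eliminated. */
static int use_key_then_scrub (void)
{
    unsigned char key[32];
    size_t i;
    for (i = 0; i < sizeof key; i++)
        key[i] = (unsigned char) (0xA5 ^ i);   /* constructed sample key */
    /* ... derive, encrypt, etc. with key here ... */
    secure_memzero (key, sizeof key);
    return all_zero (key, sizeof key);
}
```

The assembly check the post recommends is still the real test, since no C-level assertion can observe a store the compiler removed; where available, explicit_bzero() (BSD, glibc) and C11 memset_s() exist for the same purpose.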

-- Patrick
