Re: [PATCH] lib/crypto: chacha - Zeroize permuted_state before it leaves scope

From: Ard Biesheuvel

Date: Fri Mar 27 2026 - 12:25:16 EST

On Thu, 26 Mar 2026, at 04:29, Eric Biggers wrote:
> Since the ChaCha permutation is invertible, the local variable
> 'permuted_state' is sufficient to compute the original 'state', and thus
> the key, even after the permutation has been done.
>
> While the kernel is quite inconsistent about zeroizing secrets on the
> stack (and some prominent userspace crypto libraries don't bother at all
> since it's not guaranteed to work anyway), the kernel does try to do it
> as a best practice, especially in cases involving the RNG.
>
> Thus, explicitly zeroize 'permuted_state' before it goes out of scope.
>
> Fixes: c08d0e647305 ("crypto: chacha20 - Add a generic ChaCha20 stream cipher implementation")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
> ---
>
> This patch is targeting libcrypto-fixes
>
> lib/crypto/chacha-block-generic.c | 4 ++++
> 1 file changed, 4 insertions(+)
>

Acked-by: Ard Biesheuvel <ardb@xxxxxxxxxx>
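As an added illustration of the point in the quoted commit message (this is not the patch or the kernel's code), a small userspace C program: every step of the ChaCha quarter round is an add, a rotate or an XOR, each invertible, so the whole permutation runs backwards and a stale copy of 'permuted_state' yields the key words. The helper names, the constructed sample state and the volatile clearing loop standing in for memzero_explicit() are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>
#define ROTL32(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define ROTR32(v, n) (((v) >> (n)) | ((v) << (32 - (n))))
/* RFC 8439 quarter round, and its exact inverse: every add, xor and rotate undone in reverse order. */
#define QR(a, b, c, d) do { a += b; d ^= a; d = ROTL32(d, 16); c += d; b ^= c; b = ROTL32(b, 12); \
	a += b; d ^= a; d = ROTL32(d, 8); c += d; b ^= c; b = ROTL32(b, 7); } while (0)
#define IQR(a, b, c, d) do { b = ROTR32(b, 7); b ^= c; c -= d; d = ROTR32(d, 8); d ^= a; a -= b; \
	b = ROTR32(b, 12); b ^= c; c -= d; d = ROTR32(d, 16); d ^= a; a -= b; } while (0)
/* Forward permutation: nrounds/2 double rounds, each a column round then a diagonal round. */
static void chacha_permute(uint32_t x[16], int nrounds)
{
	for (int i = 0; i < nrounds; i += 2) {
		QR(x[0], x[4], x[8], x[12]);  QR(x[1], x[5], x[9], x[13]);
		QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
		QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]);
		QR(x[2], x[7], x[8], x[13]);  QR(x[3], x[4], x[9], x[14]);
	}
}
/* Inverse permutation: undo the diagonal round, then the column round, for each double round. */
static void chacha_unpermute(uint32_t x[16], int nrounds)
{
	for (int i = 0; i < nrounds; i += 2) {
		IQR(x[0], x[5], x[10], x[15]); IQR(x[1], x[6], x[11], x[12]);
		IQR(x[2], x[7], x[8], x[13]);  IQR(x[3], x[4], x[9], x[14]);
		IQR(x[0], x[4], x[8], x[12]);  IQR(x[1], x[5], x[9], x[13]);
		IQR(x[2], x[6], x[10], x[14]); IQR(x[3], x[7], x[11], x[15]);
	}
}
/* Userspace stand-in (assumption) for the kernel's memzero_explicit(): volatile stores the compiler cannot drop as dead. */
static void zeroize(uint32_t *p, size_t n) { volatile uint32_t *vp = p; while (n--) *vp++ = 0; }
/* Constructed sample state (RFC 8439 2.3.2 layout): constants, 8 key words, block counter, 3 nonce words. */
static const uint32_t sample_state[16] = { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574,
	0x03020100, 0x07060504, 0x0b0a0908, 0x0f0e0d0c, 0x13121110, 0x17161514, 0x1b1a1918, 0x1f1e1d1c,
	0x00000001, 0x09000000, 0x4a000000, 0x00000000 };
/* Known-answer helper: word i of the state after 20 rounds, before the feed-forward addition. */
static uint32_t permuted_word(int i) { uint32_t x[16]; memcpy(x, sample_state, 64); chacha_permute(x, 20); return x[i]; }
/* Returns 1 if the key words (state[4..11]) come back from a leftover copy of
 * permuted_state, i.e. the copy is exactly as sensitive as the key itself. */
static int key_recoverable(const uint32_t state[16], int nrounds)
{
	uint32_t permuted_state[16];
	memcpy(permuted_state, state, sizeof(permuted_state));
	chacha_permute(permuted_state, nrounds);
	chacha_unpermute(permuted_state, nrounds);	/* run the permutation backwards */
	int hit = memcmp(&permuted_state[4], &state[4], 8 * sizeof(uint32_t)) == 0;
	zeroize(permuted_state, 16);	/* the fix: clear it before it goes out of scope */
	return hit;
}
```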