netbsd-bugs: lib/32778: Sensitive parameter clearing code in sha1 will be removed by optimizer

Subject: lib/32778: Sensitive parameter clearing code in sha1 will be removed by optimizer
To: None <lib-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <john@johnrshannon.com>
List: netbsd-bugs
Date: 02/08/2006 22:35:00

>Number:         32778
>Category:       lib
>Synopsis:       Sensitive parameter clearing code in sha1 will be removed by optimizer
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Feb 08 22:35:00 +0000 2006
>Originator:     shannonjr@NetBSD.org
>Release:        NetBSD 3.99.15
>Organization:
	NetBSD.org
>Environment:
System: NetBSD colleen.internal.johnrshannon.com 3.99.15 NetBSD 3.99.15 (KERNEL.MPACPI.COLLEEN) #0: Sun Feb 5 06:41:34 MST 2006 build@colleen.internal.johnrshannon.com:/usr/obj/import/CURRENT/src/sys/arch/i386/compile/KERNEL.MPACPI.COLLEEN i386
Architecture: i386
Machine: i386
>Description:
	src/common/lib/libc/hash/sha1/sha1.c contains the following:

	   /* Wipe variables */
           a = b = c = d = e = 0;

       as the last lines in SHA1Transform() to ensure that sensitive
       intermediate values are not left on the stack. The problem is
       that most optimizing compilers will optimize these statements
       away.

>How-To-Repeat:
	Identified in code review.
>Fix:
	Use mset() to clear variables.