zero-on-drop

[mcginty]

clear out sensitive key material from the stack when they're dropped

https://github.com/isislovecruft/curve25519-dalek/issues/11 for some options

[Ryman]

Updated link: dalek-cryptography/curve25519-dalek#11

[gedigi]

I was looking at implementing zeroize for the Keypair struct. However, it will affect callers as they'd not be able to move that struct (and members) anymore. What do you suggest? Would this be a major version change?

Also, for non-default resolver, the cleanest approach would be to zero memory as part of their library (similar to what Dalek does) and not at the snow layer.

Ref:

• Implement custom Drop trait for all private keys to zero memory briansmith/ring#566

[fogti]

Can callers wrap that struct themselves in a Zeroizing (without restricting the usage in common cases)?

[tarcieri]

If one of the existing impls Zeroize provides works on them yes. However, if the underlying types can be moved/copied, they will still leave copies in memory.

[mcginty]

@gedigi (one year later) I think that this seems like a pretty reasonable way to go, and people that want a less secure keypair struct can simply make their own and convert to snow's keypair type as needed.

Maybe a good way to start that's not even a breaking change is simply to use Zeroize to clear out sensitive material that's no longer used during the transition from HandshakeState to TransportState.