Gentoo Archives: gentoo-dev

From: Patrick Lauer <patrick@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Akamai secure memory allocator for OpenSSL?
Date: Mon, 14 Apr 2014 00:11:47
In Reply to: [gentoo-dev] Akamai secure memory allocator for OpenSSL? by Joshua Kinard
1 On 04/14/2014 04:42 AM, Joshua Kinard wrote:
2 >
3 > So one of the side-discussions happening after Heartbleed was the fact that
4 > OpenSSL has its own memory allocator code that effectively mitigates any C
5 > library-provided exploit mitigations (as discussed on the openbsd-misc ML at
6 > [1] and Ted Unangst's blogs at [2] and [3]).
7 [snip good explanation]
9 > It basically provides a secure memory area protected by guard pages for
10 > sensitive data, like RSA private keys, so that if another Heartbleed-like
11 > event occurs, things won't be as bad. Hopefully...
15 > Is this something we want to look at adding to our openssl copy via an
16 > optional USE flag (default off)?
18 At this point in time I'd say we better wait for the storm to settle
19 down - apparently the akamai patches are only fixing a small part of the
20 problem.
22 I don't have a strong opinion as I haven't had to think about the
23 internals of crypto software in a while, but hastily adding
24 not-well-reviewed code might not be the best strategy.
26 Have fun,
28 Patrick


Subject Author
Re: [gentoo-dev] Akamai secure memory allocator for OpenSSL? Joshua Kinard <kumba@g.o>