| 1 |
On 04/13/2014 20:17, Patrick Lauer wrote: |
| 2 |
> On 04/14/2014 04:42 AM, Joshua Kinard wrote: |
| 3 |
>> |
| 4 |
>> So one of the side-discussions happening after Heartbleed was the fact that |
| 5 |
>> OpenSSL has its own memory allocator code that effectively mitigates any C |
| 6 |
>> library-provided exploit mitigations (as discussed on the openbsd-misc ML at |
| 7 |
>> [1] and Ted Unangst's blogs at [2] and [3]). |
| 8 |
> [snip good explanation] |
| 9 |
> |
| 10 |
>> It basically provides a secure memory area protected by guard pages for |
| 11 |
>> sensitive data, like RSA private keys, so that if another Heartbleed-like |
| 12 |
>> event occurs, things won't be as bad. Hopefully... |
| 13 |
> |
| 14 |
> http://lekkertech.net/akamai.txt |
| 15 |
|
| 16 |
I was not aware of that write up. Nice find! That effectively rules this |
| 17 |
patch out. |
| 18 |
|
| 19 |
|
| 20 |
>> Is this something we want to look at adding to our openssl copy via an |
| 21 |
>> optional USE flag (default off)? |
| 22 |
> |
| 23 |
> At this point in time I'd say we better wait for the storm to settle |
| 24 |
> down - apparently the akamai patches are only fixing a small part of the |
| 25 |
> problem. |
| 26 |
> |
| 27 |
> I don't have a strong opinion as I haven't had to think about the |
| 28 |
> internals of crypto software in a while, but hastily adding |
| 29 |
> not-well-reviewed code might not be the best strategy. |
| 30 |
|
| 31 |
Agreed. Crypto is not my strong suite, but I thought I'd see what others |
| 32 |
thought on the patch. Someone is either going to step up and really "fix" |
| 33 |
OpenSSL or the community will eventually nominate a replacement for it (ala |
| 34 |
XFree86 -> Xorg). |
| 35 |
|
| 36 |
-- |
| 37 |
Joshua Kinard |
| 38 |
Gentoo/MIPS |
| 39 |
kumba@g.o |
| 40 |
4096R/D25D95E3 2011-03-28 |
| 41 |
|
| 42 |
"The past tempts us, the present confuses us, the future frightens us. And |
| 43 |
our lives slip away, moment by moment, lost in that vast, terrible in-between." |
| 44 |
|
| 45 |
--Emperor Turhan, Centauri Republic |
Archives