1 |
On 04/13/2014 20:17, Patrick Lauer wrote: |
2 |
> On 04/14/2014 04:42 AM, Joshua Kinard wrote: |
3 |
>> |
4 |
>> So one of the side-discussions happening after Heartbleed was the fact that |
5 |
>> OpenSSL has its own memory allocator code that effectively mitigates any C |
6 |
>> library-provided exploit mitigations (as discussed on the openbsd-misc ML at |
7 |
>> [1] and Ted Unangst's blogs at [2] and [3]). |
8 |
> [snip good explanation] |
9 |
> |
10 |
>> It basically provides a secure memory area protected by guard pages for |
11 |
>> sensitive data, like RSA private keys, so that if another Heartbleed-like |
12 |
>> event occurs, things won't be as bad. Hopefully... |
13 |
> |
14 |
> http://lekkertech.net/akamai.txt |
15 |
|
16 |
I was not aware of that write up. Nice find! That effectively rules this |
17 |
patch out. |
18 |
|
19 |
|
20 |
>> Is this something we want to look at adding to our openssl copy via an |
21 |
>> optional USE flag (default off)? |
22 |
> |
23 |
> At this point in time I'd say we better wait for the storm to settle |
24 |
> down - apparently the akamai patches are only fixing a small part of the |
25 |
> problem. |
26 |
> |
27 |
> I don't have a strong opinion as I haven't had to think about the |
28 |
> internals of crypto software in a while, but hastily adding |
29 |
> not-well-reviewed code might not be the best strategy. |
30 |
|
31 |
Agreed. Crypto is not my strong suite, but I thought I'd see what others |
32 |
thought on the patch. Someone is either going to step up and really "fix" |
33 |
OpenSSL or the community will eventually nominate a replacement for it (ala |
34 |
XFree86 -> Xorg). |
35 |
|
36 |
-- |
37 |
Joshua Kinard |
38 |
Gentoo/MIPS |
39 |
kumba@g.o |
40 |
4096R/D25D95E3 2011-03-28 |
41 |
|
42 |
"The past tempts us, the present confuses us, the future frightens us. And |
43 |
our lives slip away, moment by moment, lost in that vast, terrible in-between." |
44 |
|
45 |
--Emperor Turhan, Centauri Republic |