Message-ID: <534B3970.7020308@gentoo.org>
Date: Sun, 13 Apr 2014 21:27:12 -0400
From: Joshua Kinard
To: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
List-Id: Gentoo Linux mail
Subject: Re: [gentoo-dev] Akamai secure memory allocator for OpenSSL?
References: <534AF6A8.6070001@gentoo.org> <534B2900.504@gentoo.org>
In-Reply-To: <534B2900.504@gentoo.org>

On 04/13/2014 20:17, Patrick Lauer wrote:
> On 04/14/2014 04:42 AM, Joshua Kinard wrote:
>>
>> So one of the side-discussions happening after Heartbleed was the fact that
>> OpenSSL has its own memory allocator code that effectively mitigates any C
>> library-provided exploit mitigations (as discussed on the openbsd-misc ML at
>> [1] and Ted Unangst's blogs at [2] and [3]).
> [snip good explanation]
>
>> It basically provides a secure memory area protected by guard pages for
>> sensitive data, like RSA private keys, so that if another Heartbleed-like
>> event occurs, things won't be as bad. Hopefully...
>
> http://lekkertech.net/akamai.txt

I was not aware of that write-up. Nice find! That effectively rules this
patch out.

>> Is this something we want to look at adding to our openssl copy via an
>> optional USE flag (default off)?
>
> At this point in time I'd say we better wait for the storm to settle
> down - apparently the akamai patches are only fixing a small part of the
> problem.
>
> I don't have a strong opinion as I haven't had to think about the
> internals of crypto software in a while, but hastily adding
> not-well-reviewed code might not be the best strategy.

Agreed. Crypto is not my strong suit, but I thought I'd see what others
thought on the patch. Someone is either going to step up and really "fix"
OpenSSL or the community will eventually nominate a replacement for it (à la
XFree86 -> Xorg).

-- 
Joshua Kinard
Gentoo/MIPS
kumba@gentoo.org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us. And
our lives slip away, moment by moment, lost in that vast, terrible
in-between."
--Emperor Turhan, Centauri Republic
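The "secure memory area protected by guard pages" that the quoted paragraph describes, as an added illustration that is not the Akamai patch, OpenSSL's allocator, or anything posted in the thread: a minimal POSIX mmap-based region with PROT_NONE pages on both sides of the data, a best-effort mlock to keep key material out of swap, and a wipe before unmapping. The `secure_region` type and the function names are assumptions of this example.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Assumed layout (not the Akamai or OpenSSL code): [guard][data][guard].
 * Anything that runs off the data pages hits PROT_NONE and faults. */
typedef struct {
    unsigned char *base;  /* start of the low guard page */
    size_t total;         /* guard + data + guard, in bytes */
    size_t page;          /* system page size */
} secure_region;

/* Map room for 'len' bytes of sensitive data, fenced by guard pages. */
static void *secure_alloc(secure_region *r, size_t len) {
    r->page = (size_t)sysconf(_SC_PAGESIZE);
    size_t data = (len + r->page - 1) / r->page * r->page;
    r->total = data + 2 * r->page;
    r->base = mmap(NULL, r->total, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (r->base == MAP_FAILED) { r->base = NULL; return NULL; }
    if (mprotect(r->base, r->page, PROT_NONE) != 0 ||
        mprotect(r->base + r->page + data, r->page, PROT_NONE) != 0) {
        munmap(r->base, r->total); r->base = NULL; return NULL;
    }
    /* Keep the data pages out of swap; mlock may fail under RLIMIT_MEMLOCK,
     * so treat it as best effort and report rather than abort. */
    if (mlock(r->base + r->page, data) != 0) perror("mlock (best effort)");
    return r->base + r->page;
}
/* Zero the data pages before unmapping so the contents do not outlive them. */
static int secure_free(secure_region *r) {
    if (!r->base) return -1;
    volatile unsigned char *p = r->base + r->page;
    for (size_t i = 0; i < r->total - 2 * r->page; i++) p[i] = 0;
    int rc = munmap(r->base, r->total);
    r->base = NULL;
    return rc;
}
/* Store a constructed 32-byte placeholder "key", read it back, release it. */
static int secure_region_demo(void) {
    secure_region r = {0};
    unsigned char *key = secure_alloc(&r, 32);
    if (!key) return -1;
    memset(key, 0xA5, 32);  /* constructed placeholder, not real key material */
    int ok = key[0] == 0xA5 && key[31] == 0xA5;
    return (secure_free(&r) == 0 && ok) ? 0 : -1;
}
```

A read or write that strays one byte past the data pages (the Heartbleed pattern) lands on a PROT_NONE page and takes a SIGSEGV instead of returning neighbouring memory; that fault, not silent disclosure, is the point of the guard.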