bug-gnulib@gnu.org mirror (unofficial)
From: Simon Josefsson via Gnulib discussion list <bug-gnulib@gnu.org>
To: Paul Eggert <eggert@cs.ucla.edu>
Cc: bug-gnulib@gnu.org
Subject: Re: [PROPOSED 0/4] memset_explicit patches
Date: Mon, 28 Nov 2022 11:15:07 +0100
Message-ID: <87edtn2xn8.fsf@latte>
In-Reply-To: <20221128045543.1355731-1-eggert@cs.ucla.edu> (Paul Eggert's message of "Sun, 27 Nov 2022 20:55:39 -0800")

Paul Eggert <eggert@cs.ucla.edu> writes:

> Here's a proposed set of patches to add support for C23's
> memset_explicit function, along with the corresponding fallout in
> Gnulib.  The idea is to prefer memset_explicit, but continue to
> support explicit_bzero (which is not marked as obsolescent, as it's
> too soon for that).  Comments welcome.

Thanks -- I did a brief code review and it looks fine, and thanks for
adding a test-case for this -- it will be interesting to see in what
environments it will fail, indicating problematic compiler optimizations
(or bugs).

A general observation is that I'm mixed about offering replacement of
security-relevant APIs which do not offer the same guarantees as a
secure implementation.  In these situations, it may actually be
preferable to crash or to refuse to build the application, at least by
default.  Compare with gnulib's getrandom().  On platforms we care
about, things should be secure, but it is just a small bug away from
gnulib deciding to replace a system/compiler-provided secure
memset_explicit with our less secure memset_explicit.

OTOH, this would create a lot of problems: libtasn1's use of read_file()
never uses the sensitive flag, and thus will never call explicit_bzero.
Refusing to build would be excessive.

/Simon
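The failure mode Simon expects the new test to catch (a wipe that the optimizer removes because the bytes are never read again), shown as an added example. This is not code from this thread or from gnulib; `secure_memset` is a hypothetical name for a fallback built the way such fallbacks are usually built (a call through a volatile function pointer plus a compiler memory barrier), and the `fold_key_*` routines and the sample secret are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not gnulib's own code.  secure_memset() is a hypothetical
   C23-style memset_explicit fallback: the call goes through a volatile
   function pointer, so the optimizer cannot see that the callee is memset
   and cannot classify the wipe as a dead store. */
static void *(*const volatile volatile_memset)(void *, int, size_t) = memset;

void *secure_memset(void *s, int c, size_t n)
{
    void *r = volatile_memset(s, c, n);
#if defined __GNUC__ || defined __clang__
    /* Belt and braces: an empty asm that declares s used and all memory
       clobbered, so later passes cannot reason the wipe away either. */
    __asm__ __volatile__("" : : "g"(s) : "memory");
#endif
    return r;
}

/* Constructed key-handling routine in the unsafe form.  After the last read
   of key[] the memset has no observable effect in the C abstract machine, so
   an optimizer (e.g. gcc -O2) is entitled to drop it.  Compile with -O2 -S
   and compare the generated code with fold_key_safe(). */
uint32_t fold_key_unsafe(const uint8_t *secret, size_t n)
{
    uint8_t key[32];
    uint32_t acc = 0;
    for (size_t i = 0; i < sizeof key; i++)
        key[i] = n ? secret[i % n] ^ (uint8_t)i : 0;
    for (size_t i = 0; i < sizeof key; i++)
        acc = acc * 31u + key[i];
    memset(key, 0, sizeof key);          /* dead store: may be elided */
    return acc;
}

/* Same routine, wiping through secure_memset(): the wipe survives. */
uint32_t fold_key_safe(const uint8_t *secret, size_t n)
{
    uint8_t key[32];
    uint32_t acc = 0;
    for (size_t i = 0; i < sizeof key; i++)
        key[i] = n ? secret[i % n] ^ (uint8_t)i : 0;
    for (size_t i = 0; i < sizeof key; i++)
        acc = acc * 31u + key[i];
    secure_memset(key, 0, sizeof key);   /* not a dead store to the compiler */
    return acc;
}

/* Functional check of the contract on a heap buffer: fill it with a pattern,
   overwrite every byte with `fill`, and return how many bytes still differ
   from `fill` (expected: 0).  Returns (size_t)-1 on allocation failure. */
size_t wipe_and_count_mismatch(size_t n, int fill)
{
    uint8_t *buf = malloc(n ? n : 1);
    size_t bad = 0;
    if (!buf)
        return (size_t)-1;
    for (size_t i = 0; i < n; i++)
        buf[i] = (uint8_t)(0xA5 ^ i);
    secure_memset(buf, fill, n);
    for (size_t i = 0; i < n; i++)
        if (buf[i] != (uint8_t)fill)
            bad++;
    free(buf);
    return bad;
}

int main(void)
{
    /* Constructed sample secret; any bytes will do. */
    static const uint8_t secret[] = "constructed sample secret";
    uint32_t a = fold_key_unsafe(secret, sizeof secret - 1);
    uint32_t b = fold_key_safe(secret, sizeof secret - 1);
    return (a == b
            && wipe_and_count_mismatch(4096, 0) == 0
            && wipe_and_count_mismatch(17, 0xFF) == 0) ? 0 : 1;
}
```

Running the program only proves the functional contract (every byte is overwritten); the security property is visible in the object code, so the check a practitioner wants is `gcc -O2 -S` (or `objdump -d`) on the two `fold_key_*` functions and looking for whether the clearing of `key` is still emitted. In a real build the choice between the C library's `memset_explicit` and a fallback like this one is made at configure time, which is exactly where the misdetection Simon worries about would silently select the weaker implementation.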

Thread overview: 11+ messages
2022-11-28  4:55 [PROPOSED 0/4] memset_explicit patches Paul Eggert
2022-11-28  4:55 ` [PROPOSED 1/4] memset_explicit: new module Paul Eggert
2022-11-28 16:17   ` Bruno Haible
2022-11-28  4:55 ` [PROPOSED 2/4] read-file: use memset_explicit Paul Eggert
2022-11-28  4:55 ` [PROPOSED 3/4] explicit_bzero: memset_explicit is standard Paul Eggert
2022-11-28  4:55 ` [PROPOSED 4/4] explicit_bzero: implement via memset_explicit Paul Eggert
2022-11-28 16:17   ` Bruno Haible
2022-11-29  6:06     ` Paul Eggert
2022-11-29  8:09       ` Bruno Haible
2022-11-28 10:15 ` Simon Josefsson via Gnulib discussion list [this message]
2022-11-28 16:04   ` [PROPOSED 0/4] memset_explicit patches Bruno Haible
