On 04/13/2014 20:17, Patrick Lauer wrote: > On 04/14/2014 04:42 AM, Joshua Kinard wrote: >> >> So one of the side-discussions happening after Heartbleed was the fact that >> OpenSSL has its own memory allocator code that effectively mitigates any C >> library-provided exploit mitigations (as discussed on the openbsd-misc ML at >> [1] and Ted Unangst's blogs at [2] and [3]). > [snip good explanation] > >> It basically provides a secure memory area protected by guard pages for >> sensitive data, like RSA private keys, so that if another Heartbleed-like >> event occurs, things won't be as bad. Hopefully... > > http://lekkertech.net/akamai.txt
I was not aware of that write up. Nice find! That effectively rules this patch out. >> Is this something we want to look at adding to our openssl copy via an >> optional USE flag (default off)? > > At this point in time I'd say we better wait for the storm to settle > down - apparently the akamai patches are only fixing a small part of the > problem. > > I don't have a strong opinion as I haven't had to think about the > internals of crypto software in a while, but hastily adding > not-well-reviewed code might not be the best strategy. Agreed. Crypto is not my strong suite, but I thought I'd see what others thought on the patch. Someone is either going to step up and really "fix" OpenSSL or the community will eventually nominate a replacement for it (ala XFree86 -> Xorg). -- Joshua Kinard Gentoo/MIPS ku...@gentoo.org 4096R/D25D95E3 2011-03-28 "The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between." --Emperor Turhan, Centauri Republic
