On Fri, Jun 12, 2015 at 11:24 AM, Olaf Till <[email protected]> wrote: > Dear all, > can someone tell me the reason why gnutls_global_set_mem_functions() > isn't supported anymore? I might be wrong, but as I see it such a > functionality is needed, at least in my application: > I've based a plugin for parallel command execution in a cluster on > gnutls with SRP. Both client and server machines hold a cleartext > password in memory allocated by gnutls. Since gnutls just uses free(), > the password is not zeroed before deallocation. To my understanding, > after the client or server program exits, other users on these > machines have a chance to have the password in memory they allocate > which was previously allocated and freed by gnutls.
In modern operating systems such as Linux pages are zeroized before they are passed to other applications so this is not really a threat. The threat remains however when you have bugs like heartbleed and arbitrary memory areas are exposed. For that, since gnutls 3.3.x sensitive memory areas are overwritten by gnutls itself when needed (the focus with that change was mostly the FIPS140-2 related algorithms so an audit in the SRP code may be needed). regards, Nikos _______________________________________________ Gnutls-help mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnutls-help
