Usage of Secure C (memcpy_s, strcpy_s etc) functions on OpenSSL
Libor Chocholaty
ossl at mts.cz
Tue Nov 26 12:51:47 UTC 2019
Hello,
these _s functions are not so much safer than the standard ones. Using
them makes just MSVC happy.
Regards,
Libor
On 2019-11-26 12:07, Raja ashok wrote:
> Hi All,
>
> We are using OpenSSL in our projects and we found some of the C standard functions (like memcpy, strcpy) used in OpenSSL may induce security vulnerablities like buffer overflow. Currently we have not found any instances which causes such issues.
>
> But we feel better to change these calls to C11 standard's secure functions like memcpy_s, strcpy_s etc. By defining a secure calls method (list of func pointers) and allowing application to register the method. I understand that this affects performance because of return value check added for xxxx_s calls, but this will make sure it removes buffer overflow kind of issues completely from code. And also currently using secure c calls is a general industry practice.
>
> Please share your opinion on it, and if any discussion happened in OpenSSL coummunity to do this change in future.
>
> Thanks in advance.
>
> Raja Ashok
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20191126/0de55e80/attachment.html>
More information about the openssl-users
mailing list