[openssl-dev] Proper explicit zeroing in VIA PadLock engine
Richard Levitte
levitte at openssl.org
Mon Apr 4 15:02:33 UTC 2016
In message <20160404.164942.868027325565615626.levitte at openssl.org> on Mon, 04 Apr 2016 16:49:42 +0200 (CEST), Richard Levitte <levitte at openssl.org> said:
levitte> In message <20160404144408.GA75125 at thinkpad.swarthmore.edu> on Mon, 4 Apr 2016 10:44:09 -0400, Michael McConville <mmcco at mykolab.com> said:
levitte>
levitte> mmcco> Richard Levitte wrote:
levitte> mmcco> > That being said, engines/e_padlock.c has changed quite a bit since, so
levitte> mmcco> > if patching is still needed, it needs to be reworked with somewhat
levitte> mmcco> > more modern code (that libressl patch applies to OpenSSL 0.9.8, which
levitte> mmcco> > is past EOL).
levitte> mmcco>
levitte> mmcco> True, but it's still the same one line that needs to be changed.
levitte> mmcco> engines/e_padlock.c:779:
levitte> mmcco>
levitte> mmcco> > *(volatile unsigned int *)&buf = 0;
levitte> mmcco>
levitte> mmcco> I've never worked with OpenSSL before, but the below is what I was
levitte> mmcco> imagining.
levitte> mmcco>
levitte> mmcco>
levitte> mmcco> diff --git a/engines/e_padlock.c b/engines/e_padlock.c
levitte> mmcco> index 96e7483..709c4de 100644
levitte> mmcco> --- a/engines/e_padlock.c
levitte> mmcco> +++ b/engines/e_padlock.c
levitte> mmcco> @@ -776,7 +776,8 @@ static int padlock_rand_bytes(unsigned char *output, int count)
levitte> mmcco> *output++ = (unsigned char)buf;
levitte> mmcco> count--;
levitte> mmcco> }
levitte> mmcco> - *(volatile unsigned int *)&buf = 0;
levitte> mmcco> +
levitte> mmcco> + OPENSSL_cleanse(&buf, sizeof(buf));
levitte> mmcco>
levitte> mmcco> return 1;
levitte> mmcco> }
levitte>
levitte> That looks good enough, I'll see to it being inserted.
And pushed. Thank you!
commit 6c13488c4e75ef839bc07a3ce428289aef4bd267
Author: Richard Levitte <levitte at openssl.org>
Date: Mon Apr 4 16:55:12 2016 +0200
Make sure the rand_byte buffer in padlock engine is cleansed.
Submitted by Michael McConville <mmcco at mykolab.com>
Reviewed-by: Rich Salz <rsalz at openssl.org>
--
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
More information about the openssl-dev
mailing list