Usage of Secure C (memcpy_s, strcpy_s etc) functions on OpenSSL

Raja ashok raja.ashok at huawei.com
Tue Nov 26 11:07:25 UTC 2019


Hi All,

We are using OpenSSL in our projects and we found some of the C standard functions (like memcpy, strcpy) used in OpenSSL may induce security vulnerablities like buffer overflow. Currently we have not found any instances which causes such issues.

But we feel better to change these calls to C11 standard's secure functions like memcpy_s, strcpy_s etc. By defining a secure calls method (list of func pointers) and allowing application to register the method. I understand that this affects performance because of return value check added for xxxx_s calls, but this will make sure it removes buffer overflow kind of issues completely from code. And also currently using secure c calls is a general industry practice.

Please share your opinion on it, and if any discussion happened in OpenSSL coummunity to do this change in future.

Thanks in advance.
Raja Ashok
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20191126/602c1db0/attachment.html>


More information about the openssl-users mailing list