Usage of Secure C (memcpy_s, strcpy_s etc) functions on OpenSSL

Matthias St. Pierre Matthias.St.Pierre at
Tue Nov 26 13:38:56 UTC 2019

Hello Raja,

according to our policy, the OpenSSL C source code needs to conform to ISO C90, which makes it
impossible to adopt C11 features.

                 Chapter 20:  Portability

To maximise portability the version of C defined in ISO/IEC 9899:1990
should be used. This is more commonly referred to as C90. ISO/IEC 9899:1999
(also known as C99) is not supported on some platforms that OpenSSL is
used on and therefore should be avoided.



On 26.11.19 12:07, Raja ashok wrote:
> Hi All,
> We are using OpenSSL in our projects and we found some of the C standard functions (like memcpy, strcpy) used in OpenSSL may induce security vulnerablities like buffer overflow. Currently we have not found any instances which causes such issues.
> But we feel better to change these calls to C11 standard's secure functions like memcpy_s, strcpy_s etc. By defining a secure calls method (list of func pointers) and allowing application to register the method. I understand that this affects performance because of return value check added for xxxx_s calls, but this will make sure it removes buffer overflow kind of issues completely from code. And also currently using secure c calls is a general industry practice.
> Please share your opinion on it, and if any discussion happened in OpenSSL coummunity to do this change in future.
> Thanks in advance.
> Raja Ashok

More information about the openssl-users mailing list