On Fri, Jun 12, 2015 at 04:36:23PM +0200, Nikos Mavrogiannopoulos wrote:
> On Fri, Jun 12, 2015 at 11:24 AM, Olaf Till <[email protected]> wrote:
> > Dear all,
> >
> > can someone tell me the reason why gnutls_global_set_mem_functions()
> > isn't supported anymore? I might be wrong, but as I see it such a
> > functionality is needed, at least in my application:
> >
> > I've based a plugin for parallel command execution in a cluster on
> > gnutls with SRP. Both client and server machines hold a cleartext
> > password in memory allocated by gnutls. Since gnutls just uses free(),
> > the password is not zeroed before deallocation. To my understanding,
> > after the client or server program exits, other users on these
> > machines have a chance to have the password in memory they allocate
> > which was previously allocated and freed by gnutls.
>
> In modern operating systems such as Linux pages are zeroized before they
> are passed to other applications so this is not really a threat. The
> threat remains however when you have bugs like heartbleed and arbitrary
> memory areas are exposed. For that, since gnutls 3.3.x sensitive memory
> areas are overwritten by gnutls itself when needed (the focus with that
> change was mostly the FIPS140-2 related algorithms so an audit in the SRP
> code may be needed).

Ok, thanks for the information. In particular I wasn't aware that Linux
zeroizes passed pages.

Regards, Olaf

-- 
public key id EAFE0591, e.g. on x-hkp://pool.sks-keyservers.net
_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
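
The concern raised in the thread, a password left in heap memory that is released with a plain free(), shown next to a wipe-before-free variant. This is an added example, not code from the thread or from gnutls; every function name and the sample password are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* All names here are hypothetical helpers, not gnutls API. */
typedef void (*release_fn)(void *p, size_t n);

/* Call memset through a volatile pointer so the compiler cannot
 * treat the store to a soon-to-be-freed buffer as dead and drop it. */
static void *(*const volatile memset_v)(void *, int, size_t) = memset;

void secure_wipe(void *p, size_t n) {
    if (p != NULL && n > 0)
        memset_v(p, 0, n);
}

static size_t residual;  /* non-zero bytes seen at release time */

/* Release hook for the demo: inspect the buffer, then free it. */
static void audit_release(void *p, size_t n) {
    const unsigned char *b = p;
    residual = 0;
    for (size_t i = 0; i < n; i++)
        residual += (b[i] != 0);
    free(p);
}

/* Copy a password to the heap, release it with or without wiping,
 * and return how many secret bytes were still present at free(). */
size_t residual_after_release(const char *pw, int wipe, release_fn rel) {
    size_t n = strlen(pw) + 1;
    char *buf = malloc(n);
    if (buf == NULL)
        return (size_t)-1;
    memcpy(buf, pw, n);
    if (wipe)
        secure_wipe(buf, n);
    rel(buf, n);
    return residual;
}

int main(void) {
    const char *pw = "constructed-srp-pw";  /* constructed sample value */
    printf("plain free(): %zu bytes left\n",
           residual_after_release(pw, 0, audit_release));
    printf("wipe + free(): %zu bytes left\n",
           residual_after_release(pw, 1, audit_release));
    return 0;
}
```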
