[PATCH] memset_s() and talloc_set_secure()
slow at samba.org
Thu Oct 11 13:58:44 UTC 2018
On Thu, Oct 11, 2018 at 03:26:33PM +0200, Andreas Schneider via samba-technical wrote:
>On Thursday, 11 October 2018 13:15:17 CEST Stefan Metzmacher wrote:
>> Am 11.10.2018 um 13:07 schrieb Andrew Bartlett via samba-technical:
>> > On Thu, 2018-10-11 at 12:17 +0200, Andreas Schneider via samba-
>> > technical wrote:
>> >> Hello,
>> >> the attached patch adds memset_s()  and talloc_set_secure(). It will
>> >> make sure that memory is zeroed/erased before freeing to not keep
>> >> secrets around.>
>> > Stepping back a moment, how do you handle talloc_realloc()?
>> > That either needs to be banned or handled to ensure the old memory is
>> > wiped after a memcpy() to new memory (with performance losss).
>> > (And that will all need tests).
>> > Sorry this is turning into a can of worms, but if we do this we need to
>> > do it completely.
>> Yes, I also discussed privately with Andreas that we need to make sure
>> talloc_report() doesn't leak the content.
>> The current idea is:
>> #define talloc_keep_secret(ptr) _talloc_keep_secret(ptr, #ptr);
>> void _talloc_keep_secret(const void *ptr, const char *name);
>> While I may prefer to pass name explicit.
>> I guess talloc_asprintf_append* also needs special handling.
>> We need to decide what to do with talloc_strdup() and even more complex
>> talloc_asprintf(..., "%s", secret_talloc_string).
>What do you mean? That in case we pass a pointer to such a function it should
>I think if you do that you should do it like:
>char *password = talloc_strdup(talloc_secret_string);
>And not magically to it. I think explicitly calling it is better.
>> Do we force the caller to reuse talloc_keep_secret() or do we want to
>> somehow inherit the secret state.
>I would not inherit it, only talloc_realloc() should inherit it.
>The current state is here:
still misses the things I mentioned.
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG Key Fingerprint: FAE2 C608 8A24 2520 51C5
59E4 AA1E 9B71 2639 9E46
More information about the samba-technical