Bug #116599 for Net-SSLeay: memset calls to zero memory can be optimized away

Sun Jul 31 08:14:24 2016 nanis [...] cpan.org - Ticket created

Subject:	memset calls to zero memory can be optimized away
Date:	Sun, 31 Jul 2016 08:14:12 -0400
To:	bug-Net-SSLeay [...] rt.cpan.org
From:	"A. Sinan Unur" <nanis [...] cpan.org>

See https://cwe.mitre.org/data/definitions/14.html http://www.daemonology.net/blog/2014-09-04-how-to-zero-a-buffer.html http://www.daemonology.net/blog/2014-09-05-erratum.html C11 provides memset_s which may not be available on a lot of platforms. VC provides SecureZeroMemory (see <https://msdn.microsoft.com/en-us/library/windows/desktop/aa366877(v=vs.85).aspx>). OpenSSL provides a function OPENSSL_cleanse (see <https://www.openssl.org/docs/manmaster/crypto/OPENSSL_malloc.html>) among others. A search of the OpenSSL repo shows OPENSSL_cleans is used throughout the source. C:\Users\sinan\.cpanm\work\1469964982.3552\Net-SSLeay-1.76> findstr /ns memset *.xs SSLeay.xs:1315: memset(key_name, 0, sizeof(key_name)); SSLeay.xs:1320: memset(new_name, 0, sizeof(new_name)); SSLeay.xs:1367: memset(&t,0,sizeof(t));

Mon Nov 26 10:24:32 2018 RADIATOR [...] cpan.org - Correspondence added

On Sun 31.heinä 2016 08:14:24, nanis@cpan.org wrote: Show quoted text

> OpenSSL provides a function OPENSSL_cleanse (see > <https://www.openssl.org/docs/manmaster/crypto/OPENSSL_malloc.html>) > among others.

I chose OPENSSL_cleanse because it's available on all supported library versions. A patch is available at Github via issue 102: https://github.com/radiator-software/p5-net-ssleay/issues/102 Thanks! -- Heikki Vatiainen

Mon Nov 26 10:24:33 2018 The RT System itself - Status changed from 'new' to 'open'

Mon Nov 26 10:24:34 2018 RADIATOR [...] cpan.org - Status changed from 'open' to 'patched'

Sun Dec 16 11:34:28 2018 chrisn [...] cpan.org - Status changed from 'patched' to 'resolved'

Sun Dec 16 11:34:28 2018 chrisn [...] cpan.org - Given to RADIATOR

Sun Dec 16 11:34:29 2018 chrisn [...] cpan.org - Fixed in 1.86_07 added