On 04/14/2014 04:42 AM, Joshua Kinard wrote:
>
> So one of the side-discussions happening after Heartbleed was the fact that
> OpenSSL has its own memory allocator code that effectively mitigates any C
> library-provided exploit mitigations (as discussed on the openbsd-misc ML at
> [1] and Ted Unangst's blogs at [2] and [3]).

[snip good explanation]

> It basically provides a secure memory area protected by guard pages for
> sensitive data, like RSA private keys, so that if another Heartbleed-like
> event occurs, things won't be as bad.

Hopefully...
http://lekkertech.net/akamai.txt

> Is this something we want to look at adding to our openssl copy via an
> optional USE flag (default off)?

At this point in time I'd say we better wait for the storm to settle down -
apparently the akamai patches are only fixing a small part of the problem.

I don't have a strong opinion as I haven't had to think about the internals of
crypto software in a while, but hastily adding not-well-reviewed code might not
be the best strategy.

Have fun,

Patrick
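
The guard-page idea mentioned in the quoted message, sketched as an added C example. It is not the Akamai patch, not OpenSSL code, and not part of this thread, and the names `guarded_alloc`, `guarded_free` and `probe_read` are hypothetical. It shows only that a read running off the end of a guarded buffer faults instead of returning neighbouring memory.

```c
#define _DEFAULT_SOURCE
#include <signal.h>
#include <stddef.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

static size_t round_pages(size_t len, size_t pg) { return (len + pg - 1) / pg * pg; }

/* Map [guard page][data pages][guard page]. The buffer is placed so that it
 * ends exactly at the trailing guard: any overread faults immediately.
 * The returned pointer is only byte-aligned, which is fine for raw key bytes. */
static unsigned char *guarded_alloc(size_t len)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE), data = round_pages(len, pg);
    if (len == 0) return NULL;
    unsigned char *base = mmap(NULL, data + 2 * pg, PROT_NONE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    if (mprotect(base + pg, data, PROT_READ | PROT_WRITE) != 0) {
        munmap(base, data + 2 * pg);
        return NULL;
    }
    (void)mlock(base + pg, data);   /* best effort: keep the secret out of swap */
    return base + pg + data - len;
}

/* Wipe the secret, then unmap the data pages together with both guards. */
static void guarded_free(unsigned char *p, size_t len)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE), data = round_pages(len, pg);
    for (volatile unsigned char *q = p; q < p + len; q++) *q = 0;
    munmap(p + len - data - pg, data + 2 * pg);
}

/* Read buf[off] in a child process. Returns 0 if the read succeeded,
 * otherwise the signal that killed the child (SIGSEGV on a guard hit). */
static int probe_read(const unsigned char *buf, size_t off)
{
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        (void)*(volatile const unsigned char *)(buf + off);
        _exit(0);
    }
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFSIGNALED(st) ? WTERMSIG(st) : 0;
}
```

Because the buffer is right-aligned against the trailing guard, a read just before the buffer lands in page slack and does not fault unless the length is a whole number of pages.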