-
Notifications
You must be signed in to change notification settings - Fork 486
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use OPENSSL_cleanse if OpenSSL is used #1773
Conversation
Thanks for the PR! Yes, we could use A couple of minor things to make our CI checks pass:
|
Hi @bencemali, thanks for the PR. It's correct that |
Following up on this more concretely: could you please rework the logic so that we only use |
OpenSSL guarantees that |
a5b1ee2
to
7016369
Compare
For our "peace of mind", do you have a pointer documenting this guarantee, @bencemali ? https://www.openssl.org/docs/manmaster/man3/OPENSSL_cleanse.html seems a bit non-committal. What is true is that the |
My two cents:
I understand that OpenSSL is a ubiquitous, trusted library. However,
I agree that we could rely on OpenSSL here and wash our hands of the matter, but to me it seems like a regression: our fallback code is, as far as I can tell, implemented in exactly the same way as I'm open to the idea to defaulting to IMO, what we decide here sets precedent for common (especially OpenSSL-related) code decisions across the project, and we should be able to consistently apply whatever rationale we use for future decisions. |
Good points. This indeed then feels like a regression, particularly considering
First, might it be worth while getting the OpenSSLs team's opinion on your "non-OpenSSL" cleansing code? Second, this of course implies we accepted This argument does not sound as strong, though:
Well, there's been a reason for that and I hope it's not "just" what's documented (?):
This kind of seems to imply OQS values performance over security. This may be intended but should be clearly documented. |
OpenSSL API docs about
As this function is in OpenSSL's publicly available API and says that it will fill the buffer with zeros, I'd assume it's a good enough that it works. If it would not, it would be treated as a large security issue within OpenSSL itself. |
ACK. It's also the reason why OQS apparently also bases its implementation on this as per the statements above. So we're down to deciding the question by @SWilson4 :
--> Do we want to follow the OpenSSL approach throughout? Who's going to change the code "in the rest of" Assuming this is the way we go, I approve. |
Just because we use OpenSSL for some things, doesn't mean we have to use them for everything nor agree with every choice they make. As far as I know, there are good reasons to use the dedicated functions
I don't understand what the "rest of" is referring to here. |
If this is an issue with no clear "best" solution, it could be added as a choice for users. There is an option whether to use OpenSSL for SHA3 called |
Doing this would a) create more (too much?) configurability and b) make us shirk a decision on a good default -- that I think a trustworthy security software library should be able to make for its users -- that by and large (should be allowed to) know less than the developers of the library.
Can you please elaborate on them & particularly why they are apparently not used by OpenSSL?
I meant all code requiring secure memory clearing in the absence of OpenSSL. If there is none or if the macro is already used throughout the code base, I agree this may be the empty set. |
I agree, I don't think this level of configurability is necessary.
For these specific functions, the compilers promise that they will not optimize the call away. As far as I know, the volatile trick that we use as a backup (and that OpenSSL uses as a default) is just that -- a trick, which we think that compilers will not optimize away, but there's no formal guarantee that compilers won't optimize it away.
This should be the only place that the change is needed in our code base -- the rest of the code in liboqs is meant to be calling |
OK, I just took a closer look through the OpenSSL repo and found what appear to be assembly implementations of With this knowledge, I'm OK with this PR as-is. What I said above about it being a regression does not apply, as the OpenSSL implementation apparently does not simply default to the approach that we use as a fallback. I'll approve once CI is green (a rebase on |
7016369
to
89c845a
Compare
Thanks @dstebila . @bencemali Please note the CI failure: It seems to be relevant. |
Signed-off-by: Bence Mali <bence.mali@tresorit.com>
89c845a
to
15fd0cf
Compare
Thanks @bencemali for the fix in the latest commit! CI passes. Now a second review/approval please @SWilson4 @dstebila so we can merge this finally. |
Thanks for the changes @bencemali! |
The OPENSSL_cleanse function could be used when OQS_USE_OPENSSL is set.