[patch] wipe secure memory after iconv failure

Werner Koch wk at gnupg.org
Mon Jan 26 17:59:18 CET 2015


On Wed, 21 Jan 2015 05:49, dkg at fifthhorseman.net said:

> From: Eygene Ryabinkin <rea at codelabs.ru>
> Date: Mon, 5 Jan 2015 02:38:11 +0300
> Subject: [PATCH] Apply secure wipe after iconv failure
>
> Iconv conversion can fail in the middle of operation, so "pwbuf"
> can have some parts of the password, so it is safer to clean it

Right; but ...


>            log_error ("error converting passphrase to"
>                       " requested charset '%s': %s\n",
>                       charset, strerror (errno));
> -          gcry_free (pwbuf);
> -          pwbuf = NULL;
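Review bot: dropping `gcry_free (pwbuf); pwbuf = NULL;` from the error branch makes cleanup of the partially converted passphrase depend on control reaching the function's final `if (pwbuf) { wipememory (pwbuf, pwbufsize); gcry_free (pwbuf); }` block; check that nothing between this `log_error` and that block returns early, since an early return would now leak a buffer that may hold a prefix of the passphrase. A one-line comment at this spot noting that pwbuf is wiped and freed by the common exit path would also help, because the patch title promises a wipe while the hunk itself only removes code.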

PWBUF has been allocated using 

      pwbuf = gcry_malloc_secure (pwbufsize);

and thus it has been allocated in secure memory.  Even if it is
questionable whether that mlock()ed memory area is still useful, it has
the property that gcry_free will overwrite the allocated memory.  The
secure memory allocator knows about the size and thus there is no need
for the application to keep track of it.

The wipememory at 

  if (pwbuf)
    {
      wipememory (pwbuf, pwbufsize);
      gcry_free (pwbuf);
    }

is just a failsafe method in case the code is being used with an
improper memory allocator.  We could just remove that wipememory.

However your fix removes code which is a good idea anyway and thus I
will use that (commit 6c87d1c).  Thanks.



Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
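The two points in this exchange, that iconv can stop partway and leave a prefix of the passphrase in the output buffer, and that a size-tracking secure allocator wipes on free so the caller need not track the length, shown as an added example in C. This is not GnuPG or libgcrypt code: sec_malloc, sec_free and sec_size are hypothetical stand-ins for gcry_malloc_secure and gcry_free, convert_passphrase is a hypothetical stand-in for the passphrase conversion in the patched function, the g_wipes counter exists only so the scrub can be observed, and the constructed input "pass\xffword" contains an invalid UTF-8 byte so that iconv fails with EILSEQ after writing the first four bytes.

```c
#include <errno.h>
#include <iconv.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* Added example, not GnuPG/libgcrypt code.  sec_malloc/sec_free are a
 * hypothetical stand-in for gcry_malloc_secure/gcry_free: the allocator
 * records the size in a header, so freeing wipes the whole block without
 * the caller tracking the length.  g_wipes exists only so a test can
 * observe that a buffer was scrubbed. */

static size_t g_wipes;

static void wipe_bytes(void *p, size_t n)
{
    /* volatile keeps the compiler from eliding the stores as dead */
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
    g_wipes++;
}

struct sec_hdr { size_t size; size_t pad; };   /* 16 bytes: keeps payload aligned */

static void *sec_malloc(size_t size)
{
    struct sec_hdr *h = malloc(sizeof *h + size);
    if (!h)
        return NULL;
    h->size = size;
    (void)mlock(h, sizeof *h + size);   /* best effort; may fail under RLIMIT_MEMLOCK */
    return h + 1;
}

static size_t sec_size(const void *p)
{
    return p ? ((const struct sec_hdr *)p - 1)->size : 0;
}

static void sec_free(void *p)
{
    if (!p)
        return;
    struct sec_hdr *h = (struct sec_hdr *)p - 1;
    size_t total = sizeof *h + h->size;
    wipe_bytes(h, total);         /* header and payload: the allocator knows the size */
    (void)munlock(h, total);
    free(h);
}

/* Convert the UTF-8 passphrase PW to CHARSET into a secure buffer.
 * Success: returns the output length; *OUT owns the buffer (free with sec_free).
 * Failure: returns -1 with errno set, *OUT is NULL, and *PARTIAL reports how
 * many bytes iconv had already written before it stopped, i.e. the prefix of
 * the passphrase that sat in the buffer.  That buffer is wiped and freed by
 * the single sec_free call, which is the thread's point: the secure
 * allocator's free is what scrubs the memory. */
static long convert_passphrase(const char *pw, const char *charset,
                               unsigned char **out, size_t *partial)
{
    *out = NULL;
    *partial = 0;

    iconv_t cd = iconv_open(charset, "UTF-8");
    if (cd == (iconv_t)-1)
        return -1;

    size_t inleft = strlen(pw);
    size_t outsize = inleft * 4 + 8;     /* covers UTF-32 with BOM, plus a NUL */
    unsigned char *buf = sec_malloc(outsize);
    if (!buf) {
        iconv_close(cd);
        return -1;
    }

    char *inp = (char *)pw;              /* iconv's API wants non-const */
    char *outp = (char *)buf;
    size_t outleft = outsize;
    size_t rc = iconv(cd, &inp, &inleft, &outp, &outleft);
    int saved_errno = errno;
    iconv_close(cd);

    if (rc == (size_t)-1) {
        *partial = outsize - outleft;    /* passphrase bytes left behind by iconv */
        sec_free(buf);                   /* one call: wipe, unlock, free */
        errno = saved_errno;
        return -1;
    }

    *outp = '\0';                        /* outleft >= 1 by the sizing above */
    *out = buf;
    return (long)(outsize - outleft);
}

int main(void)
{
    unsigned char *out;
    size_t partial;
    /* constructed input: 0xFF is never valid UTF-8, so iconv stops after "pass" */
    long n = convert_passphrase("pass\xff" "word", "ISO-8859-1", &out, &partial);
    if (n < 0)
        printf("conversion failed (%s); %zu passphrase bytes were in the buffer and got wiped\n",
               strerror(errno), partial);
    else
        sec_free(out);
    return 0;
}
```

On glibc and musl iconv is part of libc, so this builds with no extra flags; on systems where iconv comes from a separate libiconv, link with -liconv. The mlock call is deliberately best effort so the example still runs where locked memory is limited, which is also why the wipe on free, not the lock, is the property the thread relies on.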
