[fpc-pascal] Processing passwords etc.

[Michael Van Canneyt]

On Fri, 11 Apr 2014, Mark Morgan Lloyd wrote:

> Michael Van Canneyt wrote:
>> On Fri, 11 Apr 2014, Mark Morgan Lloyd wrote:
>> 
>>> Is my understanding correct that when a string or a dynamic array is 
>>> extended it might result in its existing content being released to the 
>>> heap?
>>> 
>>> If so, is it possible to ensure that this is zeroed or randomised first, 
>>> without having to do it manually?
>> 
>> Currently not, although such behaviour could easile be introduced as an 
>> option.
>> 
>> Current HeartBleed frenzy getting you (or your bosses) scared ? :)
>
> :-) No, but I don't think enough people are focussing on the real problem 
> which is that the OpenSSL developers were letting sensitive data leak to the 
> freelist.
>
> If, when they wrote the code some years ago, they'd been rigorous in their 
> handling of passwords and private keys then the current bug- introduced in 
> 2012- would have been far less serious.

Correct.

Having looked at the openssl library, I can say it's a miracle it works at all.
Rarely seen such a mess of macros and whatnot, a good showcase of why I think 
C is not a good language choice. So, not surprised that it contains leaks :(

OTOH, I think people are hugely exaggerating the problem, considering it was 
introduced relatively recently and that I got my security update before it 
hit the newspapers.

That is of course not to say that it shouldn't be fixed and people shouldn't bother.
But the way it is presented is more about scaring people than anything else. 
Hysterics...


Michael.