[Boost-bugs] [Boost C++ Libraries] #13312: boost::locale::conv and secure memory buffers

From: Boost C++ Libraries (noreply_at_[hidden])
Date: 2017-11-27 15:07:09


#13312: boost::locale::conv and secure memory buffers
-------------------------------------------------+-------------------------
 Reporter: Marcus Brinkmann <marcus.brinkmann@…> | Owner: Artyom Beilis
     Type: Feature Requests                      | Status: new
Milestone: To Be Determined                      | Component: locale
  Version: Boost 1.63.0                          | Severity: Problem
 Keywords:                                       |
-------------------------------------------------+-------------------------
 Sometimes it is useful to convert passwords from one encoding to another
 to guess the right encoding (for example to import certificates which have
 been exported with broken software).

 For such (and maybe other cases) it would be nice if from_utf and to_utf
 had an option to specify the output memory buffer. I guess this would be
 best done via a template specialization.

 I realize that this is a somewhat obscure concern. The benefit of trying
 to keep a password in secure memory is discussed even among experts.
 There are many other places higher (pipes, keyboard buffers) and lower
 (CPU caches) in the stack where password traces can remain. On the other
 hand, scanning the swap space for key material and passwords in the clear
 is a basic security check. For me, this is something that should be fixed
 if it is easy to do.

 Right now, I am using this pattern, which at best relies on RVO and leaves
 a small race:

 {{{
   std::string convertedpw_ =
       boost::locale::conv::from_utf<char>(password, charset);
   Botan::secure_vector<uint8_t> convertedpw(convertedpw_.size());
   memcpy(convertedpw.data(), convertedpw_.data(), convertedpw_.size());
   /* Best effort. */
   Botan::secure_scrub_memory((void *)convertedpw_.data(),
       convertedpw_.size());
 }}}

 Anyway, thanks a lot for a great library!

-- 
Ticket URL: <https://svn.boost.org/trac10/boost/ticket/13312>
Boost C++ Libraries <http://www.boost.org/>
Boost provides free peer-reviewed portable C++ source libraries.
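
The request in the ticket above, sketched as an added example that is not code from Boost.Locale, Botan, or the reporter: a conversion templated on its output container, so the converted password is written straight into a caller-chosen buffer with no temporary `std::string`. The names `scrub_allocator`, `scrubbed_bytes` and `utf8_to_latin1` are hypothetical, the conversion is fixed to UTF-8 to ISO-8859-1 as a stand-in for `from_utf` with a charset argument, and the allocator only zeroes memory on release (it does not lock pages in RAM).

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical allocator: zeroes every block before handing it back.
// It does not lock pages, so by itself it does not keep data out of swap.
template <class T>
struct scrub_allocator {
    using value_type = T;
    scrub_allocator() = default;
    template <class U> scrub_allocator(const scrub_allocator<U>&) {}
    T* allocate(std::size_t n) { return std::allocator<T>().allocate(n); }
    void deallocate(T* p, std::size_t n) {
        volatile unsigned char* b = reinterpret_cast<volatile unsigned char*>(p);
        for (std::size_t i = 0; i < n * sizeof(T); ++i) b[i] = 0;
        std::allocator<T>().deallocate(p, n);
    }
};
template <class T, class U>
bool operator==(const scrub_allocator<T>&, const scrub_allocator<U>&) { return true; }
template <class T, class U>
bool operator!=(const scrub_allocator<T>&, const scrub_allocator<U>&) { return false; }

using scrubbed_bytes = std::vector<std::uint8_t, scrub_allocator<std::uint8_t>>;

// Hypothetical from_utf variant: the caller picks the output container, so the
// converted bytes exist only in memory owned by that container's allocator.
template <class Out>
Out utf8_to_latin1(const std::string& in) {
    Out out;
    out.reserve(in.size());  // output is never longer than input: no reallocation
    for (std::size_t i = 0; i < in.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(in[i]);
        if (c < 0x80) { out.push_back(static_cast<typename Out::value_type>(c)); continue; }
        // ISO-8859-1 covers U+0080..U+00FF: lead byte C2 or C3 plus one continuation.
        if ((c != 0xC2 && c != 0xC3) || i + 1 >= in.size())
            throw std::invalid_argument("not representable in ISO-8859-1");
        unsigned char d = static_cast<unsigned char>(in[++i]);
        if ((d & 0xC0) != 0x80) throw std::invalid_argument("malformed UTF-8");
        out.push_back(static_cast<typename Out::value_type>(((c & 0x03) << 6) | (d & 0x3F)));
    }
    return out;
}
```

If the conversion throws partway through, the partially filled container is destroyed during unwinding and its storage is zeroed by the same allocator.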
