using explicit_bzero
Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
From: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
To: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2019-06-21T07:25:43Z
Lists: pgsql-hackers
Attachments
- 0001-Use-explicit_bzero.patch (text/plain) patch 0001
In a recent thread[0], the existence of explicit_bzero() was mentioned. I went to look where we could use that to clear sensitive information from memory and found a few candidates: - In be-secure-common.c, clear the entered SSL passphrase in the error path. (In the non-error path, the buffer belongs to OpenSSL.) - In libpq, clean up after reading .pgpass. Otherwise, the entire file including all passwords potentially remains in memory. - In libpq, clear the password after a connection is closed (freePGconn/part of PQfinish). - pg_hba.conf could potentially contain passwords for LDAP, so that should maybe also be cleared, but the structure of that code would make that more involved, so I skipped that for now. Efforts are probably better directed at providing facilities to avoid having to do that.[1] Any other ones? A patch that implements the first three is attached. [0]: https://www.postgresql.org/message-id/043403c2-f04d-3a69-aa8a-9bb7b9ce8e5b@iki.fi [1]: https://www.postgresql.org/message-id/flat/CA%2BhUKGJ44ssWhcKP1KYK2Dm9_XXk1_b629_qSDUhH1fWfuAvXg%40mail.gmail.com -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Commits
-
Use explicit_bzero
- 74a308cf5221 13.0 landed