[Cryptography] Heartbleed and fundamental crypto programming practices
danimoth
danimoth at cryptolab.net
Tue Apr 15 16:36:25 EDT 2014
On 10/04/14 at 03:49pm, Bear wrote:
> "Doesn't affect program output: therefore is a waste of work"
> is the underlying assumption, correct for most software, which
> is utterly, utterly wrong for crypto.
>
> In C and C++, variable locations are stable (and mostly have to
> be because those languages use explicit pointers) but you have
> to declare them 'volatile' to be absolutely sure that the compiler
> will never move them (without zeroing the old location) and that
> writes to them prior to deallocation will happen as the code
> commands.
>
> In most languages, there is absolutely no standard way to be sure
> of getting an optimizing compiler to leave final writes alone.
[cut]
If I understood correctly, all crypto software should be compiled with
-O0 flag...
More information about the cryptography
mailing list