Adding OPENSSL_secure_zalloc and BIO_s_secmem (aws#1476)

### Description of changes: Added BIO_s_secmem and OPENSSL_secure_zalloc. These functions are related to Secure Heaps which aren't supported in AWS-LC. Therefore, these functions use their normal alternatives (BIO_s_mem and OPENSSL_zalloc). By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
justsmth · Apr 17, 2024 · ca72f77 · ca72f77
1 parent 638f696
commit ca72f77
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 0 deletions.
diff --git a/crypto/bio/bio_mem.c b/crypto/bio/bio_mem.c
@@ -303,3 +303,7 @@ int BIO_set_mem_buf(BIO *bio, BUF_MEM *b, int take_ownership) {
 int BIO_set_mem_eof_return(BIO *bio, int eof_value) {
   return (int)BIO_ctrl(bio, BIO_C_SET_BUF_MEM_EOF_RETURN, eof_value, NULL);
 }
+
+const BIO_METHOD *BIO_s_secmem(void) {
+    return BIO_s_mem();
+}
diff --git a/crypto/mem.c b/crypto/mem.c
@@ -329,6 +329,8 @@ size_t CRYPTO_secure_used(void) { return 0; }
 
 void *OPENSSL_secure_malloc(size_t size) { return OPENSSL_malloc(size); }
 
+void *OPENSSL_secure_zalloc(size_t size) { return OPENSSL_zalloc(size); }
+
 void OPENSSL_secure_clear_free(void *ptr, size_t len) {
   OPENSSL_clear_free(ptr, len);
 }

diff --git a/include/openssl/bio.h b/include/openssl/bio.h
@@ -876,7 +876,11 @@ OPENSSL_EXPORT int BIO_meth_set_puts(BIO_METHOD *method,
 // BIO_meth_get_puts returns |puts| function of |method|.
 OPENSSL_EXPORT int (*BIO_meth_get_puts(const BIO_METHOD *method)) (BIO *, const char *);
 
+// BIO_s_secmem returns the normal BIO_METHOD |BIO_s_mem|. Deprecated since AWS-LC
+// does not support secure heaps.
+OPENSSL_EXPORT OPENSSL_DEPRECATED const BIO_METHOD *BIO_s_secmem(void);
 
+
 // General No-op Functions [Deprecated].
 
 // BIO_set_write_buffer_size returns zero.

diff --git a/include/openssl/mem.h b/include/openssl/mem.h
@@ -238,6 +238,14 @@ OPENSSL_EXPORT int CRYPTO_set_mem_functions(
   void *(*r)(void *, size_t, const char *, int),
   void (*f)(void *, const char *, int));
 
+// OPENSSL supports the concept of secure heaps to help protect applications from pointer overruns or underruns that
+// could return arbitrary data from the program's dynamic memory area where sensitive information may be stored.
+// AWS-LC does not support secure heaps. The initialization functions intentionally return zero to indicate that secure
+// heaps aren't supported. We return the regular malloc and zalloc versions when the secure_* counterparts are called,
+// which is what OPENSSL does when secure heap is not enabled.
+// If there is any interest in utilizing "secure heaps" with AWS-LC, cut us an issue at
+// https://github.com/aws/aws-lc/issues/new/choose
+
 // CRYPTO_secure_malloc_init returns zero.
 OPENSSL_EXPORT int CRYPTO_secure_malloc_init(size_t size, size_t min_size);
 
@@ -250,6 +258,9 @@ OPENSSL_EXPORT size_t CRYPTO_secure_used(void);
 // OPENSSL_secure_malloc calls |OPENSSL_malloc|.
 OPENSSL_EXPORT void *OPENSSL_secure_malloc(size_t size);
 
+// OPENSSL_secure_zalloc calls |OPENSSL_zalloc|.
+OPENSSL_EXPORT void *OPENSSL_secure_zalloc(size_t size);
+
 // OPENSSL_secure_clear_free calls |OPENSSL_clear_free|.
 OPENSSL_EXPORT void OPENSSL_secure_clear_free(void *ptr, size_t len);