From: Vitaly Chikunov <vt@altlinux.org>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
linux-integrity@vger.kernel.org
Subject: Re: [PATCH ima-evm-utils v2] Use secure heap for private keys and passwords
Date: Fri, 20 Aug 2021 00:20:12 +0300 [thread overview]
Message-ID: <20210819212012.uoi4aaxzv4egirkd@altlinux.org> (raw)
In-Reply-To: <20210819021136.664597-1-vt@altlinux.org>
On Thu, Aug 19, 2021 at 05:11:36AM +0300, Vitaly Chikunov wrote:
> After CRYPTO_secure_malloc_init OpenSSL will store private keys in
> secure heap. This facility is only available since OpenSSL_1_1_0-pre1.
>
> Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
> ---
> Change from v1:
> - Do not use setfbuf to disable buffering as this is not proven to be
> meaningful.
> - Use secure heap for passwords too as suggested by Mimi Zohar.
> - Fallback to OPENSSL_malloc for old OpenSSL as suggested by Mimi Zohar.
> - Simplify logic of calling CRYPTO_secure_malloc_init (call it always on
> OpenSSL init.)
> - Should be applied after Bruno Meneguele's "evmctl: fix memory leak in
> get_password" patch v2.
>
> src/evmctl.c | 143 ++++++++++++++++++++++++++++++++++++++++++---------
> 1 file changed, 118 insertions(+), 25 deletions(-)
>
> @@ -2651,6 +2721,16 @@ int main(int argc, char *argv[])
> #endif
> OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
> #endif
> +#if OPENSSL_VERSION_NUMBER > 0x10100000
> + /*
> + * This facility is available since OpenSSL_1_1_0-pre1.
> + * 'Heap size' 8192 is chosen to be big enough, so that any single key
> + * data could fit. 'Heap minsize' 64 is just to be efficient for small
> + * buffers.
> + */
> + CRYPTO_secure_malloc_init(8192, 64);
> +#endif
Forgot to check return value of this.
Thanks,
next prev parent reply other threads:[~2021-08-19 21:20 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-19 2:11 [PATCH ima-evm-utils v2] Use secure heap for private keys and passwords Vitaly Chikunov
2021-08-19 18:06 ` Mimi Zohar
2021-08-19 18:12 ` Vitaly Chikunov
2021-08-19 18:27 ` Bruno Meneguele
2021-08-19 20:11 ` Mimi Zohar
2021-08-19 20:10 ` Mimi Zohar
2021-08-19 18:28 ` Bruno Meneguele
2021-08-19 22:04 ` Vitaly Chikunov
2021-08-20 13:08 ` Bruno Meneguele
2021-08-19 21:20 ` Vitaly Chikunov [this message]
2021-08-19 21:42 ` Vitaly Chikunov
2021-08-19 22:21 ` Vitaly Chikunov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210819212012.uoi4aaxzv4egirkd@altlinux.org \
--to=vt@altlinux.org \
--cc=dmitry.kasatkin@gmail.com \
--cc=linux-integrity@vger.kernel.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox