Thread (7 messages) 7 messages, 3 authors, 2021-08-25

Re: [PATCH ima-evm-utils v3] Use secure heap for private keys and passwords

From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2021-08-25 20:45:07 

On Wed, 2021-08-25 at 21:41 +0300, Vitaly Chikunov wrote:
Mimi,

On Wed, Aug 25, 2021 at 07:39:30AM -0400, Mimi Zohar wrote:
quoted
Hi Vitaly,

On Sun, 2021-08-22 at 03:10 +0300, Vitaly Chikunov wrote:
quoted
After CRYPTO_secure_malloc_init OpenSSL will store private keys 
^and passwords
No, it meant openssl automatically will handle private keys (and other
internal private data) in secure heap.

Handling of passwords in openssl's secure heap we do ourselves. I can
extend commit message about this.
Ah, nice!   Please expand the patch description, adding what you said
here.

Also, you might want to include that since OPENSSL_secure_malloc_init()
is called from evmctl.c, any application linking with libimaevm would
not be using secure heap.

quoted
quoted
in
secure heap. This facility is only available since OpenSSL_1_1_0-pre1.

Signed-off-by: Vitaly Chikunov <redacted>
Initially we started out discussing ways of protecting passwords, which
this patch does.  Thank you!  I'm not sure, however, it is protecting
the private keys.  Does read_priv_pkey()  also use the secure heap or
is PEM_read_PrivateKey() already safe?
After CRYPTO_secure_malloc_init call all openssl API functions that
handle private keys and passwords should use secure heap. So, in that
regard we don't need to add anything.
Ok

quoted
quoted
---
 src/evmctl.c | 148 +++++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 121 insertions(+), 27 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c

@@ -188,7 +207,9 @@ static int bin2file(const char *file, const char *ext, const unsigned char *data
 	return err;
 }

-static unsigned char *file2bin(const char *file, const char *ext, int *size)
+/* Return data in OpenSSL secure heap if 'secure' is true. */
+static unsigned char *file2bin(const char *file, const char *ext, int *size,
+			       int secure)
 {
The only caller of file2bin() that sets "secure" is evm_calc_hmac(),
but evm_calc_hmac() is a debugging tool, not meant for setting the real
security.evm xattr.
I can undo file2bin change if you wish, but for uniformity I would have
it changed. We can add comment that it is handling only test & debugging
data, thus not using security measures. May also output some warning at
runtime.
Either way is fine, but somehow please document it.

thanks,

Mimi

  



    
  

  
    

      

        Keyboard shortcuts
      

      

        
          
hback out one level

          
jnext message in thread

          
kprevious message in thread

          
ldrill in

          
Escclose help / fold thread tree

          
?toggle this help