More secure storage of key material.

Add secure heap for storage of private keys (when possible). Add BIO_s_secmem(), CBIGNUM, etc. Add BIO_CTX_secure_new so all BIGNUM's in the context are secure. Contributed by Akamai Technologies under the Corporate CLA. Reviewed-by: Richard Levitte <levitte@openssl.org>
author: Rich Salz <rsalz@akamai.com> 2015-04-24 16:39:40 -0400
committer: Rich Salz <rsalz@openssl.org> 2015-06-23 17:09:35 -0400
commit: 74924dcb3802640d7e2ae2e80ca6515d0a53de7a (patch)
tree: 6de4138b01d5f649bdaa32d858bd5fa20e9ad4b6 /crypto/dsa
parent: ce7e647bc2c328404b1e3cdac6211773afdefe07 (diff)
download: openssl-74924dcb3802640d7e2ae2e80ca6515d0a53de7a.tar.gz
3 files changed, 4 insertions, 3 deletions
diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c
index 01b3497552..73dd158cee 100644
--- a/crypto/dsa/dsa_ameth.c
+++ b/crypto/dsa/dsa_ameth.c
@@ -245,7 +245,8 @@ static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
     if ((dsa = d2i_DSAparams(NULL, &pm, pmlen)) == NULL)
         goto decerr;
     /* We have parameters now set private key */
-    if ((dsa->priv_key = ASN1_INTEGER_to_BN(privkey, NULL)) == NULL) {
+    if ((dsa->priv_key = BN_secure_new()) == NULL
+        || !ASN1_INTEGER_to_BN(privkey, dsa->priv_key)) {
         DSAerr(DSA_F_DSA_PRIV_DECODE, DSA_R_BN_ERROR);
         goto dsaerr;
     }
diff --git a/crypto/dsa/dsa_asn1.c b/crypto/dsa/dsa_asn1.c
index bb2434e20e..85db147822 100644
--- a/crypto/dsa/dsa_asn1.c
+++ b/crypto/dsa/dsa_asn1.c
@@ -113,7 +113,7 @@ ASN1_SEQUENCE_cb(DSAPrivateKey, dsa_cb) = {
         ASN1_SIMPLE(DSA, q, BIGNUM),
         ASN1_SIMPLE(DSA, g, BIGNUM),
         ASN1_SIMPLE(DSA, pub_key, BIGNUM),
-        ASN1_SIMPLE(DSA, priv_key, BIGNUM)
+        ASN1_SIMPLE(DSA, priv_key, CBIGNUM)
 } ASN1_SEQUENCE_END_cb(DSA, DSAPrivateKey)
 
 IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(DSA, DSAPrivateKey, DSAPrivateKey)
diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c
index 01a83e0018..19d21eacf7 100644
--- a/crypto/dsa/dsa_key.c
+++ b/crypto/dsa/dsa_key.c
@@ -82,7 +82,7 @@ static int dsa_builtin_keygen(DSA *dsa)
         goto err;
 
     if (dsa->priv_key == NULL) {
-        if ((priv_key = BN_new()) == NULL)
+        if ((priv_key = BN_secure_new()) == NULL)
             goto err;
     } else
         priv_key = dsa->priv_key;
author	Rich Salz <rsalz@akamai.com>	2015-04-24 16:39:40 -0400
committer	Rich Salz <rsalz@openssl.org>	2015-06-23 17:09:35 -0400
commit	74924dcb3802640d7e2ae2e80ca6515d0a53de7a (patch)
tree	6de4138b01d5f649bdaa32d858bd5fa20e9ad4b6 /crypto/dsa
parent	ce7e647bc2c328404b1e3cdac6211773afdefe07 (diff)
download	openssl-74924dcb3802640d7e2ae2e80ca6515d0a53de7a.tar.gz