author | Rich Salz <rsalz@akamai.com> | 2015-04-24 16:39:40 -0400 |
---|---|---|
committer | Rich Salz <rsalz@openssl.org> | 2015-06-23 17:09:35 -0400 |
commit | 74924dcb3802640d7e2ae2e80ca6515d0a53de7a (patch) | |
tree | 6de4138b01d5f649bdaa32d858bd5fa20e9ad4b6 /crypto/mem.c | |
parent | ce7e647bc2c328404b1e3cdac6211773afdefe07 (diff) | |
download | openssl-74924dcb3802640d7e2ae2e80ca6515d0a53de7a.tar.gz |
More secure storage of key material.
Add secure heap for storage of private keys (when possible).
Add BIO_s_secmem(), CBIGNUM, etc.
Add BIO_CTX_secure_new so all BIGNUM's in the context are secure.
Contributed by Akamai Technologies under the Corporate CLA.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'crypto/mem.c')
-rw-r--r-- | crypto/mem.c | 73 |
1 files changed, 72 insertions, 1 deletions
diff --git a/crypto/mem.c b/crypto/mem.c
index b98e44fc5a..56c3585865 100644
--- a/crypto/mem.c
+++ b/crypto/mem.c
@@ -94,6 +94,15 @@ static void *(*realloc_ex_func) (void *, size_t, const char *file, int line)
 static void (*free_func) (void *) = free;
+static void *(*malloc_secure_func)(size_t) = malloc;
+static void *default_malloc_secure_ex(size_t num, const char *file, int line)
+{
+ return malloc_secure_func(num);
+}
+static void *(*malloc_secure_ex_func)(size_t, const char *file, int line)
+ = default_malloc_secure_ex;
+static void (*free_secure_func)(void *) = free;
+
 static void *(*malloc_locked_func) (size_t) = malloc;
 static void *default_malloc_locked_ex(size_t num, const char *file, int line)
 {
@@ -145,6 +154,11 @@ int CRYPTO_set_mem_functions(void *(*m) (size_t), void *(*r) (void *, size_t),
 realloc_func = r;
 realloc_ex_func = default_realloc_ex;
 free_func = f;
+ /* If user wants to intercept the secure or locked functions, do it
+ * after the basic functions. */
+ malloc_secure_func = m;
+ malloc_secure_ex_func = default_malloc_secure_ex;
+ free_secure_func = f;
 malloc_locked_func = m;
 malloc_locked_ex_func = default_malloc_locked_ex;
 free_locked_func = f;
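Review bot: The defaults at the top of this hunk make `malloc_secure_func` plain `malloc` and `free_secure_func` plain `free`, and no comment says that the "secure" pair is an ordinary heap allocation until it is replaced. As far as this file shows, the defaults neither lock pages nor clear memory on release, so a reader could assume protection that is not there. I would add a comment above `malloc_secure_func`, for example `/* Default secure allocator is the ordinary heap: no locking, no zeroing on free. */`. Whether the secure heap added elsewhere in this commit is wired in through a different path cannot be seen from crypto/mem.c alone.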
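Review bot: Installing general allocators in `CRYPTO_set_mem_functions` now also overwrites `malloc_secure_func`, `malloc_secure_ex_func` and `free_secure_func`, so a secure allocator registered earlier is replaced without any signal to the caller; the same applies to `CRYPTO_set_mem_ex_functions` in the next hunk. The ordering rule exists only as a comment inside the body, where API users will not read it. I would state it in the function's header comment and in the public documentation, e.g. `/* Also resets the secure and locked allocators; call CRYPTO_set_secure_mem_functions() afterwards. */`. The function starts and ends outside the hunk, so any guard that limits when this can run is not visible here.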
@@ -164,6 +178,44 @@ int CRYPTO_set_mem_ex_functions(void *(*m) (size_t, const char *, int),
 realloc_func = 0;
 realloc_ex_func = r;
 free_func = f;
+ malloc_secure_func = 0;
+ malloc_secure_ex_func = m;
+ free_secure_func = f;
+ malloc_locked_func = 0;
+ malloc_locked_ex_func = m;
+ free_locked_func = f;
+ return 1;
+}
+
+int CRYPTO_set_secure_mem_functions(void *(*m)(size_t), void (*f)(void *))
+{
+ /* Dummy call just to ensure OPENSSL_init() gets linked in */
+ OPENSSL_init();
+ if (!allow_customize)
+ return 0;
+ if ((m == 0) || (f == 0))
+ return 0;
+ malloc_secure_func = m;
+ malloc_secure_ex_func = default_malloc_secure_ex;
+ free_secure_func = f;
+ /* If user wants to intercept the locked functions, do it after
+ * the secure functions. */
+ malloc_locked_func = m;
+ malloc_locked_ex_func = default_malloc_secure_ex;
+ free_locked_func = f;
+ return 1;
+}
+
+int CRYPTO_set_secure_mem_ex_functions(void *(*m)(size_t, const char *, int),
+ void (*f)(void *))
+{
+ if (!allow_customize)
+ return 0;
+ if ((m == NULL) || (f == NULL))
+ return 0;
+ malloc_secure_func = 0;
+ malloc_secure_ex_func = m;
+ free_secure_func = f;
 malloc_locked_func = 0;
 malloc_locked_ex_func = m;
 free_locked_func = f;
@@ -191,7 +243,7 @@ int CRYPTO_set_locked_mem_ex_functions(void *(*m) (size_t, const char *, int),
 return 0;
 malloc_locked_func = 0;
 malloc_locked_ex_func = m;
- free_func = f;
+ free_locked_func = f;
 return 1;
 }
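Review bot: In the new `CRYPTO_set_secure_mem_functions`, the locked wrapper is pointed at the secure default: `malloc_locked_ex_func = default_malloc_secure_ex;` looks like a copy-paste slip for `malloc_locked_ex_func = default_malloc_locked_ex;`. As written, locked allocations are routed through `malloc_secure_func` rather than `malloc_locked_func`; both hold `m` right after this call, so the result is the same only by coincidence and would diverge if a later setter changed just one of them. A getter that compares `malloc_locked_ex_func` with `default_malloc_locked_ex` (presumably how the locked getter works, mirroring the secure getters in the last hunk) would then report that no plain locked allocator is installed.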
@@ -236,6 +288,25 @@ void CRYPTO_get_mem_ex_functions(void *(**m) (size_t, const char *, int),
 *f = free_func;
 }
+void CRYPTO_get_secure_mem_functions(void *(**m)(size_t), void (**f)(void *))
+{
+ if (m != NULL)
+ *m = (malloc_secure_ex_func == default_malloc_secure_ex) ?
+ malloc_secure_func : 0;
+ if (f != NULL)
+ *f=free_secure_func;
+ }
+
+void CRYPTO_get_secure_mem_ex_functions(void *(**m)(size_t,const char *,int),
+ void (**f)(void *))
+{
+ if (m != NULL)
+ *m = (malloc_secure_ex_func != default_malloc_secure_ex) ?
+ malloc_secure_ex_func : 0;
+ if (f != NULL)
+ *f=free_secure_func;
+}
+
 void CRYPTO_get_locked_mem_functions(void *(**m) (size_t),
 void (**f) (void *))
 { |
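Review bot: The two new getters depart from the formatting of the surrounding code: `*f=free_secure_func;` has no spaces around `=`, the closing brace of `CRYPTO_get_secure_mem_functions` appears to be indented by one space, and `0` is used as the null function pointer right next to comparisons against `NULL`. I would write `*f = free_secure_func;`, put the `}` in column 0, and end the conditionals with `malloc_secure_func : NULL;` and `malloc_secure_ex_func : NULL;`. A one-line comment saying that `*m` is set to null when the other flavour (plain versus `_ex`) is installed would also help callers interpret the result.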