author: Rich Salz <rsalz@akamai.com> 2015-04-24 16:39:40 -0400
committer: Rich Salz <rsalz@openssl.org> 2015-06-23 17:09:35 -0400
commit: 74924dcb3802640d7e2ae2e80ca6515d0a53de7a (patch)
tree: 6de4138b01d5f649bdaa32d858bd5fa20e9ad4b6 /doc/crypto/buffer.pod
parent: ce7e647bc2c328404b1e3cdac6211773afdefe07 (diff)
More secure storage of key material.
Add secure heap for storage of private keys (when possible).
Add BIO_s_secmem(), CBIGNUM, etc.
Add BIO_CTX_secure_new so all BIGNUM's in the context are secure.
Contributed by Akamai Technologies under the Corporate CLA.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'doc/crypto/buffer.pod')
-rw-r--r-- doc/crypto/buffer.pod 14
1 files changed, 13 insertions, 1 deletions
diff --git a/doc/crypto/buffer.pod b/doc/crypto/buffer.pod
index 781f5b11ee..3804c5649b 100644
--- a/doc/crypto/buffer.pod
+++ b/doc/crypto/buffer.pod
@@ -11,6 +11,10 @@ character arrays structure
BUF_MEM *BUF_MEM_new(void);
+ #define BUF_MEM_FLAG_SECURE
+
+ BUF_MEM * BUF_MEM_new_ex(unsigned long flags);
+
void BUF_MEM_free(BUF_MEM *a);
int BUF_MEM_grow(BUF_MEM *str, int len);
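Review bot: In the synopsis, `#define BUF_MEM_FLAG_SECURE` appears with no value, and nothing says whether the `flags` argument of BUF_MEM_new_ex() is a bitmask or whether 0 is a valid argument equivalent to BUF_MEM_new(). Suggest either showing the value or stating in the description that `flags` is 0 or BUF_MEM_FLAG_SECURE. As a style point, `BUF_MEM * BUF_MEM_new_ex(` has a space after the asterisk, unlike `BUF_MEM *BUF_MEM_new(void);` just above it.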
@@ -37,6 +41,10 @@ and one "miscellaneous" function.
BUF_MEM_new() allocates a new buffer of zero size.
+BUF_MEM_new_ex() allocates a buffer with the specified flags.
+The flag B<BUF_MEM_FLAG_SECURE> specifies that the B<data> pointer
+should be allocated on the secure heap; see L<CRYPTO_secure_malloc(3)>.
+
BUF_MEM_free() frees up an already existing buffer. The data is zeroed
before freeing up in case the buffer contains sensitive data.
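Review bot: The added paragraph for BUF_MEM_new_ex() leaves failure and fallback behaviour undocumented. It does not say what is returned when allocation fails, nor what happens with BUF_MEM_FLAG_SECURE when the secure heap is not available, although the commit message says keys are stored there only "when possible". A caller relying on the flag for key material needs to know whether the data can silently end up on the ordinary heap. It would also help to state the initial size (BUF_MEM_new() is documented as zero size) and whether a later BUF_MEM_grow() keeps the data on the secure heap.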
@@ -63,11 +71,15 @@ BUF_MEM_grow() returns zero on error or the new size (i.e. B<len>).
=head1 SEE ALSO
-L<bio(3)|bio(3)>
+L<bio(3)|bio(3)>,
+L<CRYPTO_secure_malloc(3)>.
=head1 HISTORY
BUF_MEM_new(), BUF_MEM_free() and BUF_MEM_grow() are available in all
versions of SSLeay and OpenSSL. BUF_strdup() was added in SSLeay 0.8.
+BUF_MEM_new_ex() was contributed to OpenSSL by Akamai Technologies
+in May, 2014.
+
=cut
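Review bot: The HISTORY entry dates the contribution to "May, 2014" while this commit is authored 2015-04-24, and unlike the BUF_strdup() line it names no release in which BUF_MEM_new_ex() first appears; suggest confirming the date and adding the version. In SEE ALSO, the new link is written `L<CRYPTO_secure_malloc(3)>.` while the existing entry uses the `L<bio(3)|bio(3)>` form, and the list now ends in a period; one link style should be used throughout.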