[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #2927 [Tor Relay]: Tor doesn't overwrite rotated keys

To: undisclosed-recipients:;
Subject: [tor-bugs] #2927 [Tor Relay]: Tor doesn't overwrite rotated keys
From: "Tor Bug Tracker & Wiki" <torproject-admin@xxxxxxxxxxxxxx>
Date: Fri, 15 Apr 2011 19:22:25 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 15 Apr 2011 15:22:34 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-bugs>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: Tor bugs reporting list for trac <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx

#2927: Tor doesn't overwrite rotated keys
-----------------------+----------------------------------------------------
 Reporter:  asn        |          Owner:     
     Type:  defect     |         Status:  new
 Priority:  normal     |      Milestone:     
Component:  Tor Relay  |        Version:     
 Keywords:             |         Parent:     
   Points:             |   Actualpoints:     
-----------------------+----------------------------------------------------
 Tor doesn't zero out rotated onion keys, or rotated x509s and currently
 leaves them into memory for anyone to have fun with them.

 The fact that Tor uses PFS TLS ciphersuites saves the day, but still
 sensitive stuff should be overwritten to be on the safe side.

 Onion keys should get memsetted somewhere around the
 crypto_free_pk_env(lastonionkey);
 of rotate_onion_key()

 and TLS certificates should get memsetted in:
 tor_tls_context_decref().

 OpenSSL has functions that clean keys correctly, iirc.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2927>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Follow-Ups:
- Re: [tor-bugs] #2927 [Tor Relay]: Tor doesn't overwrite rotated keys
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #2927 [Tor Relay]: Tor doesn't overwrite rotated keys
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #2927 [Tor Relay]: Tor doesn't overwrite rotated keys
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #2927 [Tor Relay]: Tor doesn't overwrite rotated keys
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #1538 [Tor bundles/installation]: Pre-configured bridge relay for Windows
Next by Author: Re: [tor-bugs] #2355 [Tor Bridge]: change the meaning of UseBridges
Previous by thread: Re: [tor-bugs] #1538 [Tor bundles/installation]: Pre-configured bridge relay for Windows
Next by thread: Re: [tor-bugs] #2927 [Tor Relay]: Tor doesn't overwrite rotated keys
Index(es):
- Author
- Thread