[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-bugs] #2927 [Tor Relay]: Tor doesn't overwrite rotated keys
#2927: Tor doesn't overwrite rotated keys
-----------------------+----------------------------------------------------
Reporter: asn | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor Relay | Version:
Keywords: | Parent:
Points: | Actualpoints:
-----------------------+----------------------------------------------------
Tor doesn't zero out rotated onion keys, or rotated x509s and currently
leaves them into memory for anyone to have fun with them.
The fact that Tor uses PFS TLS ciphersuites saves the day, but still
sensitive stuff should be overwritten to be on the safe side.
Onion keys should get memsetted somewhere around the
crypto_free_pk_env(lastonionkey);
of rotate_onion_key()
and TLS certificates should get memsetted in:
tor_tls_context_decref().
OpenSSL has functions that clean keys correctly, iirc.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2927>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs