CODEWITHSUNDEEP
securitymemoryopenssl
SkypeMeSM
SkypeMeSM

Reputation: 3287

Secure memory block in openssl

Is there any method in OpenSSL which is an equivalent of Crypto++'s SecByteBlock?

Something that clears the memory before freeing it among other things of securing the memory block with sensitive information. Is there any way of securing the RSA struct in memory?

Upvotes: 1

Views: 947

Answers (1)

jww
jww

Reputation: 102215

Is there any method in OpenSSL which is an equivalent of Crypto++'s SecByteBlock?

A SecByteBlock is a class that takes advantage of OOP by combining data with the operations to act on the data (lots of hand waiving). OpenSSL is a C library, and it does not have most of the goodies related to OOP.

In OpenSSL, you would use OPENSSL_cleanse. Here are some one-liner uses of it in OpenSSL:

$ grep -R cleanse * | grep -v doc
...
apps/apps.c:            OPENSSL_cleanse(buff, (unsigned int)bufsiz);
apps/apps.c:            OPENSSL_cleanse(buf, (unsigned int)bufsiz);
apps/apps.c:            OPENSSL_cleanse(buf, (unsigned int)bufsiz);
apps/ca.c:        OPENSSL_cleanse(key, strlen(key));
apps/dgst.c:        OPENSSL_cleanse(buf, BUFSIZE);
apps/enc.c:                OPENSSL_cleanse(str, SIZE);
apps/enc.c:                OPENSSL_cleanse(str, strlen(str));
...

Is there any way of securing the RSA struct in memory?

RSA_free calls OPENSSL_cleanse internally. So the structure is zeroized when its discarded. According to the OpenSSL man page on RSA_new and RSA_free:

RSA_free() frees the RSA structure and its components. The key is erased before the memory is returned to the system.

But you should probably to define your requirements for "secure in memory." If your requirements include wrapping, then no, OpenSSL does not provide it. But neither does Crypto++.

Upvotes: 2

Related Questions