openssl: fix not clearing big numbers after computations
Checks
Commit Message
After performing mod exp and mod inv big numbers (BIGNUM) should
be cleared as data already is copied into op fields and this BNs would
very likely contain private information for unspecified amount of time
(duration of the session).
Fixes: 3e9d6bd447fb ("crypto/openssl: add RSA and mod asym operations")
Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
---
drivers/crypto/openssl/rte_openssl_pmd.c | 6 ++++++
1 file changed, 6 insertions(+)
Comments
> -----Original Message-----
> From: Kusztal, ArkadiuszX
> Sent: Thursday, February 7, 2019 10:55 AM
> To: dev@dpdk.org
> Cc: akhil.goyal@nxp.com; Trahe, Fiona <fiona.trahe@intel.com>; shally.verma@caviumnetworks.com;
> sunila.sahu@caviumnetworks.com; ashish.gupta@caviumnetworks.com; Kusztal, ArkadiuszX
> <arkadiuszx.kusztal@intel.com>
> Subject: [PATCH] openssl: fix not clearing big numbers after computations
>
> After performing mod exp and mod inv big numbers (BIGNUM) should
> be cleared as data already is copied into op fields and this BNs would
> very likely contain private information for unspecified amount of time
> (duration of the session).
>
> Fixes: 3e9d6bd447fb ("crypto/openssl: add RSA and mod asym operations")
>
> Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
Acked-by: Fiona Trahe <fiona.trahe@intel.com>
>-----Original Message-----
>From: dev <dev-bounces@dpdk.org> On Behalf Of Arek Kusztal
>Sent: 07 February 2019 16:25
>To: dev@dpdk.org
>Cc: akhil.goyal@nxp.com; fiona.trahe@intel.com; shally.verma@caviumnetworks.com; sunila.sahu@caviumnetworks.com;
>ashish.gupta@caviumnetworks.com; Arek Kusztal <arkadiuszx.kusztal@intel.com>
>Subject: [dpdk-dev] [PATCH] openssl: fix not clearing big numbers after computations
>
>After performing mod exp and mod inv big numbers (BIGNUM) should
>be cleared as data already is copied into op fields and this BNs would
>very likely contain private information for unspecified amount of time
>(duration of the session).
>
>Fixes: 3e9d6bd447fb ("crypto/openssl: add RSA and mod asym operations")
>
>Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
>---
Acked-by: Shally Verma <shallyv@marvell.com>
> drivers/crypto/openssl/rte_openssl_pmd.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
>diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
>index ea5aac6..4ecc3c4 100644
>--- a/drivers/crypto/openssl/rte_openssl_pmd.c
>+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
>@@ -1795,6 +1795,9 @@ process_openssl_modinv_op(struct rte_crypto_op *cop,
> cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
> }
>
>+ BN_clear(res);
>+ BN_clear(base);
>+
> return 0;
> }
>
>@@ -1825,6 +1828,9 @@ process_openssl_modexp_op(struct rte_crypto_op *cop,
> cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
> }
>
>+ BN_clear(res);
>+ BN_clear(base);
>+
> return 0;
> }
>
>--
>2.1.0
On 2/12/2019 4:31 PM, Shally Verma wrote:
>
>> -----Original Message-----
>> From: dev <dev-bounces@dpdk.org> On Behalf Of Arek Kusztal
>> Sent: 07 February 2019 16:25
>> To: dev@dpdk.org
>> Cc: akhil.goyal@nxp.com; fiona.trahe@intel.com; shally.verma@caviumnetworks.com; sunila.sahu@caviumnetworks.com;
>> ashish.gupta@caviumnetworks.com; Arek Kusztal <arkadiuszx.kusztal@intel.com>
>> Subject: [dpdk-dev] [PATCH] openssl: fix not clearing big numbers after computations
>>
>> After performing mod exp and mod inv big numbers (BIGNUM) should
>> be cleared as data already is copied into op fields and this BNs would
>> very likely contain private information for unspecified amount of time
>> (duration of the session).
>>
>> Fixes: 3e9d6bd447fb ("crypto/openssl: add RSA and mod asym operations")
>>
>> Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
>> ---
> Acked-by: Shally Verma <shallyv@marvell.com>
>
>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
title changed to "crypto/openssl: fix big numbers after computations"
Applied to dpdk-next-crypto
Thanks
@@ -1795,6 +1795,9 @@ process_openssl_modinv_op(struct rte_crypto_op *cop,
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
}
+ BN_clear(res);
+ BN_clear(base);
+
return 0;
}
@@ -1825,6 +1828,9 @@ process_openssl_modexp_op(struct rte_crypto_op *cop,
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
}
+ BN_clear(res);
+ BN_clear(base);
+
return 0;
}