[tpop3d-discuss] Re: OpenSSL and POP3 Integration Question (fwd)

Ben Schumacher ben at blahr.com
Mon, 21 Jan 2002 09:15:00 -0700 (MST)

And the second:

---------- Forwarded message ----------
Date: Tue, 22 Jan 2002 01:23:16 +1300
From: Geoff Thorpe <geoff@openssl.org>
Reply-To: openssl-users@openssl.org
To: openssl-users@openssl.org
Subject: Re: OpenSSL and POP3 Integration Question

Hi there,

> * The OpenSSL API does not offer a call to remove the private key
>   information from memory as long as any TLS functionality is still
>   set up.
>   (-> reminder: check, whether the memory overwritten when performing
>   SSL_free()/SSL_CTX_free()..)
>   To be compliant with RFC2246 we do not the private key, as a
>   renegotiation may take place.

I assume you mean "we do need" rather than "we do not"? If so - it could be 
skipped if was known that the request in question wouldn't involve any 
renegotiations. Renegotiations are quite unlikely if the connection carries 
a single transaction and the fork()d process exit()s after that is dealt 
with. In that case, you don't even need to bother with SSL_free() or any 
such SSL API thing - just "BN_clear_free(rsa->[d|p|q|dmp1|...]); 
rsa->[d|p|...] = NULL;" will do. Ie. just zero out the key entries as they 
won't be called upon anyway - you're just protecting against scanning 
attacks on the memory (or core dump as the case may be). If you really want 
to be ruthless - edit every RSA_new() and RSA_free() function to 
(de)register each RSA pointer in a global list of some kind, then after the 
fork() and SSL handshake has taken place, just iterate through every living 
RSA structure and wipe out any private key components you find in them (not 
all with have them, eg. not those keys in the certificate objects!).

If you need persistence of the key because child processes handle multiple 
requests or renegotiations may take place in one request, then you'll need 
some other mechanism for doing the key operation outside the child process 
so the child-process doesn't need the key components, eg. dedicated 
hardware/smart-card, distinct crypto process, etc.

> * On the other hand, if your process started with root permissions
>   and later dropped privileges using setuid(), your kernel should protect
>   you from the user being able to attach to it.
>   (At least on HP-UX: I just tried to attach to an imapd process
>   and the kernel did not allow it.)

This is also true for Linux and Solaris IIRC. I suspect it's probably 
required by correct implementation of various aspects of POSIX etc, but 
whether various platforms implement them that accurately is another 
question of course.

Anyway, I doubt assuming protection against attaching to processes 
necessarily implies protection against key-scans ... core files, memory 
paging, etc can all be ways to get read access to the process memory (or 
record/copy of it). Better to ensure that the key data is simply not 
accessible in any sense at all before the process is running as that user 
*or* at least get rid of that data as early as possible (ie. lowering the 
window of time the process is running as that user with the key-data in 
memory). There's also the risk of "third-party" code binding in that could 
launch key-scans, eg. mail-filters, auto-responders, whatever. Some could 
be written deliberately by users to compromise the server keys of course 
(the threat model includes your users, I assume?). If you scrub the key 
data before any of those are loaded - that at least cuts out another avenue 
of attack even if you can't have the keys removed before the process is 
running as a non-root user in the first place.


OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majordomo@openssl.org