[tor-bugs] #2927 [Tor Relay]: Tor doesn't overwrite rotated keys
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Fri Apr 15 19:22:25 UTC 2011
#2927: Tor doesn't overwrite rotated keys
-----------------------+----------------------------------------------------
Reporter: asn | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor Relay | Version:
Keywords: | Parent:
Points: | Actualpoints:
-----------------------+----------------------------------------------------
Tor doesn't zero out rotated onion keys, or rotated x509s and currently
leaves them into memory for anyone to have fun with them.
The fact that Tor uses PFS TLS ciphersuites saves the day, but still
sensitive stuff should be overwritten to be on the safe side.
Onion keys should get memsetted somewhere around the
crypto_free_pk_env(lastonionkey);
of rotate_onion_key()
and TLS certificates should get memsetted in:
tor_tls_context_decref().
OpenSSL has functions that clean keys correctly, iirc.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2927>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list