[strongSwan-dev] Memwipe of loaded secrets through VICI
jean-francois.hren at stormshield.eu
Fri Oct 1 11:40:30 CEST 2021
Thank you for your answer. I tested the branch and it works for me.
For the mmap, I'm not expert and I use Strongswan under FreeBSD so I'm not sure the behavior is the same.
However since decrypted private key blobs are written in the mmap chunk, memory should be allocated somewhere. This memory can be read by some other rogue processes later if not wiped properly.
In src/swanctl/commands/load_creds.c:load_containers(), a call to chunk_unmap_clear() should be done too maybe ?
The static buffer returned by getpass() calls in swanctl should be wiped too after use.
De: "Tobias Brunner" <tobias at strongswan.org>
À: "jean-francois hren" <jean-francois.hren at stormshield.eu>, "dev" <dev at lists.strongswan.org>
Envoyé: Jeudi 30 Septembre 2021 15:42:18
Objet: Re: [strongSwan-dev] Memwipe of loaded secrets through VICI
Thanks for the report and patch. I pushed several of these fixes (some
with modifications) to the wipe-secrets branch, plus also added code to
wipe the swanctl.conf file from memory in swanctl.
I'm not entirely sure about the chunk_map() changes, though. As far as
I can tell, after munmap() has been called, the process can't access
that memory anymore (causes a segmentation fault). And mapping the same
memory with MAP_ANONYMOUS and MAP_UNINITIALIZED (to prevent the
initialization of the non-file backed area to zero) doesn't seem
possible on generic kernels as it requires the
CONFIG_MMAP_ALLOW_UNINITIALIZED kernel option, which is usually not
enabled for security reasons. But since it's useful on platform that
don't provide mmap() (e.g. Windows), I still pushed patches.
Let me know what you think.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Dev