client private key is leaked.
jmp0x7c00 opened this issue · comments
hi,sir
I think there is a securty issue here:
in file Enclave/TorSGX/rendservice.c
:
- Create private key for client
if (client->client_key) {
char *client_key_out = NULL;
if (crypto_pk_write_private_key_to_string(client->client_key,
&client_key_out, &len) != 0) {
log_warn(LD_BUG, "Internal error: "
"crypto_pk_write_private_key_to_string() failed.");
goto err;
}
if (rend_get_service_id(client->client_key, service_id)<0) {
log_warn(LD_BUG, "Internal error: couldn't encode service ID.");
/*
* len is string length, not buffer length, but last byte is NUL
* anyway.
*/
memwipe(client_key_out, 0, len);
tor_free(client_key_out);
goto err;
}
written = tor_snprintf(buf + written, sizeof(buf) - written,
"client-key\n%s", client_key_out); // ===========>1. the private is written into buf
memwipe(client_key_out, 0, len);
tor_free(client_key_out);
if (written < 0) {
log_warn(LD_BUG, "Could not write client entry.");
goto err;
}
}
if (sgx_fputs(buf, cfile) < 0) { // ===========>2. buf is passed to function sgx_fputs
log_warn(LD_FS, "Could not append client entry to file: %s",
strerror(errno));
goto err;
}
in file Enclave/TorSGX/TorSGX.cpp
:
int sgx_fputs(const char *str, sgx_file *f)
{
if(f == NULL || str == NULL) {
printf("sgx_fputs: Error! sgx_fputs: wrong arguments (NULL)\n");
return -1;
}
int retv = -1;
long seek = f->seek;
long content_len = f->content_len;
long n = strlen(str);
long mem_size = f->content_len > n + seek ? f->content_len : n + seek;
char *new_cont = (char *)sgx_calloc(1, mem_size); // // ===========>3. calloc memory , HOWEVER, the memory new_cont points to is UNTRUSTED.
if (f->content != NULL) {
int remain = content_len - seek - n;
remain = remain > 0 ? remain : 0;
memcpy(new_cont, f->content, seek);
memcpy(new_cont+seek, str, n); //===========>4. client private key is copied to memory outside Enclave.
memcpy(new_cont+seek+n, f->content, remain);
f->content_len = seek+n+remain;
f->seek = seek+n;
sgx_free(f->content);
f->content = new_cont;
}
else {
memcpy(new_cont, str, n);
f->content_len = n;
f->seek = n;
f->content = new_cont;
}
f->mtime = time(NULL);
retv = n;
return retv;
}