C代码来清理openssl EVP_PKEY私钥的内存 [英] C code to clean up memory for openssl EVP_PKEY private keys
问题描述
我开始学习C/C ++中的OpenSSL编程.我遇到的一个问题是,如何安全清除专用密钥的内存?
I'm starting learn OpenSSL programming in C/C++. An issue I encountered is, how could I safely wipe out the memory for private keys?
例如,我可能有代码:
EVP_PKEY *private_key = PEM_read_bio_PrivateKey( bio, ,,,)
RSA *r = EVP_PKEY_get1_RSA( private_key);
在使用EVP_PKEY_free()释放它之前,我想彻底清除内存中的private_key.
I'd like to wipe out private_key from memory cleanly before using EVP_PKEY_free() to free it.
感谢您的帮助和/或您的建议. 谢谢.
I'd appreciate for helps and/or your suggestions. Thanks.
推荐答案
EVP_PKEY *private_key = PEM_read_bio_PrivateKey( bio, ,,,)
在使用EVP_PKEY_free释放私钥之前,我想从内存中彻底清除private_key.
I'd like to wipe out private_key from memory cleanly before using EVP_PKEY_free to free it.
OpenSSL的EVP_PKEY_free为您擦除私钥.您不必做任何特别的事情.
OpenSSL's EVP_PKEY_free wipes the private key for you. You don't have to do anything special.
RSA *r = EVP_PKEY_get1_RSA( private_key);
get1表示引用计数增加,您实际上获得了自己的对象副本. get0表示您有一个指向现有对象的指针,并且您应该不对其调用free.由于get1,您必须对其调用RSA_free以确保将其删除.与EVP_PKEY_free一样,RSA_free会擦除键.
The get1 means the reference count was bumped and you effectively got your own copy of the object. A get0 means you got a pointer to an existing object, and you should not call free on it. Because of get1, you must call RSA_free on it to ensure it gets deleted. As with EVP_PKEY_free, RSA_free will wipe the key.
请不要致电memset.这些是不透明的结构,您必须遵循许多指针才能正确清除子对象. OpenSSL 1.1.0中隐藏了更多字段,因此遵循指针将变得更加困难(如果您愿意).另请参见错误:OpenSSL 1.1.0中的无效使用不完整类型'RSA {aka struct rsa_st}" , Visual Studio和错误C2027:在OpenSSL 1.1.0中使用未定义的类型'rsa_st' ,OpenSSL 1.1.0中的EVP_get_cipherbyname和"undefined struct/union evp_cipher_st"等
Please don't call memset. These are opaque structures, and you have to follow a number of pointers to correctly clear the sub-objects. A lot more fields have been hidden in OpenSSL 1.1.0, so its going to be more difficult to follow the pointers (if you wanted to). Also see Error: "invalid use of incomplete type ‘RSA {aka struct rsa_st}" in OpenSSL 1.1.0, Visual Studio and error C2027: use of undefined type 'rsa_st' in OpenSSL 1.1.0, EVP_get_cipherbyname and "undefined struct/union evp_cipher_st" in OpenSSL 1.1.0, etc.
以下是您可能感兴趣的其他阅读内容:
Here's some additional reading you might be interested in:
- Why does OPENSSL_cleanse look so complex and thread-unsafe?
- Removing OPENSSL_cleanse from OpenSSL-1.0.1r
当调用EVP_PKEY_free和RSA_free之类的函数时,它们最终以对OPENSSL_cleanse的调用结束,然后将内存返回给操作系统.对于RSA私钥,其至少调用了8次,以擦除与n,e,d,p,q,dp,dq,和invq.
When functions like EVP_PKEY_free and RSA_free are called, they eventually end in a call to OPENSSL_cleanse before memory is returned to the operating system. In the case of an RSA private key, its called at leats 8 times to wipe the byte arrays associated with n, e, d, p, q, dp, dq, and invq.
这篇关于C代码来清理openssl EVP_PKEY私钥的内存的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
