[#5218] Zero out private key copied to ByteBuf before release.

Motivation:

We should zero-out the private key as soon as possible when we not need it anymore.

Modifications:

zero out the private key before release the buffer.

Result:

Limit the time the private key resides in memory.
Norman Maurer 2016-05-06 16:40:56 +02:00
parent 2472d8c3cf
commit b39c53ce17


@ -517,18 +517,24 @@ public abstract class OpenSslContext extends SslContext {
try { try {
buffer.writeBytes(encodedBuf); buffer.writeBytes(encodedBuf);
} finally { } finally {
encodedBuf.release(); zerooutAndRelease(encodedBuf);
} }
} finally { } finally {
wrappedBuf.release(); zerooutAndRelease(wrappedBuf);
} }
buffer.writeBytes(END_PRIVATE_KEY); buffer.writeBytes(END_PRIVATE_KEY);
return newBIO(buffer); return newBIO(buffer);
} finally { } finally {
buffer.release(); // Zero out the buffer and so the private key it held.
zerooutAndRelease(buffer);
} }
} }
private static void zerooutAndRelease(ByteBuf buffer) {
buffer.setZero(0, buffer.capacity());
buffer.release();
}
/** /**
* Return the pointer to a <a href="https://www.openssl.org/docs/crypto/BIO_get_mem_ptr.html">in-memory BIO</a> * Return the pointer to a <a href="https://www.openssl.org/docs/crypto/BIO_get_mem_ptr.html">in-memory BIO</a>
* or {@code 0} if the {@code certChain} is {@code null}. The BIO contains the content of the {@code certChain}. * or {@code 0} if the {@code certChain} is {@code null}. The BIO contains the content of the {@code certChain}.
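Review bot: In the new `zerooutAndRelease` helper, `buffer.release()` runs only if `setZero` returns normally, yet the helper is called from three `finally` blocks. If `setZero` throws (for example on a buffer that turns out to be read-only; how `wrappedBuf` is created is outside the hunk), the buffer is never released and the new exception replaces whatever was already propagating. Putting the release in its own finally keeps the wipe best-effort without risking a leak: `try { buffer.setZero(0, buffer.capacity()); } finally { buffer.release(); }`. A short comment on the helper should also state that it clears only this ByteBuf's memory; any other copy of the encoded key, such as the source array or the memory BIO filled by `newBIO`, is presumably not covered, which is worth confirming since the enclosing method starts above the hunk.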