Re: firefox and electronic national identity card

Wed, 27 May 2020 04:32:24 -0700 

On Wed, May 27, 2020 at 07:59:09AM +0200, Landry Breuil wrote:
> 
> Maybe opensc upstream have valid reasons for calling mlock() or not, i'm
> not in a position to judge that.
> 
> Anyway, the corresponding code is probably there:
> https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/sc.c#L895
> 
> Which was added 2 years ago in this PR, with subject 'Added memory
> locking for secrets': https://github.com/OpenSC/OpenSC/pull/1491/files
> 
> And fwiw, i recently had exchanges with someone else trying to use an
> estonian id card, so it seems this usecase is 'common'. Maybe
> fixing/looking at opensc is the way to go.
> 

Here a diff for security/opensc.

>From the PR description, the uses of mlock() is specially to avoid leaking
secrets to swap.

The diff switchs the function sc_mem_secure_alloc() to uses mmap(2) with
MAP_CONCEAL as we do for secrets (it excludes this chunk of memory from core
dumps), and to not uses mlock(2). And changes sc_mem_secure_free() too.

Could you try it (firefox with pledge(2) activated, and unveil still disabled) ?

Thanks.
-- 
Sebastien Marie


diff 753d46e2c6f99e4a69ce571e41ff1e16e4b9e615 /data/semarie/repos/openbsd/ports
blob - 8f081d8b44e2c20e9bed3b6786cf6069e8147ea3
file + security/opensc/Makefile
--- security/opensc/Makefile
+++ security/opensc/Makefile
@@ -3,7 +3,7 @@
 COMMENT=       set of libraries and utilities to access smart cards
 
 V=             0.20.0
-REVISION =     0
+REVISION =     1
 DISTNAME=      opensc-${V}
 SUBST_VARS +=  V
 
blob - /dev/null
file + security/opensc/patches/patch-src_libopensc_sc_c
--- security/opensc/patches/patch-src_libopensc_sc_c
+++ security/opensc/patches/patch-src_libopensc_sc_c
@@ -0,0 +1,42 @@
+$OpenBSD$
+use MAP_CONCEAL and avoid mlock(2)
+Index: src/libopensc/sc.c
+--- src/libopensc/sc.c.orig
++++ src/libopensc/sc.c
+@@ -892,6 +892,12 @@ void *sc_mem_secure_alloc(size_t len)
+               len = pages * page_size;
+       }
+ 
++#ifdef _OPENBSD_
++      p = mmap(NULL, len, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_ANON|MAP_CONCEAL, -1, 0);
++      if (p == MAP_FAILED) {
++              return NULL;
++      }
++#else
+       p = malloc(len);
+       if (p == NULL) {
+               return NULL;
+@@ -901,18 +907,23 @@ void *sc_mem_secure_alloc(size_t len)
+ #else
+       mlock(p, len);
+ #endif
++#endif
+ 
+       return p;
+ }
+ 
+ void sc_mem_secure_free(void *ptr, size_t len)
+ {
++#ifdef _OPENBSD_
++      munmap(ptr, len);
++#else
+ #ifdef _WIN32
+       VirtualUnlock(ptr, len);
+ #else
+       munlock(ptr, len);
+ #endif
+       free(ptr);
++#endif
+ }
+ 
+ void sc_mem_clear(void *ptr, size_t len)

Reply via email to