Skip to content

The private key may be leaked to the attacker #33

Description

@jmp0x7c00

Hello, sir

I found there maybe a security issue here and need your confirm.

related source code:

EVP_PKEY *SSL_get_privatekey(SSL *s) {
   if (global_eid == 0) {
   	initialize_library();
   }

   log_enter_ecall(__func__);
	sgx_status_t ret = SGX_ERROR_UNEXPECTED;
	ret = ecall_SSL_get_privatekey(global_eid, &my_evp_pkey, s); 
	if (ret != SGX_SUCCESS) {
		print_error_message(ret, __func__);
		return NULL;
	}
	log_exit_ecall(__func__);

	return &my_evp_pkey;
}

In ecall_SSL_get_privatekey, the private key is copied to the memory area pointed to by pkey, but since pkey is user_check, and points to untrusted memory outside the enclave, so an attacker can monitor its content to obtain the private key.

 /* Fix this function so that it takes an optional type parameter */
+void
+ecall_SSL_get_privatekey(EVP_PKEY* pkey, SSL *s) {
+#ifdef COMPILE_WITH_INTEL_SGX
+	const SSL* out_s = s;
+
+	hashmap* m = get_ssl_hardening();
+	SSL* in_s = (SSL*) hashmapGet(m, (unsigned long)out_s);
+
+	EVP_PKEY* enclave_pkey = SSL_get_privatekey(in_s);
+	memcpy(pkey, enclave_pkey, sizeof(*pkey)); //   An attacker can spy on the buffer pointed to by pkey
+#else
+	printf("Cannot call %s without SGX!!!\n", __func__);
+#endif
+}
+

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions