Record Layer Buffers & Zeroization

[Matt Caswell]

On 23/06/2020 11:57, Martin Elshuber wrote:
> Thx for the answer,
> 
> than at least a can stop looking for this :).
> 
> And yes I can understand the performance hit and I agree that this
> should be optional and disabled by default.
> 
> I am thinking of adding a OPENSSL_cleanse just ofter the memcpy in
> ssl3_read_bytes. And probably replacing the OPENSSL_free by an
> OPENSSL_clear_free in SSL3_BUFFER_release. The later gets rid of data
> not yet deliverd to the application.
> 
> I am thinking to make both dependent on a flags such as
> SSL_OP_CLEANSE_PLAINTEXT. But I am not sure how to select a suitable
> bit, since all unused bits are currently stated to be reserved for
> openssl 1.2.

We don't allow features in stable branches, so this could only be
included in the forthcoming OpenSSL 3.0 (i.e the master branch). You can
use those reserved values there because we are not aiming for ABI
compatibility (only API).


> 
> Another option is to add a compiler option; Though I do not like this
> too much.
> 
> Did I forget any locations where to more cleanses? Any other suggestions?
> 
> If you are still interested, I am happy to prepare a PR and move the
> discussion there. I guess this is "CLA: trivial" patch anyways.

Please feel free to raise a PR - although this is unlikely to be CLA
trivial (we have a very high bar for something to be considered trivial).

Matt



> 
> Martin
> 
> Am 23.06.2020 um 12:19 schrieb Matt Caswell:
>>
>> On 22/06/2020 18:28, Martin Elshuber wrote:
>>> I might be blind, but I just cannot find the location where this
>>> plaintext data is
>>> zeroized, neither by OPENSSL_cleanse() nor memset().
>>>
>>> Am I blind, or is this just not done? Shouldn't there be a way to do
>>> this just like
>>> it is already done with keys?
>> We don't currently do this. There would likely be some significant
>> performance impacts for doing this with all plaintext. That said it
>> might be a nice optional feature to add.
>>
>> Matt
> 
>