author Martin Elshuber <martin.elshuber@theobroma-systems.com> 2020-06-23 12:14:41 +0200
committer Dmitry Belyavskiy <beldmit@gmail.com> 2020-07-07 12:07:47 +0300
commit 163b8016160f03558d8352b76fb594685cb39f7d (patch)
tree 87d27b9a6e193b1c70365e44638c130807fb7430 /CHANGES.md
parent 1c9761d0b547d2d135037d215cd16feb4d0b698c (diff)
Add support to zeroize plaintext in S3 record layer
Some applications want even all plaintext copies being zeroized. However, currently plaintext residuals are kept in rbuf within the s3 record layer. This patch adds the option SSL_OP_CLEANSE_PLAINTEXT to its friends to optionally enable cleansing of decrypted plaintext data.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12251)
Diffstat (limited to 'CHANGES.md')
-rw-r--r-- CHANGES.md 8
1 files changed, 8 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md
index 2cb73985a3..4e0002f668 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1100,6 +1100,14 @@ OpenSSL 3.0
*Boris Pismenny*
+ * The SSL option SSL_OP_CLEANSE_PLAINTEXT is introduced. If that
+ option is set, openssl cleanses (zeroize) plaintext bytes from
+ internal buffers after delivering them to the application. Note,
+ the application is still responsible for cleansing other copies
+ (e.g.: data received by SSL_read(3)).
+
+ *Martin Elshuber*
+
OpenSSL 1.1.1
-------------
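Review bot: The new CHANGES.md entry has wording problems in its first sentence: "openssl cleanses (zeroize) plaintext bytes" lowercases the project name and mixes verb forms, so it should read "OpenSSL cleanses (zeroizes) plaintext bytes", and "(e.g.: data received by SSL_read(3))" should drop the colon after "e.g.". The entry also says only "If that option is set" without stating whether the option is off by default; the commit message describes it as optional, and saying so here would tell readers that existing applications see no behaviour change. The note that the application remains responsible for its own copies is the key caveat and is worth keeping as written.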