diff options
author | Martin Elshuber <martin.elshuber@theobroma-systems.com> | 2020-06-23 12:14:41 +0200 |
---|---|---|
committer | Dmitry Belyavskiy <beldmit@gmail.com> | 2020-07-07 12:07:47 +0300 |
commit | 163b8016160f03558d8352b76fb594685cb39f7d (patch) | |
tree | 87d27b9a6e193b1c70365e44638c130807fb7430 /doc | |
parent | 1c9761d0b547d2d135037d215cd16feb4d0b698c (diff) |
Add support to zeroize plaintext in S3 record layer
Some applications want even all plaintext copies beeing
zeroized. However, currently plaintext residuals are kept in rbuf
within the s3 record layer.
This patch add the option SSL_OP_CLEANSE_PLAINTEXT to its friends to
optionally enable cleansing of decrypted plaintext data.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12251)
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man3/SSL_CTX_set_options.pod | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod index 1bf19ecd23..adc646d72d 100644 --- a/doc/man3/SSL_CTX_set_options.pod +++ b/doc/man3/SSL_CTX_set_options.pod @@ -265,6 +265,20 @@ functionality is not required. Those applications can turn this feature off by setting this option. This is a server-side opton only. It is ignored by clients. +=item SSL_OP_CLEANSE_PLAINTEXT + +By default TLS connections keep a copy of received plaintext +application data in a static buffer until it is overwritten by the +next portion of data. When enabling SSL_OP_CLEANSE_PLAINTEXT +deciphered application data is cleansed by calling OPENSSL_cleanse(3) +after passing data to the application. Data is also cleansed when +releasing the connection (eg. L<SSL_free(3)>). + +Since OpenSSL only cleanses internal buffers, the application is still +responsible for cleansing all other buffers. Most notably, this +applies to buffers passed to functions like L<SSL_read(3)>, +L<SSL_peek(3)> but also like L<SSL_write(3)>. + =back The following options no longer have any effect but their identifiers are |