memory cleansing
The below snippet is from crypto/pem/pem_pkey.c
EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb
*cb, void *u) {
...snip
} else if (strcmp(nm,PEM_STRING_PKCS8) == 0) {
PKCS8_PRIV_KEY_INFO *p8inf;
X509_SIG *p8;
int klen;
char psbuf[PEM_BUFSIZE];
p8 = d2i_X509_SIG(NULL, &p, len);
if(!p8) goto p8err;
if (cb) klen=cb(psbuf,PEM_BUFSIZE,0,u);
else klen=PEM_def_callback(psbuf,PEM_BUFSIZE,0,u);
if (klen <= 0) {
PEMerr(PEM_F_PEM_READ_BIO_PRIVATEKEY,
PEM_R_BAD_PASSWORD_READ);
X509_SIG_free(p8);
goto err;
}
p8inf = PKCS8_decrypt(p8, psbuf, klen);
X509_SIG_free(p8);
if(!p8inf) goto p8err;
ret = EVP_PKCS82PKEY(p8inf);
if(x) {
if(*x) EVP_PKEY_free((EVP_PKEY *)*x);
*x = ret;
}
PKCS8_PRIV_KEY_INFO_free(p8inf);
} else if ((slen = pem_check_suffix(nm, "PRIVATE KEY")) > 0)
...snip
}
What we have here is a stack-allocated password buffer psbuf populated
by a password callback. It is scoped to this particular if-block. The
psbuf is passed to PKCS8_decrypt, where it is const. It looks like the
password is written to the stack, used, and then never cleansed using
OPENSSL_cleanse.
Should the psbuf be cleansed? What about p8inf?
JKL
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
[openssl.org #2452] error at make test
I have done make and make test 2 times. The ourput of make report is as follows: I am running Mac OS X 10.6.6. Checking compiler... Running make... + rm -f libcrypto + rm -f libssl making all in crypto... making all in crypto/md2... make[3]: Nothing to be done for `all'. making all in crypto/md4... make[3]: Nothing to be done for `all'. making all in crypto/md5... make[3]: Nothing to be done for `all'. making all in crypto/sha... make[3]: Nothing to be done for `all'. making all in crypto/mdc2... make[3]: Nothing to be done for `all'. making all in crypto/hmac... make[3]: Nothing to be done for `all'. making all in crypto/ripemd... make[3]: Nothing to be done for `all'. making all in crypto/des... make[3]: Nothing to be done for `all'. making all in crypto/rc2... make[3]: Nothing to be done for `all'. making all in crypto/rc4... make[3]: Nothing to be done for `all'. making all in crypto/rc5... make[3]: Nothing to be done for `all'. making all in crypto/idea... make[3]: Nothing to be done for `all'. making all in crypto/bf... make[3]: Nothing to be done for `all'. making all in crypto/cast... make[3]: Nothing to be done for `all'. making all in crypto/bn... make[3]: Nothing to be done for `all'. making all in crypto/rsa... make[3]: Nothing to be done for `all'. making all in crypto/dsa... make[3]: Nothing to be done for `all'. making all in crypto/dh... make[3]: Nothing to be done for `all'. making all in crypto/dso... make[3]: Nothing to be done for `all'. making all in crypto/buffer... make[3]: Nothing to be done for `all'. making all in crypto/bio... make[3]: Nothing to be done for `all'. making all in crypto/stack... make[3]: Nothing to be done for `all'. making all in crypto/lhash... make[3]: Nothing to be done for `all'. making all in crypto/rand... make[3]: Nothing to be done for `all'. making all in crypto/err... make[3]: Nothing to be done for `all'. making all in crypto/objects... make[3]: Nothing to be done for `all'. making all in crypto/evp... make[3]: Nothing to be done for `all'. making all in crypto/asn1... make[3]: Nothing to be done for `all'. making all in crypto/pem... make[3]: Nothing to be done for `all'. making all in crypto/x509... make[3]: Nothing to be done for `all'. making all in crypto/x509v3... make[3]: Nothing to be done for `all'. making all in crypto/conf... make[3]: Nothing to be done for `all'. making all in crypto/txt_db... make[3]: Nothing to be done for `all'. making all in crypto/pkcs7... make[3]: Nothing to be done for `all'. making all in crypto/pkcs12... make[3]: Nothing to be done for `all'. making all in crypto/comp... make[3]: Nothing to be done for `all'. making all in ssl... make[2]: Nothing to be done for `all'. making all in rsaref... make[2]: Nothing to be done for `all'. making all in apps... rm -f openssl cc -o openssl -DMONOLITH -I../include -O3 -DB_ENDIAN openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o -L.. -lssl -L.. -lcrypto Undefined symbols: "_des_set_key_unchecked", referenced from: _speed_main in speed.o _speed_main in speed.o _speed_main in speed.o "_des_ede3_cbc_encrypt", referenced from: _speed_main in speed.o "_idea_options", referenced from: _speed_main in speed.o _version_main in version.o "_des_options", referenced from: _speed_main in speed.o _version_main in version.o "_des_crypt", referenced from: _do_passwd in passwd.o "_EVP_idea_cbc", referenced from: _genrsa_main in genrsa.o _gendsa_main in gendsa.o _pkcs12_main in pkcs12.o "_PKCS12_pack_safebag", referenced from: _pkcs12_main in pkcs12.o "_idea_cbc_encrypt", referenced from: _speed_main in speed.o "_PKCS12_decrypt_d2i", referenced from: _dump_certs_pkeys_bag in pkcs12.o _dump_certs_keys_p12 in pkcs12.o _pkcs8_main in pkcs8.o "_OpenSSL_add_all_algorithms", referenced from: _main in openssl.o _rsautl_main in rsautl.o _pkcs8_main in pkcs8.o "_des_ncbc_encrypt", referenced from: _speed_main in speed.o "_idea_set_encrypt_key", referenced from: _speed_main in speed.o ld: symbol(s) not found collect2: ld returned 1 exit status make[2]: *** [openssl] Error 1 make[1]: *** [sub_all] Error 1 Running make test... testing... cc -o bntest -I../include -O3 -DB_ENDIAN bntest.o -L.. -lcrypto Undefined symbols: "_BN_mod", referenced from: _test_mod in bntest.o _test_mod in bntest.o _test_mod in bntest.o _test_mod in bntest.o (maybe you meant: _BN_mod_mul, _BN_mod_exp , _BN_mod_mul_montgomery ) ld: symbol(s) not found collect2: ld returned 1 exit status make[2]: *** [bntest] Error 1 make[1]: *** [tests] Error 2 OpenSSL self-test report: O
[PATCH] Fix parallel build for shared library
When I tried to parallel make while enabling shared in Configure, the following error is encountered. | make: *** No rule to make target `libcrypto.a', needed by `libcrypto.so.0.9.8'. Stop. The attached patch adds the dependency rules for libcrypto.a and libssl.a, fixing the above error message. Signed-off-by: Qing He --- This is the version against 0.9.8o diff --git a/Makefile.org b/Makefile.org index e87d623..9fc8297 100644 --- a/Makefile.org +++ b/Makefile.org @@ -350,6 +350,9 @@ all_testapps: build_libs build_testapps build_testapps: @dir=crypto; target=testapps; $(BUILD_ONE_CMD) +libcrypto.a: build_crypto +libssl.a: build_ssl + build_shared: $(SHARED_LIBS) libcrypto$(SHLIB_EXT): libcrypto.a $(SHARED_FIPS) @if [ "$(SHLIB_TARGET)" != "" ]; then \ __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #2451] [PATCH] Enhancement: Telnet START_TLS in s_client
Hi, I sent this patch to the developer list a while ago after I made it for a proof-of-concept in our network. It turns out we will need to support telnet's START_TLS connection method[1] in our mainframe environment, and it would make things easier for our testing/debugging if this was supported in OpenSSL by default. So, this is my enhancement request to add this functionality. The attached patch applies cleanly against the 1.0.0 releases. Let me know if there are any problems. Thanks [1] https://tools.ietf.org/html/draft-altman-telnet-starttls-02 openssl-telnet-starttls.patch Description: Binary data
