[openssl.org #2451] [PATCH] Enhancement: Telnet START_TLS in s_client

[David Michael via RT]

Hi,

  I sent this patch to the developer list a while ago after I made it
for a proof-of-concept in our network.  It turns out we will need to
support telnet's START_TLS connection method[1] in our mainframe
environment, and it would make things easier for our testing/debugging
if this was supported in OpenSSL by default.  So, this is my
enhancement request to add this functionality.

  The attached patch applies cleanly against the 1.0.0 releases.  Let
me know if there are any problems.

  Thanks

[1] https://tools.ietf.org/html/draft-altman-telnet-starttls-02



openssl-telnet-starttls.patch
Description: Binary data

[PATCH] Fix parallel build for shared library

[Qing He]

When I tried to parallel make while enabling shared in Configure,
the following error is encountered.

| make: *** No rule to make target `libcrypto.a', needed by 
`libcrypto.so.0.9.8'.  Stop.

The attached patch adds the dependency rules for libcrypto.a and
libssl.a, fixing the above error message.

Signed-off-by: Qing He qing...@intel.com
---

This is the version against 0.9.8o

diff --git a/Makefile.org b/Makefile.org
index e87d623..9fc8297 100644
--- a/Makefile.org
+++ b/Makefile.org
@@ -350,6 +350,9 @@ all_testapps: build_libs build_testapps
 build_testapps:
@dir=crypto; target=testapps; $(BUILD_ONE_CMD)
 
+libcrypto.a: build_crypto
+libssl.a: build_ssl
+
 build_shared:  $(SHARED_LIBS)
 libcrypto$(SHLIB_EXT): libcrypto.a $(SHARED_FIPS)
@if [ $(SHLIB_TARGET) !=  ]; then \
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

memory cleansing

[Jonathan Landis]

The below snippet is from crypto/pem/pem_pkey.c

EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb
*cb, void *u) {

...snip
} else if (strcmp(nm,PEM_STRING_PKCS8) == 0) {
PKCS8_PRIV_KEY_INFO *p8inf;
X509_SIG *p8;
int klen;
char psbuf[PEM_BUFSIZE];
p8 = d2i_X509_SIG(NULL, p, len);
if(!p8) goto p8err;
if (cb) klen=cb(psbuf,PEM_BUFSIZE,0,u);
else klen=PEM_def_callback(psbuf,PEM_BUFSIZE,0,u);
if (klen = 0) {
PEMerr(PEM_F_PEM_READ_BIO_PRIVATEKEY,
PEM_R_BAD_PASSWORD_READ);
X509_SIG_free(p8);
goto err;
}
p8inf = PKCS8_decrypt(p8, psbuf, klen);
X509_SIG_free(p8);
if(!p8inf) goto p8err;
ret = EVP_PKCS82PKEY(p8inf);
if(x) {
if(*x) EVP_PKEY_free((EVP_PKEY *)*x);
*x = ret;
}
PKCS8_PRIV_KEY_INFO_free(p8inf);
} else if ((slen = pem_check_suffix(nm, PRIVATE KEY))  0)
...snip
}

What we have here is a stack-allocated password buffer psbuf populated
by a password callback. It is scoped to this particular if-block. The
psbuf is passed to PKCS8_decrypt, where it is const. It looks like the
password is written to the stack, used, and then never cleansed using
OPENSSL_cleanse.

Should the psbuf be cleansed? What about p8inf?

JKL


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org