[openssl.org #2451] [PATCH] Enhancement: Telnet START_TLS in s_client
Hi,

I sent this patch to the developer list a while ago after I made it for a proof-of-concept in our network. It turns out we will need to support telnet's START_TLS connection method [1] in our mainframe environment, and it would make things easier for our testing/debugging if this was supported in OpenSSL by default. So, this is my enhancement request to add this functionality. The attached patch applies cleanly against the 1.0.0 releases. Let me know if there are any problems.

Thanks

[1] https://tools.ietf.org/html/draft-altman-telnet-starttls-02

Attachment: openssl-telnet-starttls.patch (binary data)
[PATCH] Fix parallel build for shared library
When I tried to parallel make while enabling shared in Configure, the following error is encountered.

| make: *** No rule to make target `libcrypto.a', needed by `libcrypto.so.0.9.8'. Stop.

The attached patch adds the dependency rules for libcrypto.a and libssl.a, fixing the above error message.

Signed-off-by: Qing He qing...@intel.com
---
This is the version against 0.9.8o

diff --git a/Makefile.org b/Makefile.org index e87d623..9fc8297 100644 --- a/Makefile.org +++ b/Makefile.org @@ -350,6 +350,9 @@ all_testapps: build_libs build_testapps build_testapps: @dir=crypto; target=testapps; $(BUILD_ONE_CMD) +libcrypto.a: build_crypto +libssl.a: build_ssl + build_shared: $(SHARED_LIBS) libcrypto$(SHLIB_EXT): libcrypto.a $(SHARED_FIPS) @if [ $(SHLIB_TARGET) != ]; then \

__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
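Review bot: the two added rules `libcrypto.a: build_crypto` and `libssl.a: build_ssl` give the archives prerequisites but no recipe, so the fix only holds if build_crypto and build_ssl really produce files of those names; if they are recursive-make targets that never create a file, like `build_testapps: @dir=crypto; target=testapps; $(BUILD_ONE_CMD)` in the context above, make treats them as out of date on every run, and libcrypto.a and therefore libcrypto$(SHLIB_EXT) get relinked every time even when nothing changed. Consider giving libcrypto.a and libssl.a their own recipes in the same `@dir=...; target=...; $(BUILD_ONE_CMD)` style, so the archive's timestamp governs the shared-library step, and say in the commit message that the rule is needed because a parallel make can reach build_shared before build_libs has produced the archive.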
memory cleansing
The below snippet is from crypto/pem/pem_pkey.c:

    EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u)
    {
        ...snip
        } else if (strcmp(nm,PEM_STRING_PKCS8) == 0) {
            PKCS8_PRIV_KEY_INFO *p8inf;
            X509_SIG *p8;
            int klen;
            char psbuf[PEM_BUFSIZE];
            p8 = d2i_X509_SIG(NULL, &p, len);
            if(!p8) goto p8err;
            if (cb) klen=cb(psbuf,PEM_BUFSIZE,0,u);
            else klen=PEM_def_callback(psbuf,PEM_BUFSIZE,0,u);
            if (klen <= 0) {
                PEMerr(PEM_F_PEM_READ_BIO_PRIVATEKEY, PEM_R_BAD_PASSWORD_READ);
                X509_SIG_free(p8);
                goto err;
            }
            p8inf = PKCS8_decrypt(p8, psbuf, klen);
            X509_SIG_free(p8);
            if(!p8inf) goto p8err;
            ret = EVP_PKCS82PKEY(p8inf);
            if(x) {
                if(*x) EVP_PKEY_free((EVP_PKEY *)*x);
                *x = ret;
            }
            PKCS8_PRIV_KEY_INFO_free(p8inf);
        } else if ((slen = pem_check_suffix(nm, "PRIVATE KEY")) > 0)
        ...snip
    }

What we have here is a stack-allocated password buffer psbuf populated by a password callback. It is scoped to this particular if-block. The psbuf is passed to PKCS8_decrypt, where it is const. It looks like the password is written to the stack, used, and then never cleansed using OPENSSL_cleanse.

Should the psbuf be cleansed? What about p8inf?

JKL
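As an added example (not OpenSSL's code and not part of JKL's post), here is the PKCS8 branch above restructured with a single exit so that psbuf is wiped on the bad-read path, the wrong-passphrase path and the success path alike; cleanse(), demo_cb() and demo_decrypt() are stand-ins written for this example, and "hunter2" is a constructed passphrase.

```c
#include <stddef.h>
#include <string.h>
#define PEM_BUFSIZE 1024

/* Stand-in for OPENSSL_cleanse(): volatile stores cannot be dropped as dead
 * writes, which a plain memset() just before the buffer dies may be. */
static void cleanse(void *p, size_t len)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (len--)
        *vp++ = 0;
}

/* Constructed callback in pem_password_cb shape: copies the passphrase in 'u'
 * into buf and returns its length, or -1 when it does not fit. */
static int demo_cb(char *buf, int size, int rwflag, void *u)
{
    int n = (int)strlen((const char *)u);
    (void)rwflag;
    if (n > size)
        return -1;
    memcpy(buf, u, (size_t)n);
    return n;
}

/* Constructed stand-in for PKCS8_decrypt(): only "hunter2" unlocks the key. */
static int demo_decrypt(const char *pass, int klen)
{
    return klen == 7 && memcmp(pass, "hunter2", 7) == 0;
}

/* The PKCS8 branch with one exit path; wipe == 0 reproduces the thread's code.
 * Returns 1 if the key "loaded"; *leftover is the number of passphrase bytes
 * still readable in psbuf at block exit (counted before the frame is gone). */
static int load_pkcs8_demo(const char *password, int wipe, size_t *leftover)
{
    char psbuf[PEM_BUFSIZE];
    int klen, ret = 0, i;
    klen = demo_cb(psbuf, PEM_BUFSIZE, 0, (void *)password);
    if (klen <= 0)          /* PEM_R_BAD_PASSWORD_READ in the original */
        goto err;
    if (!demo_decrypt(psbuf, klen))
        goto err;           /* PKCS8_decrypt() returned NULL */
    ret = 1;
err:
    if (wipe)
        cleanse(psbuf, sizeof(psbuf));
    for (*leftover = 0, i = 0; i < klen; i++)
        *leftover += psbuf[i] != 0;
    return ret;
}
```

With wipe == 0 the passphrase survives in psbuf after both the success and the wrong-passphrase paths, which is why the cleanse belongs at the shared exit rather than only after a successful decrypt.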