pyca/pyopenssl

Add SSL_OP_CLEANSE_PLAINTEXT to exported set of options

evilaliv3 opened this issue · 0 comments

I think it could be valuable to export the SSL_OP_CLEANSE_PLAINTEXT option, introduced in OpenSSL 3, which enables configuring the library to perform a secure clean of plaintext buffers.

Reference: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_clear_options.html

By default TLS and QUIC SSL objects keep a copy of received plaintext application data in a static buffer until it is overwritten by the next portion of data. When enabling SSL_OP_CLEANSE_PLAINTEXT deciphered application data is cleansed by calling OPENSSL_cleanse(3) after passing data to the application. Data is also cleansed when releasing the connection (e.g. SSL_free(3)).

Since OpenSSL only cleanses internal buffers, the application is still responsible for cleansing all other buffers. Most notably, this applies to buffers passed to functions like SSL_read(3), SSL_peek(3) but also like SSL_write(3).

TLS connections do not buffer data to be sent in plaintext. QUIC stream objects do buffer plaintext data to be sent and this option will also cause that data to be cleansed when it is discarded.

This option can be set differently on individual QUIC stream objects and has no effect on QUIC connection objects (except where a default stream is being used).
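The two halves of the quoted documentation, as an added example that is not part of the issue and is not pyOpenSSL code: setting the option bit on a context, and wiping the application-owned read buffer that OpenSSL does not cleanse. It uses Python's standard `ssl` module instead of pyOpenSSL. The function names are hypothetical, and the numeric value of the option is an assumption taken from the OpenSSL 3 headers.

```python
import socket
import ssl

# Assumption: SSL_OP_CLEANSE_PLAINTEXT is SSL_OP_BIT(1) in the OpenSSL 3
# headers; confirm against <openssl/ssl.h> of the library you link against.
SSL_OP_CLEANSE_PLAINTEXT = 1 << 1


def enable_cleanse_plaintext(ctx):
    """Set the option on an ssl.SSLContext; return True if it is active."""
    if ssl.OPENSSL_VERSION_INFO < (3, 0, 0):
        return False  # the option was introduced in OpenSSL 3
    ctx.options |= SSL_OP_CLEANSE_PLAINTEXT
    return bool(ctx.options & SSL_OP_CLEANSE_PLAINTEXT)


def read_and_wipe(sock, handler, bufsize=4096):
    """Read once into a mutable buffer, pass a view to handler, then zero it.

    OpenSSL cleanses only its internal buffers; this buffer belongs to the
    application. recv() would return immutable bytes that cannot be
    overwritten, so recv_into() with a bytearray is used instead.
    Best effort: handler must not copy the data (bytes(view), str, ...).
    """
    buf = bytearray(bufsize)
    try:
        n = sock.recv_into(buf)
        with memoryview(buf) as view:
            return handler(view[:n])
    finally:
        # Same-length slice assignment overwrites the storage in place.
        buf[:] = bytes(len(buf))


if __name__ == "__main__":
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    print("cleanse option active:", enable_cleanse_plaintext(ctx))

    # Constructed sample input: a local socket pair stands in for a TLS peer.
    left, right = socket.socketpair()
    left.sendall(b"constructed-secret")
    print("bytes handled:", read_and_wipe(right, len))
    left.close()
    right.close()
```

`read_and_wipe` accepts any object with a `recv_into` method, so a wrapped `ssl.SSLSocket` can be passed in place of the plain socket used in the demo.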