Date sent: Fri, 22 Nov 2002 10:21:30 EST
From: Jeffrey Altman <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Copies to: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: IMPORTANT: The release of 0.9.6h is postponed
Send reply to: [EMAIL PROTECTED]

You are worried about a performance impact of clearing a small password buffer? I would think the idea of changing memset() to a more secure function is an excellent idea and well worth a couple of days of delay. Heck, I have been waiting for release 0.9.7 for a couple of years!

Ken

> I thought making a memset() look-alike (somewhere in the discussion,
> "setmem()" was proposed) was enough to prevent it. No?

There were three suggestions made that I had seen that appeared to work:

. change all password buffers to volatile
. replace memset() with your own function not called memset
. use compiler specific command line options to turn off this optimization

The problem with the first two is that they do have significant performance impacts. The problem with the last is that we do not want to need to know the command line options for each and every compiler.

Jeffrey Altman * Sr.Software Designer
Kermit 95 2.0 GUI available now!!!
The Kermit Project @ Columbia University
SSH, Secure Telnet, Secure FTP, HTTP
http://www.kermit-project.org/
Secured with MIT Kerberos, SRP, and [EMAIL PROTECTED] OpenSSL.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]

Support
InterSoft International, Inc.
Voice: 888-823-1541, International 281-398-7060
Fax: 888-823-1542, International 281-398-0221
[EMAIL PROTECTED]
http://www.securenetterm.com
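
The first two suggestions listed in the message above, sketched in C as an added example; this is not code from the thread or from OpenSSL. The names wipe_volatile, wipe_fnptr, is_zeroed and use_password, and the 64-byte buffer, are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Suggestion 1, applied at the wipe site only: store through a
 * volatile-qualified pointer so compilers treat each write as an observable
 * side effect, while the buffer itself stays non-volatile for normal use. */
void wipe_volatile(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Suggestion 2: a function not called memset. The volatile function pointer
 * is re-read at run time, so the compiler cannot prove the callee is memset
 * and cannot drop the call as a dead store. */
static void *(*const volatile memset_ptr)(void *, int, size_t) = memset;

void wipe_fnptr(void *buf, size_t len)
{
    memset_ptr(buf, 0, len);
}

/* Returns 1 if every byte of buf is zero, 0 otherwise. */
int is_zeroed(const void *buf, size_t len)
{
    const unsigned char *p = (const unsigned char *)buf;
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= p[i];
    return acc == 0;
}

/* Constructed usage: a password copied into a local buffer whose last use
 * is the clearing call. With plain memset() here, an optimizer may remove
 * the store because buf is never read again. */
size_t use_password(const char *pw)
{
    char buf[64];
    size_t n = strlen(pw);
    if (n >= sizeof buf)
        n = sizeof buf - 1;          /* truncate rather than overflow */
    memcpy(buf, pw, n);
    buf[n] = '\0';
    size_t used = strlen(buf);       /* stand-in for the real work */
    wipe_volatile(buf, sizeof buf);
    return used;
}
```

Comparing the compiler's assembly output for use_password() at -O2 with plain memset() against the version above shows whether the clearing store survives in a given build.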