Date sent:              Fri, 22 Nov 2002 10:21:30 EST
From:                   Jeffrey Altman <[EMAIL PROTECTED]>
To:                     [EMAIL PROTECTED]
Copies to:              [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject:                Re: IMPORTANT: The release of 0.9.6h is postponed
Send reply to:          [EMAIL PROTECTED]

You are worried about a performance impact of clearing a small password buffer?  I 
would think the idea of changing memset() to a more secure function is an excellent 
idea and well worth a couple of days of delay.  Heck, I have been waiting for release 
0.9.7 for a couple of years!

Ken

> I thought making a memset() look-alike (somewhere in the discussion,
> "setmem()" was proposed) was enough to prevent it.  No?

There were three suggestions made that I had seen that appeared to
work:

 . change all password buffers to volatile

 . replace memset() with your own function not called memset

 . use compiler specific command line options to turn off this
   optimization

The problem with the first two is that they do have significant
performance impacts.

The problem with the last is that we do not want to need to know the
command line options for each and every compiler.


 Jeffrey Altman * Sr.Software Designer     Kermit 95 2.0 GUI available now!!!
 The Kermit Project @ Columbia University  SSH, Secure Telnet, Secure FTP, HTTP
 http://www.kermit-project.org/            Secured with MIT Kerberos, SRP, and 
 [EMAIL PROTECTED]               OpenSSL.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
Support
InterSoft International, Inc.
Voice: 888-823-1541, International 281-398-7060
Fax: 888-823-1542, International 281-398-0221
[EMAIL PROTECTED]
http://www.securenetterm.com
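The second of the three suggestions, worked as an added C example (not code from this thread or from OpenSSL; `secure_cleanse`, `hash_password` and the other names are hypothetical): the clearing routine writes through a volatile-qualified pointer, so only that one function changes rather than every password buffer, and the memset() branch shows the store the optimiser is free to drop.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical memset() replacement for clearing secrets: every store goes
 * through a volatile-qualified pointer, so the compiler must emit it even when
 * the buffer is never read again.  Only this routine changes; the password
 * buffers themselves stay ordinary (non-volatile) arrays. */
void *secure_cleanse(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
    return p;
}

/* Non-zero bytes in a buffer, to check that clearing took effect. */
size_t count_nonzero(const unsigned char *p, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++) c += (p[i] != 0);
    return c;
}

/* The pattern under discussion: copy a password into a local buffer, use it,
 * clear it before returning.  The memset() branch is a dead store from the
 * optimiser's point of view (pw is never read afterwards) and may be dropped;
 * the secure_cleanse() branch is not. */
unsigned hash_password(const char *password, int use_secure_cleanse)
{
    unsigned char pw[64];
    size_t len = strlen(password);
    unsigned h = 5381;
    if (len > sizeof pw) len = sizeof pw;
    memcpy(pw, password, len);
    for (size_t i = 0; i < len; i++) h = h * 33 + pw[i];
    if (use_secure_cleanse)
        secure_cleanse(pw, sizeof pw);
    else
        memset(pw, 0, sizeof pw);   /* candidate for dead-store elimination */
    return h;
}

/* Self-check: fill a buffer with constructed data, cleanse, count leftovers. */
size_t leftover_after_cleanse(void)
{
    unsigned char buf[32];
    memset(buf, 0xA5, sizeof buf);
    secure_cleanse(buf, sizeof buf);
    return count_nonzero(buf, sizeof buf);
}
```

Build at -O2 and compare the generated code for the two branches of hash_password(): the memset() call may be absent while the volatile loop remains.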
