I am concerned about the performance impact of the use of 'volatile' memory access because it means that all access to the memory region must be performed without use of memory caches.
> You are worried about a performance impact of clearing a small password buffer? I > would think the idea of changing memset() to a more secure function is an excellent > idea and well worth a couple of days of delay. Heck, I have been waiting for >release > 0.9.7 for a couple of years! > > Ken > > > I thought making a memset() look-alike (somewhere in the discussion, > > "setmem()" was proposed) was enough to prevent it. No? > > There were three suggestions made that I had seen that appeared to > work: > > . change all password buffers to volatile > > . replace memset() with your own function not called memset > > . use compiler specific command line options to turn off this > optimization > > The problem with the first two is that they do have significant > performance impacts. > > The problem with the last is that we do not want to need to know the > command line options for each and every compiler. > > > Jeffrey Altman * Sr.Software Designer Kermit 95 2.0 GUI available now!!! > The Kermit Project @ Columbia University SSH, Secure Telnet, Secure FTP, HTTP > http://www.kermit-project.org/ Secured with MIT Kerberos, SRP, and > [EMAIL PROTECTED] OpenSSL. > ___________________________________________________________________ > ___ > OpenSSL Project http://www.openssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager > [EMAIL PROTECTED] > ___ > Support > InterSoft International, Inc. > Voice: 888-823-1541, International 281-398-7060 > Fax: 888-823-1542, International 281-398-0221 > [EMAIL PROTECTED] > http://www.securenetterm.com > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] > Jeffrey Altman * Sr.Software Designer Kermit 95 2.0 GUI available now!!! The Kermit Project @ Columbia University SSH, Secure Telnet, Secure FTP, HTTP http://www.kermit-project.org/ Secured with MIT Kerberos, SRP, and [EMAIL PROTECTED] OpenSSL. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
