Sorry, my fingers banged out the message before my brain thought to look at the rest of the thread to see if anyone had suggested making the buffers volatile.
-----Original Message-----
From: Jeffrey Altman [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 22, 2002 7:22 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: IMPORTANT: The release of 0.9.6h is postponed

> I thought making a memset() look-alike (somewhere in the discussion,
> "setmem()" was proposed) was enough to prevent it. No?

There were three suggestions made that I had seen that appeared to work:

 . change all password buffers to volatile
 . replace memset() with your own function not called memset
 . use compiler specific command line options to turn off this optimization

The problem with the first two is that they do have significant performance impacts. The problem with the last is that we do not want to need to know the command line options for each and every compiler.

Jeffrey Altman * Sr.Software Designer      Kermit 95 2.0 GUI available now!!!
The Kermit Project @ Columbia University   SSH, Secure Telnet, Secure FTP, HTTP
http://www.kermit-project.org/             Secured with MIT Kerberos, SRP, and
[EMAIL PROTECTED]                          OpenSSL.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
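
The second suggestion in the quoted message (a wipe function not called memset), written out as an added example; it is not code from this thread or from OpenSSL. The names `wipe_volatile`, `wipe_indirect`, `use_secret_plain`, `use_secret_wiped` and the 64-byte buffer are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Own wipe function, not called memset. Each store goes through a
 * volatile-qualified lvalue, which compilers treat as a side effect
 * they must keep, so the loop is not removed as a dead store. */
void wipe_volatile(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Variant: reach the library memset through a volatile function
 * pointer. The pointer must be re-read at the call, so the compiler
 * cannot assume the callee is memset and reason the stores away. */
static void *(*const volatile memset_v)(void *, int, size_t) = memset;

void wipe_indirect(void *buf, size_t len)
{
    memset_v(buf, 0, len);
}

/* Constructed stand-in for work done on a password copy. */
static unsigned sum_bytes(const unsigned char *p, size_t n)
{
    unsigned s = 0;
    while (n--)
        s += *p++;
    return s;
}

/* Pattern under discussion: pw[] is never read after the memset, so an
 * optimizer may delete the call and leave the password on the stack. */
unsigned use_secret_plain(const char *secret)
{
    unsigned char pw[64] = {0};
    strncpy((char *)pw, secret, sizeof pw - 1);
    unsigned s = sum_bytes(pw, sizeof pw);
    memset(pw, 0, sizeof pw);          /* may be elided as a dead store */
    return s;
}

/* Same function with a wipe that survives optimization. */
unsigned use_secret_wiped(const char *secret)
{
    unsigned char pw[64] = {0};
    strncpy((char *)pw, secret, sizeof pw - 1);
    unsigned s = sum_bytes(pw, sizeof pw);
    wipe_volatile(pw, sizeof pw);
    return s;
}
```

Both functions return the same value; the difference shows only in the generated code, so compare the optimized assembly of the two (for example `cc -O2 -S`) to see whether the plain `memset` call was kept.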