Hi, > I have "checked" the current source code of 'crpyto/mem.c' and I'm a > little bit suprised that no memset()-calls are made before the free_*() > functions are entered. I think a "zeroing" of the previous used memory > is a good solutions to beware for accessing old memory content.
Leaving aside the problem that just zeroing the memory simply doesn't work (for a start into that discussion see e.g. http://bytes.com/topic/c/answers/660296-memset-free), there is OPENSSL_cleanse which does something similar (actually, it overwrites the memory with "garbage", not just with zeros) in a way that works. Attempting to be faster at run time, this needs to be called explicitly, though (and it's called in a lot of places if you look into the source code). But it might in fact be a good idea to put that call simply in the free function and be done with it. With modern processors, the slowdown is probably hardly nocticeable anyway. Regards, Stefan ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
