On Mon Apr 14 21:53:00 2014, mar...@activezone.de wrote:
> Hi!
>
> I have "checked" the current source code of 'crypto/mem.c' and I'm a
> little bit surprised that no memset() calls are made before the free_*()
> functions are entered. I think a "zeroing" of the previously used memory
> is a good solution to guard against accessing old memory content.

Closed as rejected.

The API to use for sensitive information is OpenSSL_cleanse, and in the
malloc wrapping functions, at the points you suggest in your proposed patch, the
length of the allocated buffer simply is not available.

The use of strlen assumes that the provided buffer is a valid NUL-terminated
string - and that is not a valid assumption to make.

It is possible to register a set of replacement routines using the
CRYPTO_set_mem_functions function and use those to track the allocated lengths
and then elect to zeroise automatically if that is the behaviour you want to
see used.

Additionally, some operating-system-provided malloc libraries have options to
control that sort of behaviour at runtime.

Thanks,

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
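
The replacement-routine approach described in the reply above, as an added example (not code from the OpenSSL project or from either poster): a length-tracking allocator triple that zeroises every block on free and on realloc. The names `zmalloc`, `zrealloc`, `zfree`, `zhdr` and `wiped_total` are hypothetical, the signatures assume the OpenSSL 1.1.0+ form of `CRYPTO_set_mem_functions` (with file/line arguments), and a volatile loop stands in for `OPENSSL_cleanse` so the block builds without libcrypto.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Header in front of each block records its length for the free path. */
typedef union { size_t len; max_align_t align; } zhdr;
static size_t wiped_total; /* payload bytes zeroised so far */

/* Volatile stores keep the compiler from dropping the wipe as a dead store. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *b = p;
    for (size_t i = 0; i < n; i++) b[i] = 0;
    wiped_total += n;
}
static size_t tracked_len(const void *p) { return ((const zhdr *)p - 1)->len; }

/* Signatures follow OpenSSL 1.1.0+ (file/line arguments); an assumption. */
void *zmalloc(size_t num, const char *file, int line) {
    (void)file; (void)line;
    if (num > SIZE_MAX - sizeof(zhdr)) return NULL; /* size overflow */
    zhdr *h = malloc(sizeof(zhdr) + num);
    if (h == NULL) return NULL;
    h->len = num;
    return h + 1; /* caller sees only the payload */
}
void zfree(void *addr, const char *file, int line) {
    (void)file; (void)line;
    if (addr == NULL) return;
    wipe(addr, tracked_len(addr)); /* length comes from the header, not strlen */
    free((zhdr *)addr - 1);
}
void *zrealloc(void *addr, size_t num, const char *file, int line) {
    if (addr == NULL) return zmalloc(num, file, line);
    if (num == 0) { zfree(addr, file, line); return NULL; }
    void *n = zmalloc(num, file, line);
    if (n == NULL) return NULL; /* old block stays valid, as with realloc */
    size_t old = tracked_len(addr);
    memcpy(n, addr, old < num ? old : num);
    zfree(addr, file, line); /* old copy is wiped before release */
    return n;
}

/* With libcrypto linked, register before any other OpenSSL call:
 *   CRYPTO_set_mem_functions(zmalloc, zrealloc, zfree);            */
int main(void) {
    unsigned char *key = zmalloc(16, __FILE__, __LINE__); /* constructed sample */
    if (key == NULL) return 1;
    memset(key, 0x5A, 16);
    zfree(key, __FILE__, __LINE__);
    return wiped_total == 16 ? 0 : 1;
}
```

Because `zrealloc` always copies into a fresh block, no stale copy of the data is left behind when a buffer grows, at the cost of never resizing in place.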
