In our haste to help, the secure memory allocation patch we posted last week 
had two issues. First, it wasn’t easy to use. We knew that, and tried to set 
expectations accordingly. Second, it wasn’t really secure enough. We didn’t 
know that, and we thank everyone who brought it to our attention. For example, 
it only protected keys that came in via ASN.1 (which addressed our use-case but 
wasn’t made explicit) and, much worse, it failed to protect all the necessary 
key parameters and values used in intermediate calculations.
We are working on new code that will  address both issues, and hope to post the 
next revision in a couple of days.  The heap is more like OpenSSL coding style, 
and protects all BIGNUM's.  If you are interested and able to help out before 
we post it, please contact me directly.

Principal Security Engineer
Akamai Technology
Cambridge, MA

Reply via email to