shawn wilson ag4ve.us at gmail.com
Sat Apr 12 07:01:17 UTC 2014

But it doesn't really matter if you zero out freed memory. Maybe it'll
prevent you from gaining some stale session info and the like. But even if
that were the case, this would still be a serious bug - you're not going to
reread your private key before encrypting each bit of data after all -
that'd just be wasteful.

In other words, this is kind of moot.
On Apr 12, 2014 2:24 AM, "Mark Andrews" <marka at isc.org> wrote:

> Don't think for one second that using malloc directly would have
> saved OpenSSL here.  By default malloc does not zero freed memory
> it returns.  It is a feature that needs to be enabled.  If OpenSSL
> wanted to zero memory it was returning could have done that itself.
> The only difference is that *some* malloc implementations examine
> the environment and change their behaviour based on that.
> That OpenSSL used its own memory allocator was a problem does not
> stand up to rigorous analysis.
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
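An added illustration of both points above (my own example, not code from either poster or from OpenSSL): a toy fixed-size pool allocator, standing in for a freelist-style allocator, where zeroing on free is an opt-in flag rather than the default. The first check shows that without the flag a reused chunk still carries the previous owner's bytes, and with the flag it does not; the second shows that a buffer holding long-lived key material is never freed, so zero-on-free has no bearing on it. The allocator, chunk sizes and the sample secret strings are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy pool allocator (constructed for the example): fixed-size chunks,
   freed chunks are pushed on a stack and handed back on the next alloc. */
#define CHUNK_SIZE 64
#define POOL_CHUNKS 4

typedef struct {
    unsigned char mem[POOL_CHUNKS][CHUNK_SIZE];
    int free_stack[POOL_CHUNKS];
    int free_top;
    int zero_on_free;   /* the "feature that needs to be enabled" */
} pool_t;

static void pool_init(pool_t *p, int zero_on_free) {
    memset(p, 0, sizeof *p);
    /* Push chunks so that chunk 0 is popped first. */
    for (int i = 0; i < POOL_CHUNKS; i++)
        p->free_stack[i] = POOL_CHUNKS - 1 - i;
    p->free_top = POOL_CHUNKS;
    p->zero_on_free = zero_on_free;
}

static void *pool_alloc(pool_t *p) {
    if (p->free_top == 0) return NULL;
    return p->mem[p->free_stack[--p->free_top]];
}

/* Wipe through a volatile pointer so the compiler cannot drop the
   stores as "dead" just because the buffer is about to be released. */
static void secure_wipe(void *buf, size_t n) {
    volatile unsigned char *vp = buf;
    while (n--) *vp++ = 0;
}

static void pool_free(pool_t *p, void *ptr) {
    int idx = (int)(((unsigned char *)ptr - &p->mem[0][0]) / CHUNK_SIZE);
    if (p->zero_on_free) secure_wipe(ptr, CHUNK_SIZE);
    p->free_stack[p->free_top++] = idx;
}

/* Returns 1 if a chunk handed out after a free still carries the bytes
   its previous owner left there (stale session data, in the thread's terms). */
int stale_data_survives_realloc(int zero_on_free) {
    pool_t p;
    pool_init(&p, zero_on_free);
    char *session = pool_alloc(&p);
    strcpy(session, "SESSIONID=deadbeef");   /* constructed sample secret */
    pool_free(&p, session);
    char *reused = pool_alloc(&p);           /* same chunk comes back */
    return memcmp(reused, "SESSIONID=", 10) == 0;
}

/* A private key stays allocated for the life of the process; it is never
   freed, so zero-on-free never touches it. Only bounds checking on the
   buffers around it keeps it out of an over-read. */
int live_key_unaffected_by_zero_on_free(void) {
    pool_t p;
    pool_init(&p, 1);                        /* zeroing enabled */
    char *key = pool_alloc(&p);
    strcpy(key, "PRIVATE-KEY-MATERIAL");     /* constructed sample secret */
    char *req = pool_alloc(&p);
    strcpy(req, "request");
    pool_free(&p, req);                      /* request buffer is wiped... */
    return memcmp(key, "PRIVATE-KEY-MATERIAL", 20) == 0; /* ...key is not */
}

int main(void) {
    printf("stale data survives, zero-on-free off: %d\n", stale_data_survives_realloc(0));
    printf("stale data survives, zero-on-free on:  %d\n", stale_data_survives_realloc(1));
    printf("live key intact either way:            %d\n", live_key_unaffected_by_zero_on_free());
    return 0;
}
```

Zeroing on free narrows what a reused buffer can leak to whatever was live at the time of the over-read, which is exactly the case the reply above describes: the key that is in use is live by definition, so the allocator's free-time behaviour is beside the point and the length check on the incoming buffer is what matters.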
