Debian considers switching curl to use libssh instead of libssh2
Will Cosgrove
will at panic.com
Wed Jan 5 18:18:30 CET 2022
Yes, we use SecureZeroMemory() and memset_s().
Will
> On Jan 5, 2022, at 7:05 AM, Andreas Schneider <asn at cryptomilk.org> wrote:
>
> On Tuesday, January 4, 2022 6:05:05 PM CET Will Cosgrove via libssh2-devel
> wrote:
>> We do zero some sensitive data, but could be reviewed for completeness.
>
> I don't know how you exactly zero sensitive data, but be aware that if you do:
>
> memset()
> free()
>
> The optimizer will optimize away the memset(). You either use explicit_bzero()
> or protect the memset() with additional assembler code. There is also
> memset_s() or memset_secure() on some platforms.
>
>
> Andreas
>
> --
> Andreas Schneider asn at cryptomilk.org
> GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
>
>
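The wipe-before-free pattern discussed in this message, as an added example that is not part of the original thread or of libssh/libssh2: it uses SecureZeroMemory() or memset_s() where the platform provides them and otherwise guards memset() with an empty asm compiler barrier. The names secure_wipe, secure_free and demo_residue are hypothetical, and the key bytes are constructed.

```c
#define __STDC_WANT_LIB_EXT1__ 1   /* request memset_s() where Annex K exists */
#include <stdlib.h>
#include <string.h>
#if defined(_WIN32)
#include <windows.h>
#endif

/* Hypothetical helper name; not a libssh or libssh2 function. */
void secure_wipe(void *p, size_t n)
{
    if (p == NULL || n == 0)
        return;
#if defined(_WIN32)
    SecureZeroMemory(p, n);
#elif defined(__STDC_LIB_EXT1__)
    (void)memset_s(p, n, 0, n);
#elif defined(__GNUC__)
    memset(p, 0, n);
    /* Compiler barrier: the asm statement may read memory through p, so the
     * memset() above is not a dead store even when free() follows directly. */
    __asm__ __volatile__("" : : "r"(p) : "memory");
#else
    /* Portable fallback: writes through a volatile pointer must be performed. */
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
#endif
}

/* Wipe, then free: the sequence where a plain memset() can be dropped. */
void secure_free(void *p, size_t n)
{
    secure_wipe(p, n);
    free(p);
}

/* Constructed demo: returns the number of non-zero bytes left after wiping. */
size_t demo_residue(void)
{
    size_t i, left = 0, n = 32;
    unsigned char *key = malloc(n);
    if (key == NULL) return n;
    memset(key, 0xA5, n);            /* constructed stand-in for key material */
    secure_wipe(key, n);
    for (i = 0; i < n; i++)
        left += (key[i] != 0);
    secure_free(key, n);
    return left;
}
```

Reading the buffer back in demo_residue() only checks that the helper zeroes the bytes; whether the store survives optimization is confirmed by inspecting the compiler's optimized assembly output.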