[Dovecot] Re: password generation tool and additional hashes
Alexander Sabourenkov
screwdriver at lxnt.info
Tue Jul 27 10:04:22 EEST 2004
Timo Sirainen wrote:
> On 27.7.2004, at 09:27, Alexander Sabourenkov wrote:
>
>>> safe_memset() exists pretty much for this reason. Compilers may sooner
>>> or later optimize out this kind of code because it seems useless to it.
>>> Microsoft's compilers already do in some cases.
>>
>>
>> That's called bzero() on *nix (POSIX.1).
>
>
> Nope:
>
> CONFORMING TO
> 4.3BSD. This function is deprecated -- use memset in new programs.
May be so in glibc, but (freebsd 5.2.1):
HISTORY
A bzero() function appeared in 4.3BSD. Its prototype existed previously
in <string.h> before it was moved to <strings.h> for IEEE Std 1003.1-2001
(``POSIX.1'') compliance.
and nothing on deprecation. Though I made a mistake of mentioning POSIX.1
here, seems like it was moved out of string.h to make string.h posix-compliant.
> Also I just tested how gcc 3.3.3 works. In a function like:
>
> void test(void)
> {
> char arr[4];
>
> scanf("%3s", arr);
> printf("your secure password: %s\n", arr);
> bzero(arr, sizeof(arr));
> memset(arr, 0, sizeof(arr));
> }
>
> Both bzero() and memset() are optimized away if optimizations are turned
> on.
Note I haven' said it should not ever be optimized away.
Anyway I really prefer the way strings are handled in exim MTA, complete with
pool memory allocation. Second preferable is APR, taking subversion as an
example. That's much cleaner than the (more) traditional methods, IMHO.
--
./lxnt
More information about the dovecot
mailing list