The reason why I repeat "System.Memory" is that if the Crypto (and similarly used modules like for instance Stdio) could use generic string objects, all that extra payload as well as functionality could be put in nice secure objects, separate from anything else in the Pike core and then not mess anything else up. Also, these objects are unique and destructive, not shared like strings.
Ponder:
non-crypto part: crypto part:
string s="apelsin"; string key=secure_my_string("apelsin"); ... ... werror("s=%O\n",s);
In this case, if the shared string "apelsin" is flagged, it will be obvious in the non-crypto part that it's a key or password somewhere.
/ Mirar
Previous text:
2003-01-29 09:05: Subject: Re: OpenSSL wrapper vs Pike's SSL (Was: Bz2)
And I feel it's not worth the effort to try to do anything fancy with "secure deletion", mlock etc.
mlock is pretty useless as it only works for root, and one don't want to encourage people to run their processes as root "for security reasons". (I'm sure not everybody agrees with that).
Clearing strings and other memory when they're deallocated is reasonable, if you want to pay the extra cycles. Only question is how configurable that should be. A flag to make a particular string not appear in backtraces (or more generally, by sprintf("%O", s)) seems a little obscure, but it might be useful. Anything more complex than that? I don't think that's a good idea.
/ Niels Möller ()