Import the #'clear-string API from GNU, use it in tls.c src/ChangeLog addition: 2015-04-18 Aidan Kehoe <kehoea@parhasard.net> * sequence.c (Fclear_string): New, API from GNU. Zero a string's contents, making sure the text is not kept around even when the string's data is reallocated because of a changed character length. * sequence.c (syms_of_sequence): Make it available to Lisp. * lisp.h: Make it available to C code. * tls.c (nss_pk11_password): Use it. * tls.c (gnutls_pk11_password): Use it. * tls.c (openssl_password): Use it. tests/ChangeLog addition: 2015-04-18 Aidan Kehoe <kehoea@parhasard.net> * automated/lisp-tests.el: Test #'clear-string, just added. Unfortunately there's no way to be certain from Lisp that the old password data has been erased after realloc; it may be worth adding a test to tests.c, but *we'll be reading memory we shouldn't be*, so that gives me pause.

--- a/src/ChangeLog	Thu Apr 09 14:54:37 2015 +0100
+++ b/src/ChangeLog	Sat Apr 18 23:00:14 2015 +0100
@@ -1,3 +1,15 @@
+2015-04-18  Aidan Kehoe  <kehoea@parhasard.net>
+
+	* sequence.c (Fclear_string): New, API from GNU.  Zero a string's
+	contents, making sure the text is not kept around even when the
+	string's data is reallocated because of a changed character
+	length.
+	* sequence.c (syms_of_sequence): Make it available to Lisp.
+	* lisp.h: Make it available to C code.
+	* tls.c (nss_pk11_password): Use it.
+	* tls.c (gnutls_pk11_password): Use it.
+	* tls.c (openssl_password): Use it.
+
 2015-04-09  Aidan Kehoe  <kehoea@parhasard.net>
 
 	* tls.c (nss_pk11_password):