Index: trunk/src/bignum.c
===================================================================
--- trunk/src/bignum.c	(revision 543)
+++ trunk/src/bignum.c	(revision 544)
@@ -425,4 +425,5 @@
 {
     DIGIT *a_ptr, *b_ptr;
+    int retval = 0;
 
     if (a->dgs_used  == b->dgs_used)
@@ -437,10 +438,12 @@
 	if (a_ptr < a->dp)
 	{
-	    return 0;
+	    return retval;
 	}
 	else
 	{
-	    return (*a_ptr > *b_ptr) ? 1 : -1;
-	}
+	    if (retval == 0)
+	        retval = (*a_ptr > *b_ptr) ? 1 : -1;
+	}
+	return retval;
     }
     return (a->dgs_used > b->dgs_used) ? 1 : -1;
Index: trunk/src/cutest_slib.c
===================================================================
--- trunk/src/cutest_slib.c	(revision 543)
+++ trunk/src/cutest_slib.c	(revision 544)
@@ -58,4 +58,25 @@
 }
 
+void Test_sl_ts_strncmp (CuTest *tc) {
+  char one[64], two[64];
+  int  res;
+
+  strcpy(one, "foo");
+  strcpy(two, "foo");
+  res = sl_ts_strncmp(one, two, 3);
+  CuAssertIntEquals(tc, 0, res);
+
+  strcpy(one, "fox");
+  strcpy(two, "foo");
+  res = sl_ts_strncmp(one, two, 2);
+  CuAssertIntEquals(tc, 0, res);
+  
+  strcpy(one, "f9o");
+  strcpy(two, "foo");
+  res = sl_ts_strncmp(one, two, 3);
+  CuAssertTrue(tc, 0 != res);
+
+}
+
 void Test_sl_strcasecmp (CuTest *tc) {
   char one[64], two[64];
Index: trunk/src/sh_calls.c
===================================================================
--- trunk/src/sh_calls.c	(revision 543)
+++ trunk/src/sh_calls.c	(revision 544)
@@ -51,5 +51,4 @@
 #include "samhain.h"
 #include "sh_error.h"
-#include "sh_calls.h"
 #include "sh_ipvx.h"
 #include "sh_sub.h"
Index: trunk/src/sh_srp.c
===================================================================
--- trunk/src/sh_srp.c	(revision 543)
+++ trunk/src/sh_srp.c	(revision 544)
@@ -48,5 +48,5 @@
 #define bignum MP_INT
 
-inline
+static
 int big_create (bignum * a)
 {
@@ -55,5 +55,5 @@
 }
 
-inline
+static
 int big_zerop (bignum * a)
 {
@@ -69,5 +69,5 @@
 }
 
-inline
+static
 int big_trunc (bignum * a, bignum * b, bignum * q, bignum *r)
 {
@@ -76,5 +76,5 @@
 }
 
-inline
+static
 int big_exptmod (bignum * a, bignum * b, bignum * c, bignum *d)
 {
@@ -136,5 +136,5 @@
 }
 
-inline 
+static 
 int big_add(bignum * a, bignum * b, bignum * c)
 {
@@ -143,5 +143,5 @@
 }
 
-inline 
+static 
 int big_sub(bignum * a, bignum * b, bignum * c)
 {
@@ -150,5 +150,5 @@
 }
 
-inline 
+static 
 int big_mul(bignum * a, bignum * b, bignum * c)
 {
@@ -157,5 +157,5 @@
 }
 
-inline 
+static 
 int big_greaterp(bignum * a, bignum * b)
 {
@@ -163,5 +163,5 @@
 }
 
-inline 
+static 
 int big_set_big(bignum * a, bignum * b)
 {
@@ -171,5 +171,5 @@
 
 
-inline 
+static 
 int big_set_string(const char * str, int base, bignum * a)
 {
Index: trunk/src/sh_xfer_client.c
===================================================================
--- trunk/src/sh_xfer_client.c	(revision 543)
+++ trunk/src/sh_xfer_client.c	(revision 544)
@@ -769,5 +769,5 @@
    */
   sh_passwd (nounce, NULL, NULL, temp);
-  if ( 0 != sl_strncmp(temp, answer, KEY_LEN))
+  if ( 0 != sl_ts_strncmp(temp, answer, KEY_LEN))
     flag_err = (-1);
   
@@ -1003,5 +1003,5 @@
 				    );
 		      if (M != NULL && 
-			  0 == sl_strncmp (answer, M, KEY_LEN+1))
+			  0 == sl_ts_strncmp (answer, M, KEY_LEN+1))
 			{
 			  sl_strlcpy (skey->session, 
@@ -1083,5 +1083,5 @@
 			pos+1);
       flag_err = 
-	sl_strncmp(&answer[KEY_LEN+pos],
+	sl_ts_strncmp(&answer[KEY_LEN+pos],
 		   sh_util_siggen(skey->session, 
 				  buffer,
@@ -1202,10 +1202,10 @@
       (void) sl_strlcpy(buffer, errmsg, len);
       (void) sl_strlcat(buffer, nsrv,   len);
-      flag_err = sl_strncmp(answer,
-			    sh_util_siggen(skey->session, 
-					   buffer,
-					   sl_strlen(buffer),
-					   sigbuf, sizeof(sigbuf)),
-			    KEY_LEN);
+      flag_err = sl_ts_strncmp(answer,
+			       sh_util_siggen(skey->session, 
+					      buffer,
+					      sl_strlen(buffer),
+					      sigbuf, sizeof(sigbuf)),
+			       KEY_LEN);
       TPT((0, FIL__, __LINE__, _("msg=<sign %s.>\n"),
 	   sh_util_siggen(skey->session, buffer, 
Index: trunk/src/sh_xfer_server.c
===================================================================
--- trunk/src/sh_xfer_server.c	(revision 543)
+++ trunk/src/sh_xfer_server.c	(revision 544)
@@ -1198,5 +1198,5 @@
 	      KEY_LEN+1);
   
-  if (0 != sl_strncmp(conn->K, conn->buf, KEY_LEN))
+  if (0 != sl_ts_strncmp(conn->K, conn->buf, KEY_LEN))
     {
       TPT((0, FIL__, __LINE__, _("msg=<clt %s>\n"), conn->buf));
@@ -1664,10 +1664,10 @@
 	   */
 	  buffer = sh_util_strconcat(conn->buf, conn->challenge, NULL);
-	  i =  sl_strncmp(hash, 
-			  sh_util_siggen(conn->client_entry->session_key,
-					 buffer,
-					 sl_strlen(buffer),
-					 sigbuf, sizeof(sigbuf)),
-			  KEY_LEN);
+	  i =  sl_ts_strncmp(hash, 
+			     sh_util_siggen(conn->client_entry->session_key,
+					    buffer,
+					    sl_strlen(buffer),
+					    sigbuf, sizeof(sigbuf)),
+			     KEY_LEN);
 	  TPT((0, FIL__, __LINE__, _("msg=<sign %s.>\n"),
 	       sh_util_siggen(conn->client_entry->session_key,
@@ -2088,5 +2088,5 @@
       TPT((0, FIL__, __LINE__, _("msg=<c/r: P = %s>\n"), conn->M1));
       
-      if ( 0 != sl_strncmp(conn->M1, conn->buf, KEY_LEN))
+      if ( 0 != sl_ts_strncmp(conn->M1, conn->buf, KEY_LEN))
 	{
 	  sh_error_handle((-1), FIL__, __LINE__, 0, MSG_TCP_BADCONN,
@@ -2414,5 +2414,5 @@
        */
       if (conn->buf != NULL && 
-	  sl_strncmp(conn->buf, conn->M1, KEY_LEN) == 0)
+	  sl_ts_strncmp(conn->buf, conn->M1, KEY_LEN) == 0)
 	{
 	  /*
Index: trunk/src/slib.c
===================================================================
--- trunk/src/slib.c	(revision 543)
+++ trunk/src/slib.c	(revision 544)
@@ -588,9 +588,35 @@
 /*
  * Have memset in a different translation unit (i.e. this) to prevent 
- * it to get optimized away
+ * it to get optimized away ...not safe with link-time optimisation...
  */
-void *sl_memset(void *s, int c, size_t n)
-{
-  return memset(s, c,n);
+void * sl_memset(void *s, int c, size_t n)
+{
+  /* See:
+   * https://www.usenix.org/sites/default/files/conference/protected-files/usenixsecurity17_slides_zhaomo_yang.pdf
+   */
+#if defined(HAVE_EXPLICIT_MEMSET)
+  return explicit_memset(s, c, n);
+#elif defined(HAVE_EXPLICIT_BZERO)
+  if (c == 0) {
+    explicit_bzero(s, n);
+    return s;
+  } else {
+    return memset(s, c, n);
+  }
+#elif defined(__GNUC__)
+  memset(s, c, n);
+  __asm__  __volatile__ ("" ::"r"(s): "memory"); /* compiler barrier */
+  return s;
+#else
+  if (c == 0) {
+    size_t i;
+    volatile unsigned char * t_s = (volatile unsigned char *)s;
+    for (i=0; i<n; ++i)
+      t_s[i] = 0;
+    return s;
+  } else {
+    return memset(s, c, n);
+  }
+#endif  
 }
 
@@ -1071,4 +1097,38 @@
   if (a != NULL && b != NULL)
     return (strcmp(a, b));
+  else if (a == NULL && b != NULL)
+    return (-1);
+  else if (a != NULL && b == NULL)
+    return (1);
+  else
+    return (-7); /* default to not equal */
+}
+
+/* Does not report sign. */
+int sl_ts_strncmp(const char * a, const char * b, size_t n)
+{
+#ifdef SL_FAIL_ON_ERROR
+  SL_REQUIRE (a != NULL, _("a != NULL"));
+  SL_REQUIRE (b != NULL, _("b != NULL"));
+  SL_REQUIRE (n > 0, _("n > 0"));
+#endif
+
+  if (a != NULL && b != NULL)
+    {
+      const unsigned char *a1 = (const unsigned char *)a;
+      const unsigned char *b1 = (const unsigned char *)b;
+      size_t i;
+      int  retval=0;
+      /* The simple index based access is optimized best by the
+       * compiler (tested with gcc 7.3.0). */
+      for (i = 0; i < n; ++i)
+	{
+	  if (a1[i] == '\0' || b1[i] == '\0')
+	    break;
+	  retval |= (a1[i] ^ b1[i]);
+	}
+      /* if (retval == 0) --> false (0) */ 
+      return (retval != 0);
+    }
   else if (a == NULL && b != NULL)
     return (-1);