I valgrind'ed OpenSSL as follows: I compiled OpenSSL (0.9.8g) with my own random number engine, in order to generate pseudo-random numbers that are not based on uninitialized values (if you run openssl without doing this you get infinite warnings - of course).
The results are as follows:

==26139== Conditional jump or move depends on uninitialised value(s)
==26139==    at 0x81095FF: BN_mod_inverse (bn_gcd.c:215)
==26139==    by 0x810D29F: BN_MONT_CTX_set (bn_mont.c:406)
==26139==    by 0x8103E8F: BN_mod_exp_mont (bn_exp.c:417)
==26139==    by 0x81036E9: BN_mod_exp (bn_exp.c:223)
==26139==    by 0x81090FD: BN_BLINDING_create_param (bn_blind.c:352)
==26139==    by 0x80C9844: RSA_setup_blinding (rsa_lib.c:413)
==26139==
==26139== Conditional jump or move depends on uninitialised value(s)
==26139==    at 0x8128F5A: BN_div (bn_div.c:190)
==26139==    by 0x810D318: BN_MONT_CTX_set (bn_mont.c:417)
==26139==    by 0x8103E8F: BN_mod_exp_mont (bn_exp.c:417)
==26139==    by 0x81036E9: BN_mod_exp (bn_exp.c:223)
==26139==    by 0x81090FD: BN_BLINDING_create_param (bn_blind.c:352)
==26139==    by 0x80C9844: RSA_setup_blinding (rsa_lib.c:413)

...above repeated several times.

The code that gives the error is the BN_get_flags() macro (see the bn_div.c extract around line 190 below).

Could this be highlighting a bug in OpenSSL?????

Kind regards
-paul

static int BN_div_no_branch(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num,
	const BIGNUM *divisor, BN_CTX *ctx);

int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
	   BN_CTX *ctx)
	{
	int norm_shift,i,loop;
	BIGNUM *tmp,wnum,*snum,*sdiv,*res;
	BN_ULONG *resp,*wnump;
	BN_ULONG d0,d1;
	int num_n,div_n;

==HERE==>	if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0) ||
		    (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0))
		{
		return BN_div_no_branch(dv, rm, num, divisor, ctx);
		}

...and so on