On Thu, May 15, 2008 at 11:09:46AM -0500, John Parker wrote:
> > change -DPURIFY to -DNO_UNINIT_DATA or something else which has a clearer
> > intention, so that debug packages (or even base packages that want to be
> > valgrind-friendly) have a straightforward mechanism to apply. Well, a
> > straightforward mechanism that doesn't kill the PRNG outright, I mean
> > (otherwise there is already a highly-publicised patch we could apply...)
>
> What I was hoping for was a -DNO_UNINIT_DATA that wouldn't be the
> default, but wouldn't reduce the keyspace either.
-DPURIFY *does* do what you want. It doesn't reduce the keyspace. The
problem was that what Debian did went far beyond -DPURIFY. The Debian
developer in question disabled one call that used uninitialized memory,
but then later on, removed another similar call that looked the same,
but in fact *was* using initialized data --- said initialized data being
real randomness critically necessary for security.

- Ted

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
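The distinction Ted draws (removing the call that mixes in uninitialized memory is harmless; removing the call that mixes in real seed material collapses the keyspace) can be shown with a toy entropy pool. This is an added illustration, not OpenSSL's md_rand code: the pool is a 64-bit FNV-1a state, `pool_add` stands in for `RAND_add`, and the three `build` variants are assumed labels for "untouched", "-DPURIFY" and "what Debian shipped".

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy pool: one 64-bit word mixed with FNV-1a (assumed model, not OpenSSL's). */
typedef struct { uint64_t state; } pool_t;

static void pool_init(pool_t *p) { p->state = 0xcbf29ce484222325ULL; }

/* Stand-in for RAND_add(): fold `len` bytes into the pool state. */
static void pool_add(pool_t *p, const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) {
        p->state ^= buf[i];
        p->state *= 0x100000001b3ULL;   /* odd multiplier: injective mod 2^64 */
    }
}

enum build { FULL, PURIFY, DEBIAN };

/* The two seeding sites from Ted's description. Site 1 mixes a caller buffer
   whose contents are uninitialized; it is modelled as all zeros because such
   bytes carry no guaranteed entropy anyway. Site 2 mixes genuine seed bytes. */
static uint64_t seed_and_generate(enum build b, const unsigned char *seed, size_t seedlen) {
    pool_t p;
    unsigned char uninit[8] = {0};          /* constructed stand-in for junk bytes */
    pool_init(&p);
    if (b == FULL)   pool_add(&p, uninit, sizeof uninit); /* removed by -DPURIFY */
    if (b != DEBIAN) pool_add(&p, seed, seedlen);         /* also removed by Debian */
    return p.state;
}

/* Returns 1 if two different seeds yield the same output, i.e. the seed no
   longer influences the generator and the keyspace has collapsed. */
int keyspace_collapses(enum build b) {
    static const unsigned char a[] = "seed-A";   /* constructed sample seeds */
    static const unsigned char c[] = "seed-B";
    return seed_and_generate(b, a, sizeof a - 1) == seed_and_generate(b, c, sizeof c - 1);
}

int main(void) {
    printf("untouched: collapsed=%d\n", keyspace_collapses(FULL));    /* 0 */
    printf("-DPURIFY : collapsed=%d\n", keyspace_collapses(PURIFY));  /* 0 */
    printf("Debian   : collapsed=%d\n", keyspace_collapses(DEBIAN));  /* 1 */
    return 0;
}
```

Only the DEBIAN variant reports a collapse: dropping the uninitialized-buffer call changes nothing observable, while dropping the seed call makes every run produce the same state regardless of seed.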