The problems occur on Red Hat 5.1 server x86_64. For what it's worth,
I don't get errors on (updated :) Ubuntu 7.10.
I do get errors even with Bodo's addition to randfile.c. I'd be happy
to post the valgrind output if that would be helpful.
If this is environment/OS-specific, then it's
On Mon, May 19, 2008 at 10:48 PM, dean gaudet [EMAIL PROTECTED] wrote:
On Thu, 15 May 2008, Bodo Moeller wrote:
On Thu, May 15, 2008 at 11:41 PM, Erik de Castro Lopo
[EMAIL PROTECTED] wrote:
Goetz Babin-Ebell wrote:
But here the use of this uninitialized data is intentional
and the
In the wake of the issues with Debian, is it possible to modify the
source so that it is possible to use valgrind with openssl without
reducing the key space?
Are we really relying on uninitialized memory for randomness?
-JP
__
It is already possible to use openssl and valgrind - just build OpenSSL
with -DPURIFY, and it is quite clean.
(we do it all the time here with WvStreams and Pathfinder, and it works like a
charm).
The problem is that this may reduce the keyspace so that keys are guessable.
All of this is independent of proper entropy seeding to the PRNG, which is
what the debian patch crushed and which in turn led to the high seismic
reading in the blogosphere. But it may help explain why I do *not* want us to
unilaterally remove the use of uninitialised data in the PRNG. That
It is already possible to use openssl and valgrind - just build OpenSSL
with -DPURIFY, and it is quite clean.
Actually on my system, just -DPURIFY doesn't satisfy valgrind. What
I'm asking for is something that both satisfies valgrind and doesn't
reduce the keyspace.
(we do it all the
On Thu, May 15, 2008 at 12:29 PM, Geoff Thorpe [EMAIL PROTECTED] wrote:
I forgot to mention something;
On Thursday 15 May 2008 12:38:24 John Parker wrote:
It is already possible to use openssl and valgrind - just build
OpenSSL with -DPURIFY, and it is quite clean.
Actually on my
On Thu, May 15, 2008 at 4:41 PM, Erik de Castro Lopo
[EMAIL PROTECTED] wrote:
Goetz Babin-Ebell wrote:
But here the use of this uninitialized data is intentional
and the programmer are very well aware of what they did.
The use of unititialized data in this case is stupid because the
entropy