Hi,
The previous patch didn't fully work due to a mysterious valgrind issue
(something related to loading libssl multiple times through dl_open).
This patch is simply what Robert has suggested.
By the way, can someone explain to me why some "uninitialized" static
variables are used to create a random number? At least on some embedded
systems, static variables are initialized to 0; therefore, can the keys
be weak on these systems? I just want to avoid the security hole
Debian & Co have suffered recently.
Best Regards,
Frederic Heem
--- openssl-0.9.8h-old/crypto/rand/md_rand.c 2007-01-21 13:16:36.000000000 +0000
+++ openssl-0.9.8h/crypto/rand/md_rand.c 2008-07-18 16:34:18.000000000 +0100
@@ -332,6 +332,13 @@
#endif
int do_stir_pool = 0;
+#ifdef PURIFY
+ /* !!!! DO NOT USE PURIFY FOR PRODUCTION SYSTEM !!!!
+ this makes valgrind and friends happy. */
+ memset(state, 0, STATE_SIZE + MD_DIGEST_LENGTH);
+ memset(md, 0, MD_DIGEST_LENGTH);
+ memset(buf, 0, num);
+#endif
#ifdef PREDICT
if (rand_predictable)
{
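
Review bot: the three memset calls sit directly after the local declaration `int do_stir_pool = 0;`, so in a PURIFY build they run on every call to this function, and `memset(state, 0, STATE_SIZE + MD_DIGEST_LENGTH)` clears the whole state buffer each time instead of only silencing an uninitialized-read report. If `state` is one of the static variables the cover letter asks about, C already zero-initializes it and valgrind has nothing to flag there, so that line can be dropped; zeroing only the caller-supplied `buf` (and `md`, if it is a local) should be enough to quiet the tool. No lock is visible around the writes to `state` in this hunk, so please confirm they happen with the same protection as the other accesses to it. The comment says not to use PURIFY in production but nothing enforces it; a compile-time `#warning` inside the `#ifdef PURIFY` block, plus a sentence in the comment saying what the build gives up (all prior contents of `state` and `md` are discarded on each call), would make an accidental release build much harder to miss.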