Debian &c suffered from simply removing all calls to seed the random number generator with enough entropy to make it secure.
When it comes to entropy, every little bit helps. The calls to add uninitialized static variable locations are never relied upon to seed the PRNG with enough entropy, but they are used to "stir the pot" just a little bit more.

This is probably one of the most-frequently asked questions. http://openssl.org/support/faq.html#PROG14 (I think the 'answer' for that needs to be changed to include some of the prior discussion on the topic...)

This is probably also one of the most-frequently answered questions. Look in the openssl-users and openssl-dev archives for the past year and you'll see people with much more knowledge of entropy than me discussing this topic, at length.

-Kyle H

On Fri, Jul 18, 2008 at 9:47 AM, Frederic Heem <[EMAIL PROTECTED]> wrote:
> Hi,
> The previous patch didn't fully work due to a mysterious valgrind issue
> (something related to loading libssl multiple times through dl_open). This
> patch is simply what Robert has suggested.
> By the way, can someone explain to me why some "uninitialized" static variables
> are used to create a random number? At least, on some embedded systems, static
> variables are initialized to 0, therefore, can the keys be weak on these
> systems? I just want to avoid the security hole Debian & Co have suffered
> recently.
> Best Regards,
> Frederic Heem

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
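The seeding contract Kyle describes, as an added C example that is not OpenSSL's code: a toy pool where, like the entropy argument of RAND_add, a stir can be credited with zero entropy, so an all-zero "uninitialized static" buffer (Frederic's embedded case) neither lowers the estimate nor blocks output, while a pool whose real seeding call was removed stays under-seeded and refuses to hand out bytes. The pool layout, the threshold, the FNV-style mixer and the seed bytes are all constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Toy model of the seeding contract (added example, not OpenSSL code): a stir
 * always mixes bytes into the pool but only the credited 'entropy' counts toward
 * the seeding estimate, and output is refused while the estimate is too low. */
#define SEED_THRESHOLD 32.0   /* bytes of credited entropy required (constructed) */
typedef struct { uint64_t state[4]; double entropy; } toy_pool;

/* FNV-1a style step: a toy mixer for illustration, not a cryptographic hash. */
static uint64_t mix64(uint64_t h, unsigned char b) { return (h ^ b) * 0x100000001b3ULL; }

static void pool_init(toy_pool *p) {
    memset(p, 0, sizeof *p);
    for (int i = 0; i < 4; i++) p->state[i] = 0xcbf29ce484222325ULL + (uint64_t)i;
}
/* Analogue of RAND_add(buf, num, entropy): stir unconditionally, credit only 'entropy'. */
static void pool_add(toy_pool *p, const unsigned char *buf, size_t num, double entropy) {
    for (size_t i = 0; i < num; i++) p->state[i % 4] = mix64(p->state[i % 4], buf[i]);
    p->entropy += entropy;
}
/* Analogue of RAND_bytes: returns 1 and fills 'out', or 0 ("PRNG not seeded"). */
static int pool_bytes(toy_pool *p, unsigned char *out, size_t num) {
    if (p->entropy < SEED_THRESHOLD) return 0;
    for (size_t i = 0; i < num; i++) {
        p->state[i % 4] = mix64(p->state[i % 4], (unsigned char)i);
        out[i] = (unsigned char)(p->state[i % 4] >> 56);
    }
    return 1;
}

/* Case 1: a real seed, then an all-zero "uninitialized static" buffer credited 0.0.
 * Returns 1 if the zero stir neither changed the estimate nor blocked output. */
int demo_zero_stir_is_harmless(void) {
    unsigned char os_seed[32], zeros[64] = {0}, out[16];
    for (int i = 0; i < 32; i++) os_seed[i] = (unsigned char)(i * 37 + 11); /* constructed stand-in for OS randomness */
    toy_pool p; pool_init(&p);
    pool_add(&p, os_seed, sizeof os_seed, 32.0);   /* the call that actually seeds */
    double before = p.entropy;
    pool_add(&p, zeros, sizeof zeros, 0.0);         /* stirs the pot, credits nothing */
    return p.entropy == before && pool_bytes(&p, out, sizeof out) == 1;
}

/* Case 2: the credited seeding call is gone and only the zero-credit stir remains,
 * so the estimate stays at 0 and the pool refuses to hand out bytes. */
int demo_missing_seed_is_refused(void) {
    unsigned char zeros[64] = {0}, out[16];
    toy_pool p; pool_init(&p);
    pool_add(&p, zeros, sizeof zeros, 0.0);
    return pool_bytes(&p, out, sizeof out) == 0;
}
```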