Is using OpenSSL built with the PURIFY flag considered "secure"?
I ask because I came across this comment, in md_rand.c:
#ifndef PURIFY /* purify complains */
/* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */
if (!MD_Update(&m,buf,j))
goto err;
/* We know that line may cause programs such as
purify and valgrind to complain about use of
uninitialized data. */
#endif
Building with PURIFY essentially removes the call to MD_Update and the
strong wording of the comment makes me think that this call is vital to
correctness. I'm looking for confirmation that using an OpenSSL built with
PURIFY is considered secure. That has been my understanding up until I
saw this comment. Now I'm not so sure.
For reference, the comment was introduced in this change,
http://cvs.openssl.org/chngview?cn=17761
Is this something worth adding to the FAQ?
Thanks.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
