Nicholas Maniscalco wrote:

> Can someone help me understand the motivation for why -DPURIFY isn't the
> default?  I've read through the openssl-dev@ and openssl-users@ archives
> and have found several threads involving -DPURIFY, but I've been unable
> to glean the motivation behind it being off by default.  From what I can
> tell, the primary motivation is performance.  Just looking for some
> confirmation or to be corrected.

The primary motivation for -DPURIFY being off by default is that people only
rarely use tools like Purify where it matters. Perhaps your real question is
"why does OpenSSL contain some code that must be modified or disabled when
-DPURIFY is specified?" In that case, the answer is that such code provides
some upside and no downside.

> Aside from a potential performance impact, are there other aspects I
> should consider before running a -DPURIFY build in a production system?

You should consider whether it makes any logical sense. If you don't use the
tools for which '-DPURIFY' should be defined, why are you doing it? And if
you do use such tools, then you should definitely define PURIFY -- that's
what it's for.

> I'm, of course, assuming that any gain in entropy by using memory
> without first initializing it is negligible and in no way vital to the
> security of OpenSSL routines.

I do not believe it is negligible, but it is in no way vital.

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
