|
From: Erik de C. L. <eri...@me...> - 2008-05-14 08:13:33
|
Christoph Bartoschek wrote: > The OpenSSL authors do the right thing: I disagree. Openssl is a prime example of a library which was poorly designed, a long time ago and has been badly maintained since. Its a pity that this is the most widely used SSL library available under a free license. > 1. They do not depend on the memory randomness. True. > It is just an additional > source to many other real random sources. Randomness of such poor quality that it may as well all be zero bytes. > 2. Uninitialized memory does not help for randomness but it also does not > hurt. True. > 3. OpenSSL offers a compilation macro (PURIFY) to disable usage of > uninitialized memory. This *only* works if you compile openssl yourself, from source. If I link my program against the openssl that comes with my Linux distribution and run it under valgrind I get errors from openssl. Erik -- ----------------------------------------------------------------- Erik de Castro Lopo ----------------------------------------------------------------- "He who writes the code gets to choose his license, and nobody else gets to complain" -- Linus Torvalds |