Hi Kyotaro,

> > And it seems to me that this is caused by the routines of OpenSSL.
> > When building without --with-openssl, using the fallback
> > implementations of SHA256 and RAND_bytes I see no warnings generated
> > by scram_build_verifier... I think it makes most sense to discard that
> > from the list of open items.
>
> FWIW a document of the function says that,
>
> https://www.openssl.org/docs/man1.0.1/crypto/RAND_bytes.html
>
> > The contents of buf is mixed into the entropy pool before
> > retrieving the new pseudo-random bytes unless disabled at compile
> > time (see FAQ).
>
> This isn't saying that RAND_bytes does the same thing but
> something similar can be happening there.

OK, turned out that warnings regarding uninitialized values disappear
after removing --with-openssl. That's a good thing.

What about all these memory leak reports [1]? If I see them should I just
ignore them or, if the reports look like false positives, suggest a patch
that modifies a Valgrind suppression file? In other words, what is the
current consensus in the community regarding Valgrind and its reports?

[1] http://afiskon.ru/s/47/871f1e21ef_valgrind.txt.gz

--
Best regards,
Aleksander Alekseev