From 62690aa0beaf181fb4ab9d650b6f056b5367dfcd Mon Sep 17 00:00:00 2001
From: Ben Noordhuis
Date: Wed, 4 May 2016 21:27:18 +0200
Subject: [PATCH] deps: update comment about PURIFY define

PURIFY makes OpenSSL zero out some buffers. It also stops RAND_bytes() from using the existing contents of the destination buffer as a source of entropy, which according to some papers, is a possible attack vector for reducing the overall entropy.

PR-URL: https://github.com/nodejs/node/pull/6582
Reviewed-By: Anna Henningsen
Reviewed-By: Fedor Indutny
Reviewed-By: James M Snell
---
 deps/openssl/openssl.gypi | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/deps/openssl/openssl.gypi b/deps/openssl/openssl.gypi
index 73aff917d792f6..3620e45c410746 100644
--- a/deps/openssl/openssl.gypi
+++ b/deps/openssl/openssl.gypi
@@ -1244,10 +1244,14 @@
 'openssl/include',
 ],
 'openssl_default_defines_all': [
- # No clue what these are for.
- 'PURIFY',
 '_REENTRANT',
+ # PURIFY makes OpenSSL zero out some buffers. It also stops RAND_bytes()
+ # from using the existing contents of the destination buffer as a source
+ # of entropy, which according to some papers, is a possible attack vector
+ # for reducing the overall entropy.
+ 'PURIFY',
+
 # Compression is not used and considered insecure (CRIME.)
 'OPENSSL_NO_COMP',
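Review bot: The new comment above `'PURIFY'` in `openssl_default_defines_all` attributes the entropy concern to "some papers" without naming one, so a later maintainer cannot verify the claim about RAND_bytes() and the destination buffer. A pointer in the comment would fix that, for example `# Background: https://github.com/nodejs/node/pull/6582`, assuming the PR discussion carries the references. Because the comment describes the define as changing what RAND_bytes() mixes in, not just as a memory-checker aid, it would also help to say outright that it must stay, e.g. `# Do not remove: this changes what RAND_bytes() uses as entropy input.` The defines list continues beyond the end of the hunk.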