Hi Kyotaro,
> > And it seems to me that this is caused by the routines of OpenSSL.
> > When building without --with-openssl, using the fallback
> > implementations of SHA256 and RAND_bytes I see no warnings generated
> > by scram_build_verifier... I think it makes most sense to discard that
> > from the list of open items.
>
> FWIW a document of the function says that,
>
> https://www.openssl.org/docs/man1.0.1/crypto/RAND_bytes.html
>
> > The contents of buf is mixed into the entropy pool before
> > retrieving the new pseudo-random bytes unless disabled at compile
> > time (see FAQ).
>
> This isn't saying that RAND_bytes does the same thing but
> something similar can be happening there.

OK, turned out that warnings regarding uninitialized values disappear
after removing --with-openssl. That's a good thing.

What about all these memory leak reports [1]? If I see them, should I just
ignore them or, if the reports look like false positives, suggest a patch that
modifies a Valgrind suppression file? In other words, what is the current
consensus in the community regarding Valgrind and its reports?

[1] http://afiskon.ru/s/47/871f1e21ef_valgrind.txt.gz

--
Best regards,
Aleksander Alekseev