> The patch is only half undone. Oversight?
Unlikely. The original intent is quite defensible: if some data is not initialized, you don't
know whether it is coming from some attacker, so you shouldn't use it as part of the random
number to generate your key. I expect that is the part that is left alone, in the function
ssleay_rand_bytes. The "#ifndef PURIFY" macro probably is there because some tools detects
that it is using uninitialized data, and would die or produce other ugly result if the code is
allowed to run.
But the patch change another function ssleay_rand_add as well. I'm wondering whether the buf
being passed in is actually the data that it want to add to the random pool. If so, the
original removal of line 274 probably drops nearly all randomness that the random number
generator can ever obtain.