> It does seem a little weird: if that was the only source of randomness,
> then it's not a very good source & needs fixing!

Only if that part is really to "add uninitialised data"! Note that the comment is added by
the original Debian patch, not in the original SSL library. The "buf" argument is actually
passed by a call to the "add" function of the rand_meth_st interface, the interface defining
how to collect random data for various pluggable methods. My thinking is that it might
actually not be uninitialized data at all, but is instead the content handed over by a part of
the interface for the SSL random number pool that actually accepts random data and adds it to the
pool, i.e., most of the "real" randomness available.