From a4f94b427170bdef44a4c4ba45ff36664fab6597 Mon Sep 17 00:00:00 2001
From: Ben Noordhuis <info@bnoordhuis.nl>
Date: Wed, 4 May 2016 21:27:18 +0200
Subject: deps: update comment about PURIFY define

PURIFY makes OpenSSL zero out some buffers.  It also stops RAND_bytes()
from using the existing contents of the destination buffer as a source
of entropy, which according to some papers, is a possible attack vector
for reducing the overall entropy.

PR-URL: https://github.com/nodejs/node/pull/6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
---
 deps/openssl/openssl.gypi | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'deps')

diff --git a/deps/openssl/openssl.gypi b/deps/openssl/openssl.gypi
index 73aff917d7..3620e45c41 100644
--- a/deps/openssl/openssl.gypi
+++ b/deps/openssl/openssl.gypi
@@ -1244,10 +1244,14 @@
       'openssl/include',
     ],
     'openssl_default_defines_all': [
-      # No clue what these are for.
-      'PURIFY',
       '_REENTRANT',
 
+      # PURIFY makes OpenSSL zero out some buffers.  It also stops RAND_bytes()
+      # from using the existing contents of the destination buffer as a source
+      # of entropy, which according to some papers, is a possible attack vector
+      # for reducing the overall entropy.
+      'PURIFY',
+
       # Compression is not used and considered insecure (CRIME.)
       'OPENSSL_NO_COMP',
 
-- 
cgit v1.2.3