1. Debian dev asking on the openssl mailing list if he can remove the code causing errors in Valgrind: http://marc.info/?l=openssl-dev&m=114651085826293&w=2
2. Developer with a @openssl.org email address giving him the green light: http://marc.info/?l=openssl-dev&m=114652287210110&w=2
1. The commit introducing the bug: "Don't add uninitialised data to the random number generator. This stop valgrind from giving error messages in unrelated code." http://anonscm.debian.org/viewvc/pkg-openssl/openssl/trunk/r...
2. The commit fixing the bug: "ssleay_rand_add() really needs to call MD_Update() for buf." http://anonscm.debian.org/viewvc/pkg-openssl/openssl/trunk/c...
(I'd post the diffs but viewvc is throwing exceptions for them)
By the way, does anyone know of a certified SSL stack (a la compcert)?
Edit: also, the Debian developer didn't actually identify himself as such on the mailing list, or I have a feeling people would've scrutinized what he was suggesting a lot more closely.
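To make the two commit messages above concrete, here is an added toy illustration (my own constructed code, not from the thread, from Debian's patch or from OpenSSL). It models the shape of `ssleay_rand_add()`: a pool that should hash in the caller's buffer and then the other per-call inputs. The mixer is a 64-bit FNV-1a style step standing in for `MD_Update()`, and the only other input modelled is a single process-id-like value; both are assumptions of the toy. The "broken" path drops the buffer mix, which is what the first commit did and the second restored, so the pool state stops depending on the seed data at all.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy entropy pool standing in for OpenSSL's md_rand state.
 * The mixer is a 64-bit FNV-1a style step, not the real MD_Update();
 * it only reproduces the SHAPE of the seeding path. */
typedef struct { uint64_t state; } toy_pool;

static const uint64_t TOY_INIT  = 0xcbf29ce484222325ULL;
static const uint64_t TOY_PRIME = 0x100000001b3ULL;

static void toy_mix(toy_pool *p, const void *data, size_t len)
{
    const unsigned char *b = (const unsigned char *)data;
    for (size_t i = 0; i < len; i++) {
        p->state ^= b[i];
        p->state *= TOY_PRIME;
    }
}

/* Correct shape of ssleay_rand_add(): the caller's buffer is hashed into the
 * pool, followed by the other per-call inputs (modelled here by one pid). */
static void rand_add_correct(toy_pool *p, const void *buf, size_t num, uint32_t pid)
{
    toy_mix(p, buf, num);            /* the MD_Update() call for buf that the fix restored */
    toy_mix(p, &pid, sizeof pid);
}

/* Broken shape: the buffer is accepted but never mixed, so only pid reaches the pool. */
static void rand_add_broken(toy_pool *p, const void *buf, size_t num, uint32_t pid)
{
    (void)buf; (void)num;            /* the dropped MD_Update() call */
    toy_mix(p, &pid, sizeof pid);
}

/* Seed a fresh pool and return its state, selecting the correct or broken path. */
uint64_t seed_state(int broken, const unsigned char *seed, size_t len, uint32_t pid)
{
    toy_pool p = { TOY_INIT };
    if (broken)
        rand_add_broken(&p, seed, len, pid);
    else
        rand_add_correct(&p, seed, len, pid);
    return p.state;
}

/* Seed the pool with n different 4-byte buffers (the loop counter, a constructed
 * sample input) under one fixed pid and count the distinct states produced.
 * n is capped at 256 so the dedupe table fits on the stack. */
size_t count_distinct_states(int broken, size_t n, uint32_t pid)
{
    uint64_t seen[256];
    size_t distinct = 0;
    if (n > 256) n = 256;
    for (size_t i = 0; i < n; i++) {
        unsigned char seed[4] = { (unsigned char)(i >> 24), (unsigned char)(i >> 16),
                                  (unsigned char)(i >> 8),  (unsigned char)i };
        uint64_t s = seed_state(broken, seed, sizeof seed, pid);
        size_t j;
        for (j = 0; j < distinct; j++)
            if (seen[j] == s) break;
        if (j == distinct) seen[distinct++] = s;
    }
    return distinct;
}

int main(void)
{
    printf("correct: %zu distinct states from 256 seeds\n", count_distinct_states(0, 256, 4242));
    printf("broken:  %zu distinct states from 256 seeds\n", count_distinct_states(1, 256, 4242));
    return 0;
}
```

With the buffer mixed in, 256 different seeds give 256 different pool states; with the call dropped, every seed collapses to the one state determined by the pid alone, which is the entropy loss the quoted commit messages are about. Valgrind complained because the real buffer was deliberately allowed to contain uninitialised memory as an extra entropy source; the defensive lesson is that a warning from an analysis tool about crypto code is a reason to understand the code, not to delete the line.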
"Random numbers are used everywhere in cryptography, for both short- and long-term security. And, as we've seen here, security flaws in random number generators are really easy to accidentally create and really hard to discover after the fact. Back when the NSA was routinely weakening commercial cryptography, their favorite technique was reducing the entropy of the random number generator."
Consider that the article is from 2008 and correlate it to the current revelations about NSA.
PS Just noticed this is from 2008 (whew, I was afraid it had happened again).
As a more serious note, people who are not cryptographers should refrain from touching crypto code, especially something as important as pseudo random number generators. In addition, it's not a very good idea to be doing significant modifications "downstream" from the actual project.