From http://www.openssl.org/support/faq.html#PROG14 : "When OpenSSL's PRNG routines are called to generate random numbers the supplied buffer contents are mixed into the entropy pool: so it technically does not matter whether the buffer is initialized at this point or not. Valgrind (and other test tools) will complain about this. When using Valgrind, make sure the OpenSSL library has been compiled with the PURIFY macro defined (-DPURIFY) to get rid of these warnings."

Basically it is impossible to check a program that is linked with OpenSSL using valgrind, because of the countless warnings. Filtering those requires big suppression lists or excluding the whole libcrypto.so. That is bad in my opinion, since programs can expose bugs in the underlying linked library due to misuse or other reasons. (It helped me find a bug in libcurl a few months ago: https://github.com/falconindy/pkgfile/issues/12#issuecomment-23513794)

So, I suggest adding a USE flag (disabled by default) that enables -DPURIFY in the configure step.

Please note that this is not the same as the Debian OpenSSL fiasco back in 2008 (http://research.swtch.com/openssl). We don't change anything in the source code, just a flag that upstream provides. The only downside I see (without much research) is slightly less entropy for the rand() functions in OpenSSL.

Reproducible: Always
If you don't want to add a whole USE flag for that, maybe make the ebuild use EXTRA_ECONF, so we can add it on package.env :)
This is not something we want to support or let people accidentally enable. You can already do this by adding -DPURIFY to your CPPFLAGS in the per-package env file. That's all the purify configure option does.
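The per-package env setup the maintainer describes, as an added example that is not part of this bug report or of Gentoo's own tooling. It writes a hypothetical env file (the name openssl-purify.conf is an assumption; any name under /etc/portage/env/ works) that appends -DPURIFY to CPPFLAGS, maps dev-libs/openssl to it in package.env, and offers a check that both pieces are in place. The config root defaults to /etc/portage; pass another directory to try it without touching the live system, and re-emerge dev-libs/openssl afterwards for the flag to take effect.

```shell
#!/bin/sh
# Added example (not from the bug report or from Gentoo): give dev-libs/openssl
# a per-package environment that defines PURIFY, as comment 3 suggests.
# Usage: write_openssl_purify_env [CONFIGROOT]   (CONFIGROOT defaults to /etc/portage)
set -eu

write_openssl_purify_env() {
    root="${1:-/etc/portage}"
    mkdir -p "$root/env"
    # Hypothetical file name; Portage only cares that package.env refers to it.
    cat > "$root/env/openssl-purify.conf" <<'EOF'
# With PURIFY defined, OpenSSL's PRNG no longer mixes the caller's (possibly
# uninitialized) output buffer into its pool, which is what makes valgrind
# flag every RAND_bytes() user. Applies only to this package.
CPPFLAGS="${CPPFLAGS} -DPURIFY"
EOF
    # Map the package atom to that env file; append only if not already present,
    # so running this twice does not duplicate the entry.
    touch "$root/package.env"
    grep -q '^dev-libs/openssl openssl-purify.conf$' "$root/package.env" ||
        printf '%s\n' 'dev-libs/openssl openssl-purify.conf' >> "$root/package.env"
}

# Returns 0 when the env file carries -DPURIFY and package.env points at it.
check_openssl_purify_env() {
    root="${1:-/etc/portage}"
    grep -q -- '-DPURIFY' "$root/env/openssl-purify.conf" &&
        grep -q '^dev-libs/openssl openssl-purify.conf$' "$root/package.env"
}
```

After the two files are in place, `emerge -1 dev-libs/openssl` rebuilds libcrypto with the macro defined; nothing else on the system sees the changed CPPFLAGS.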