Hi,

I've built OpenSSL 1.1.1c locally on my 64 bit CentOS 7 server. My application links with the libraries contained in this build. When running tests for my application under valgrind I'm seeing lots of errors like the below:

    Use of uninitialised value of size 8
       at 0x4C30DDF: memset (vg_replace_strmem.c:1252)
       by 0xB389872: CRYPTO_zalloc (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)
       by 0xB2C3BDA: bn_expand2 (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)
       by 0xB2CACFD: bn_lshift_fixed_top (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)
       by 0xB2BCC61: bn_div_fixed_top (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)
       by 0xB2BD081: BN_div (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)
       by 0xB2C054E: int_bn_mod_inverse (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)
       by 0xB2BC0B5: BN_BLINDING_create_param (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)
       by 0xB3BDAB0: RSA_setup_blinding (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)
       by 0xB3C276A: rsa_ossl_private_encrypt (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)
       by 0xB3C4FE2: pkey_rsa_sign (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)
       by 0xB37A716: EVP_DigestSignFinal (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)
       by 0xAFC4413: tls_construct_cert_verify (in /opt/openssl/1.1.1/lib/libssl.so.1.1)
       by 0xAFBB526: state_machine (in /opt/openssl/1.1.1/lib/libssl.so.1.1)
       by 0xAFA6937: SSL_do_handshake (in /opt/openssl/1.1.1/lib/libssl.so.1.1)
       by 0xAD64C2C: sncr_tls_negotiation_ex (tls_openssl.c:1766)
       by 0xAD64D84: sncr_tls_negotiation (tls_openssl.c:1846)
       by 0x5A890E: run_smtp_server (receiver.c:1367)
       by 0x5A55A2: smtp_recv_thread (receiver.c:326)
       by 0x73158F: generic_worker_thread (threads.c:301)
       by 0x546BDD4: start_thread (in /usr/lib64/libpthread-2.17.so)
       by 0x61A502C: clone (in /usr/lib64/libc-2.17.so)
     Uninitialised value was created by a stack allocation
       at 0xB3B5000: rand_drbg_get_nonce (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)

    Conditional jump or move depends on uninitialised value(s)
       at 0x4C30DE5: memset (vg_replace_strmem.c:1252)
       by 0xB389872: CRYPTO_zalloc (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)
       by 0xB2C3BDA: bn_expand2 (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)
       by 0xB2CACFD: bn_lshift_fixed_top (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)
       by 0xB2BCC61: bn_div_fixed_top (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)
       by 0xB2BD081: BN_div (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)
       by 0xB2C054E: int_bn_mod_inverse (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)
       by 0xB2BC0B5: BN_BLINDING_create_param (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)
       by 0xB3BDAB0: RSA_setup_blinding (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)
       by 0xB3C276A: rsa_ossl_private_encrypt (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)
       by 0xB3C4FE2: pkey_rsa_sign (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)
       by 0xB37A716: EVP_DigestSignFinal (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)
       by 0xAFC4413: tls_construct_cert_verify (in /opt/openssl/1.1.1/lib/libssl.so.1.1)
       by 0xAFBB526: state_machine (in /opt/openssl/1.1.1/lib/libssl.so.1.1)
       by 0xAFA6937: SSL_do_handshake (in /opt/openssl/1.1.1/lib/libssl.so.1.1)
       by 0xAD64C2C: sncr_tls_negotiation_ex (tls_openssl.c:1766)
       by 0xAD64D84: sncr_tls_negotiation (tls_openssl.c:1846)
       by 0x5A890E: run_smtp_server (receiver.c:1367)
       by 0x5A55A2: smtp_recv_thread (receiver.c:326)
       by 0x73158F: generic_worker_thread (threads.c:301)
       by 0x546BDD4: start_thread (in /usr/lib64/libpthread-2.17.so)
       by 0x61A502C: clone (in /usr/lib64/libc-2.17.so)
     Uninitialised value was created by a stack allocation
       at 0xB3B5000: rand_drbg_get_nonce (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)

    Conditional jump or move depends on uninitialised value(s)
       at 0xB2C4070: bn_correct_top (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)
       by 0xB2C5397: BN_mod_mul_montgomery (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)
       by 0xB3C2704: rsa_ossl_private_encrypt (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)
       by 0xB3C4FE2: pkey_rsa_sign (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)
       by 0xB37A716: EVP_DigestSignFinal (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)
       by 0xAFC4413: tls_construct_cert_verify (in /opt/openssl/1.1.1/lib/libssl.so.1.1)
       by 0xAFBB526: state_machine (in /opt/openssl/1.1.1/lib/libssl.so.1.1)
       by 0xAFA6937: SSL_do_handshake (in /opt/openssl/1.1.1/lib/libssl.so.1.1)
       by 0xAD64C2C: sncr_tls_negotiation_ex (tls_openssl.c:1766)
       by 0xAD64D84: sncr_tls_negotiation (tls_openssl.c:1846)
       by 0x5A890E: run_smtp_server (receiver.c:1367)
       by 0x5A55A2: smtp_recv_thread (receiver.c:326)
       by 0x73158F: generic_worker_thread (threads.c:301)
       by 0x546BDD4: start_thread (in /usr/lib64/libpthread-2.17.so)
       by 0x61A502C: clone (in /usr/lib64/libc-2.17.so)
     Uninitialised value was created by a stack allocation
       at 0xB3E2363: sha256_block_data_order_avx2 (in /opt/openssl/1.1.1/lib/libcrypto.so.1.1)

There are many, many of these errors with varying backtraces shown. But the common function seems to be either sha256_block_data_order_avx2 or rand_drbg_get_nonce.

I've read somewhere that compiling OpenSSL with -DPURIFY would help remove these errors. However, looking at the CHANGES document which comes with the source I see the below change in 1.1.0:

    *) Always DPURIFY. Remove the use of uninitialized memory in the RNG, and
       other conditional uses of DPURIFY. This makes -DPURIFY a no-op.
       [Emilia Käsper]

So does this mean that -DPURIFY is enabled by default? If so, why am I seeing these valgrind errors? I've shown the output of my openssl version -a below.

I could put in suppressions for these valgrind errors but there are so many and affect so many areas that it would almost make my valgrind tests useless.

Looking forward to any help,
Tim

    OpenSSL 1.1.1c  28 May 2019
    platform: linux-x86_64
    options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
    compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG
    OPENSSLDIR: "/opt/openssl/1.1.1"
    ENGINESDIR: "/opt/openssl/1.1.1/lib/engines-1.1"
    Seeding source: os-specific