Message195247
A couple of reports and check-in messages like
Postgres / pgcrypto CVE-2013-1900
http://bugs.ruby-lang.org/issues/4579
http://www.exim.org/lurker/message/20130402.171710.92f14a60.fi.html
suggest that OpenSSL's PRNG should be reset or re-seeded after fork(). Otherwise child processes can generate the same or similar pseudo-random values.
Python doesn't have an API to run code before and after fork yet. The patch uses pthread_atfork() for the task. It's available on all pthread platforms -- which are all officially supported platforms that have fork(), too.
The patch doesn't use RAND_cleanup() like Postgres because the child process would have to initialize the PRNG again by opening and reading from /dev/urandom. The atfork prepare hook pulls random bytes from the PRNG and stores them in a static buffer. The child handler seeds the PRNG from that buffer + pid + current time. PID and current time are mixed into the state to extenuate race conditions.

| Date | User | Action | Args |
| --- | --- | --- | --- |
| 2013-08-15 12:35:01 | christian.heimes | set | recipients: + christian.heimes, vstinner |
| 2013-08-15 12:35:01 | christian.heimes | set | messageid: <1376570101.71.0.249202475923.issue18747@psf.upfronthosting.co.za> |
| 2013-08-15 12:35:01 | christian.heimes | link | issue18747 messages |
| 2013-08-15 12:35:01 | christian.heimes | create | |
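
The hook scheme described in this message, as an added example that is not the patch attached to the issue: a toy splitmix64 generator with a constructed seed stands in for OpenSSL's PRNG so the block builds without OpenSSL, and `install_fork_hooks`, `fork_outputs_collide` and the other names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Toy PRNG (splitmix64) standing in for OpenSSL's; the seed is constructed. */
static uint64_t state = 0x0123456789ABCDEFULL;
static uint64_t stash;               /* static buffer filled before fork() */
static uint64_t prng_next(void) {
    uint64_t z = (state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}
static void prng_mix(uint64_t v) { state ^= v; (void)prng_next(); }

static void atfork_prepare(void) { stash = prng_next(); } /* parent, before fork */
static void atfork_child(void) {                          /* child, after fork */
    prng_mix(stash);                 /* bytes pulled in the prepare hook */
    prng_mix((uint64_t)getpid());    /* differs between sibling children */
    prng_mix((uint64_t)time(NULL));  /* differs across PID reuse */
}
int install_fork_hooks(void) {
    return pthread_atfork(atfork_prepare, NULL, atfork_child);
}

/* Fork once: 1 if parent and child draw the same value, 0 if not, -1 on error. */
int fork_outputs_collide(void) {
    int fd[2];
    uint64_t child_val = 0, parent_val;
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {                  /* child: report its next PRNG output */
        uint64_t v = prng_next();
        _exit(write(fd[1], &v, sizeof v) == (ssize_t)sizeof v ? 0 : 1);
    }
    close(fd[1]);
    parent_val = prng_next();
    ssize_t n = read(fd[0], &child_val, sizeof child_val);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof child_val ? parent_val == child_val : -1;
}
int main(void) {
    int before = fork_outputs_collide();
    install_fork_hooks();
    printf("collide before hooks=%d, after=%d\n", before, fork_outputs_collide());
    return 0;
}
```

Without the hooks the child inherits a byte-for-byte copy of the generator state, so both processes emit the same next value; with them, the child's state diverges before it produces any output.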