Message195521
openssl_prng_atfork3.patch: Why not using seconds (only micro or
nanoseconds) in the seed? Add a few more bits should not reduce the
entropy. OpenSSL does hash all these bytes anyway.
+#if 1
+ fprintf(stderr, "PySSL_RAND_atfork_child() seeds %i bytes in %i\n",
+ (int)sizeof(seed), seed.pid);
+#endif
This should be removed from the final patch ;-)
The patch is specific to pthread. Do we need something similar on
Windows. Windows has no fork, but I don't know if OpenSSL CPRNG state
can be inherited somehow? Does Python support other platforms (other
than pthread or Windows)?
Instead of using pthread_atfork(), we can add an hook in the Python
binding of OpenSSL checking the pid. I don't know which functions
should be modified. ssl.RAND_bytes() is probably not enough :-) |
|
Date |
User |
Action |
Args |
2013-08-17 21:54:28 | vstinner | set | recipients:
+ vstinner, pitrou, christian.heimes, neologix, sbt |
2013-08-17 21:54:28 | vstinner | link | issue18747 messages |
2013-08-17 21:54:28 | vstinner | create | |
|