Hi All, Forgive me for my ignorance here. I'm surveying methods to fix the problems with OpenSSL's PRNG after a fork.
It looks like Exim calls RAND_cleanup after a fork:

  https://lists.exim.org/lurker/message/20130402.171710.92f14a60.el.html
  http://git.exim.org/exim.git/blob/de6135a0cbbeb4fbae7233a40563a241de1c237b:/src/src/tls-openssl.c

It also looks like OpenSSL's RAND_cleanup clears the state *and* replaces the random method with NULL. From rand_lib.c:

    void RAND_cleanup(void)
    {
        const RAND_METHOD *meth = RAND_get_rand_method();
        if (meth && meth->cleanup)
            meth->cleanup();
        RAND_set_rand_method(NULL);
    }

That means the call to RAND_seed that follows should fail:

    void RAND_seed(const void *buf, int num)
    {
        const RAND_METHOD *meth = RAND_get_rand_method();
        if (meth && meth->seed)
            meth->seed(buf, num);
    }

And I believe subsequent calls to RAND_bytes or RAND_pseudo_bytes will also fail:

    int RAND_bytes(unsigned char *buf, int num)
    {
        const RAND_METHOD *meth = RAND_get_rand_method();
        if (meth && meth->bytes)
            return meth->bytes(buf, num);
        return (-1);
    }

    int RAND_pseudo_bytes(unsigned char *buf, int num)
    {
        const RAND_METHOD *meth = RAND_get_rand_method();
        if (meth && meth->pseudorand)
            return meth->pseudorand(buf, num);
        return (-1);
    }

Somewhat interesting in a morbid sort of way, it looks like the call to RAND_status is useful because it returns 0:

    int RAND_status(void)
    {
        const RAND_METHOD *meth = RAND_get_rand_method();
        if (meth && meth->status)
            return meth->status();
        return 0;
    }

Sorry to bring this up. I'm probably missing something obvious. Thanks in advance.

Jeffrey Walton

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
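As an added example (not Exim or OpenSSL code): a small C model of the method-pointer dispatch quoted in the post, with a hypothetical mock method standing in for the real RAND_METHOD. It reproduces the behaviour the post describes once the method pointer is NULL, and shows a wrapper that checks the status call and the return value of the bytes call so a caller cannot silently carry on with a buffer that was never filled.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for OpenSSL's RAND_METHOD function table. */
typedef struct {
    void (*seed)(const void *buf, int num);
    int  (*bytes)(unsigned char *buf, int num);
    int  (*status)(void);
    void (*cleanup)(void);
} model_method;

static int model_seeded = 0;   /* state of the mock generator (constructed) */

static void mock_seed(const void *buf, int num) { (void)buf; if (num > 0) model_seeded = 1; }
static int  mock_bytes(unsigned char *buf, int num) {
    for (int i = 0; i < num; i++) buf[i] = (unsigned char)(0xA5 ^ i); /* mock filler, not random */
    return model_seeded ? 1 : 0;
}
static int  mock_status(void)  { return model_seeded; }
static void mock_cleanup(void) { model_seeded = 0; }

static const model_method  mock    = { mock_seed, mock_bytes, mock_status, mock_cleanup };
static const model_method *current = &mock;   /* what RAND_get_rand_method() would return */

/* Mirror of the quoted RAND_cleanup: clear the state, then NULL the method. */
void model_cleanup(void) { if (current && current->cleanup) current->cleanup(); current = NULL; }
/* Mirrors of the quoted RAND_seed / RAND_bytes / RAND_status dispatch. */
void model_seed(const void *buf, int num) { if (current && current->seed) current->seed(buf, num); }
int  model_bytes(unsigned char *buf, int num) { return (current && current->bytes) ? current->bytes(buf, num) : -1; }
int  model_status(void) { return (current && current->status) ? current->status() : 0; }

/* Defensive wrapper: only report success when the generator says it is ready AND the
   bytes call succeeded. With a NULL method, bytes returns -1 and leaves the buffer untouched. */
int checked_random_bytes(unsigned char *out, int num) {
    if (model_status() != 1) return 0;
    if (model_bytes(out, num) != 1) return 0;
    return 1;
}

int main(void) {
    unsigned char buf[16];
    model_seed("constructed entropy", 19);
    printf("before cleanup: checked=%d\n", checked_random_bytes(buf, sizeof buf));
    model_cleanup();
    model_seed("constructed entropy", 19);   /* dropped on the floor: method is NULL */
    printf("after cleanup: status=%d bytes=%d checked=%d\n", model_status(),
           model_bytes(buf, sizeof buf), checked_random_bytes(buf, sizeof buf));
    return 0;
}
```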
