On 4/15/2011 12:59 PM, Eric Wong wrote:

> I'm not very knowledgeable about OpenSSL internals, but it appears
> RAND_bytes() is seeded with the pid of each process, and since pids get
> recycled, it's possible for two processes sharing a common parent to get
> the same random sequence over time if the common parent used the PRNG.

Yep. It is an error to call 'fork' and then have both processes go on to use the PRNG. This is not an error specific to OpenSSL or specific to the PRNG. It is true of most resources provided by most libraries.

> This could arguably be a bug in every program using fork() + RAND_*()
> and they could use pthread_atfork() to call RAND_cleanup(),

Correct.

> OpenSSL should deal with it internally to make life easier for
> application authors :)

The only thing OpenSSL can do is provide a handler that you can call, which it already does. There are two reasons OpenSSL can't solve this problem all by itself.

First, there's no way OpenSSL can know which process is going to use the PRNG or both. Arbitrarily clearing the PRNG in the parent or child could lead to problems in the more common case where the other process is going to go away. Some code that currently works perfectly would be broken by losing the PRNG state.

Second, there's no way OpenSSL can know when a process has been bifurcated. OpenSSL is, by deliberate design, threading-model and process-model agnostic. There is no law that says that 'fork' is the only way to bifurcate a process. The platform, or libraries in use, can have other checkpointing or save/restore functions.

However, a warning is definitely in order.

DS
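The fork hazard and the pthread_atfork() remedy the thread describes, as an added example that is not from the thread or from OpenSSL: it uses a small xorshift generator as a stand-in for a process-wide PRNG state (so no libcrypto is needed and it is not a cryptographic generator), forks two children from the same parent state, and shows that they emit the same "random" value unless a pthread_atfork() child handler reseeds from /dev/urandom first. The function names, the reseed source and the flag used to compare both behaviours are this example's own choices; with the OpenSSL of the thread's era the handler body would be the RAND_cleanup() call Eric Wong mentions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Stand-in for a process-wide PRNG state; fork() copies it into the child
 * exactly as it copies OpenSSL's global state. Not a cryptographic generator. */
static uint64_t prng_state;
static const uint64_t PRNG_SEED = 0x9E3779B97F4A7C15ULL;

static uint64_t prng_next(void)
{
    uint64_t x = prng_state;          /* one xorshift64 step */
    x ^= x << 13;
    x ^= x >> 7;
    x ^= x << 17;
    prng_state = x;
    return x;
}

/* Reseed from the OS entropy source so a child diverges from its siblings.
 * Falls back to pid and clock only if /dev/urandom is unavailable. */
static void prng_reseed(void)
{
    uint64_t fresh = 0;
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd >= 0) {
        ssize_t n = read(fd, &fresh, sizeof fresh);
        close(fd);
        if (n == (ssize_t)sizeof fresh && fresh != 0) {
            prng_state = fresh;
            return;
        }
    }
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    prng_state ^= ((uint64_t)getpid() << 32) ^ (uint64_t)ts.tv_nsec;
    if (prng_state == 0)
        prng_state = 1;               /* xorshift must never hold an all-zero state */
}

/* pthread_atfork() child handler (hypothetical stand-in for RAND_cleanup()).
 * atfork handlers cannot be unregistered, so a flag toggles the behaviour. */
static int reseed_children;

static void on_fork_child(void)
{
    if (reseed_children)
        prng_reseed();
}

static void install_atfork_once(void)
{
    static int installed;
    if (!installed) {
        pthread_atfork(NULL, NULL, on_fork_child);
        installed = 1;
    }
}

/* Fork one child, let it draw from the inherited PRNG and send the value
 * back over a pipe. Returns 0 on any failure. */
static uint64_t value_from_child(void)
{
    int fds[2];
    uint64_t v = 0;
    if (pipe(fds) != 0)
        return 0;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return 0;
    }
    if (pid == 0) {
        close(fds[0]);
        uint64_t out = prng_next();   /* child keeps using the copied PRNG */
        _exit(write(fds[1], &out, sizeof out) == (ssize_t)sizeof out ? 0 : 1);
    }
    close(fds[1]);
    if (read(fds[0], &v, sizeof v) != (ssize_t)sizeof v)
        v = 0;
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return v;
}

/* The common parent uses the PRNG, then forks two children without touching
 * it again. Returns 1 if both children produced the same value, 0 otherwise. */
int children_collide(int with_atfork)
{
    install_atfork_once();
    reseed_children = with_atfork;
    prng_state = PRNG_SEED;
    prng_next();                      /* parent consumed the PRNG before forking */
    uint64_t a = value_from_child();
    uint64_t b = value_from_child();
    return a == b;
}

int main(void)
{
    printf("without atfork handler: collide=%d\n", children_collide(0));
    printf("with atfork handler:    collide=%d\n", children_collide(1));
    return 0;
}
```

The first call reproduces the report above: both children inherit the parent's state byte for byte and return the identical value. The second call registers the reseed in the child-side atfork handler, which runs before any child code, so each child starts from fresh OS entropy rather than from the parent's sequence. Later OpenSSL releases (1.1.1 and newer) reseed their DRBG themselves when they detect a fork; the thread predates that, which is why the application-side handler was the available remedy.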

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]