[issue18747] Re-seed OpenSSL's PRNG after fork
STINNER Victor
report at bugs.python.org
Sat Aug 17 23:54:28 CEST 2013
STINNER Victor added the comment:
openssl_prng_atfork3.patch: Why not use seconds (only micro or
nanoseconds) in the seed? Adding a few more bits should not reduce the
entropy. OpenSSL does hash all these bytes anyway.
+#if 1
+ fprintf(stderr, "PySSL_RAND_atfork_child() seeds %i bytes in %i\n",
+ (int)sizeof(seed), seed.pid);
+#endif
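Review bot: seed.pid is passed to %i without a cast on the second fprintf line, while sizeof(seed) on the same line is cast to int; if the field is a pid_t, cast it as well, e.g. (int)seed.pid. The "#if 1" guard also leaves this stderr write always compiled in, so if any tracing is kept it should sit behind a debug macro that is off by default.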
This should be removed from the final patch ;-)
The patch is specific to pthread. Do we need something similar on
Windows? Windows has no fork, but I don't know if OpenSSL CPRNG state
can be inherited somehow? Does Python support other platforms (other
than pthread or Windows)?
Instead of using pthread_atfork(), we can add a hook in the Python
binding of OpenSSL checking the pid. I don't know which functions
should be modified. ssl.RAND_bytes() is probably not enough :-)
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue18747>
_______________________________________
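An added illustration of the pid-check alternative raised in the message above (not code from the patch or from CPython): a toy xorshift generator stands in for OpenSSL's PRNG state, and the hypothetical checked_next() hook compares a cached pid with getpid() before each draw. All names here are assumptions made for the example.

```c
#include <stdint.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>

/* Toy stand-in for a userspace PRNG state; NOT cryptographic. */
static uint64_t prng_state = 0x9E3779B97F4A7C15ULL;
static pid_t seeded_pid;            /* pid that last seeded the state */

static uint64_t prng_next(void) {   /* one xorshift64 step */
    prng_state ^= prng_state << 13;
    prng_state ^= prng_state >> 7;
    prng_state ^= prng_state << 17;
    return prng_state;
}

/* Hypothetical hook: before each draw, compare the cached pid with getpid()
 * and mix pid, seconds and microseconds into the state when they differ. */
static uint64_t checked_next(int pid_check) {
    pid_t now = getpid();
    if (pid_check && now != seeded_pid) {
        struct timeval tv;
        gettimeofday(&tv, NULL);
        prng_state ^= ((uint64_t)now << 32) ^ (uint64_t)tv.tv_sec
                      ^ ((uint64_t)tv.tv_usec << 12);
        seeded_pid = now;
    }
    return prng_next();
}

/* Fork and draw once on each side: 1 = outputs differ, 0 = same, -1 = error. */
int fork_outputs_differ(int pid_check) {
    int fd[2];
    uint64_t child_val = 0, parent_val;
    seeded_pid = getpid();          /* the parent counts as already seeded */
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                 /* child: report its first draw, then exit */
        uint64_t v = checked_next(pid_check);
        _exit(write(fd[1], &v, sizeof v) == (ssize_t)sizeof v ? 0 : 1);
    }
    close(fd[1]);
    parent_val = checked_next(pid_check);
    ssize_t n = read(fd[0], &child_val, sizeof child_val);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof child_val ? parent_val != child_val : -1;
}
```

With the check disabled, parent and child inherit the same state and produce the same first value; with it enabled, only the child re-seeds. The check protects only draws that go through the wrapper, which is why every entry point that consumes PRNG output would need it.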