Kaydet (Commit) fb6b44e8 authored tarafından Christian Heimes's avatar Christian Heimes

Issue #19227 / Issue #18747: Remove pthread_atfork() handler to remove OpenSSL re-seeding

It is causing trouble like e.g. hanging processes.
üst 3d596fa9
......@@ -19,9 +19,6 @@
#ifdef WITH_THREAD
#include "pythread.h"
#ifdef HAVE_PTHREAD_ATFORK
# include <pthread.h>
#endif
#define PySSL_BEGIN_ALLOW_THREADS_S(save) \
do { if (_ssl_locks_count>0) { (save) = PyEval_SaveThread(); } } while (0)
......@@ -2584,65 +2581,6 @@ Queries the entropy gather daemon (EGD) on the socket named by 'path'.\n\
Returns number of bytes read. Raises SSLError if connection to EGD\n\
fails or if it does not provide enough data to seed PRNG.");
/* Seed OpenSSL's PRNG at fork(), http://bugs.python.org/issue18747
*
* The prepare handler seeds the PRNG from pseudo-random data like pid, the
* current time (miliseconds or seconds) and an uninitialized array.
* The array contains stack variables that are impossible to predict
* on most systems, e.g. function return address (subject to ASLR), the
* stack protection canary and automatic variables.
* The code is inspired by Apache's ssl_rand_seed() function.
*
* Note:
* The code uses pthread_atfork() until Python has a proper atfork API. The
* handlers are not removed from the child process. A prepare handler is used
* instead of a child handler because fork() is supposed to be async-signal
* safe but the handler calls unsafe functions. A parent handler has caused
* other problems, see issue #19227.
*/
#if defined(HAVE_PTHREAD_ATFORK) && defined(WITH_THREAD)
#define PYSSL_RAND_ATFORK 1
static void
PySSL_RAND_atfork_prepare(void)
{
struct {
char stack[128]; /* uninitialized (!) stack data, 128 is an
arbitrary number. */
pid_t pid; /* current pid */
_PyTime_timeval tp; /* current time */
} seed;
#ifdef WITH_VALGRIND
VALGRIND_MAKE_MEM_DEFINED(seed.stack, sizeof(seed.stack));
#endif
seed.pid = getpid();
_PyTime_gettimeofday(&(seed.tp));
RAND_add((unsigned char *)&seed, sizeof(seed), 0.0);
}
static int
PySSL_RAND_atfork(void)
{
static int registered = 0;
int retval;
if (registered)
return 0;
retval = pthread_atfork(PySSL_RAND_atfork_prepare, /* prepare */
NULL, /* parent */
NULL); /* child */
if (retval != 0) {
PyErr_SetFromErrno(PyExc_OSError);
return -1;
}
registered = 1;
return 0;
}
#endif /* HAVE_PTHREAD_ATFORK */
#endif /* HAVE_OPENSSL_RAND */
......@@ -3022,10 +2960,5 @@ PyInit__ssl(void)
if (r == NULL || PyModule_AddObject(m, "_OPENSSL_API_VERSION", r))
return NULL;
#ifdef PYSSL_RAND_ATFORK
if (PySSL_RAND_atfork() == -1)
return NULL;
#endif
return m;
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment