[exim-dev] Question on OpenSSL random/fork fix

Top Page

Reply to this message
Author: Jeffrey Walton
Date:  
To: exim-dev
Subject: [exim-dev] Question on OpenSSL random/fork fix
Hi All,

Forgive me for my ignorance here. I'm surveying methods to fix the
problems with OpenSSL's PRNG after a fork.

It looks like Exim calls RAND_cleanup after a fork.
https://lists.exim.org/lurker/message/20130402.171710.92f14a60.el.html
and http://git.exim.org/exim.git/blob/de6135a0cbbeb4fbae7233a40563a241de1c237b:/src/src/tls-openssl.c.

It also looks like OpenSSL's RAND_cleanup clears the state *and*
replaces the random method with NULL. From rand_lib.c:

void RAND_cleanup(void)
    {
    const RAND_METHOD *meth = RAND_get_rand_method();
    if (meth && meth->cleanup)
        meth->cleanup();
    RAND_set_rand_method(NULL);
    }


That means the call to RAND_seed should that follows should fail:

void RAND_seed(const void *buf, int num)
    {
    const RAND_METHOD *meth = RAND_get_rand_method();
    if (meth && meth->seed)
        meth->seed(buf,num);
    }


And believe subsequent calls to RAND_bytes or RAND_pseudo_bytes will also fail:

int RAND_bytes(unsigned char *buf, int num)
    {
    const RAND_METHOD *meth = RAND_get_rand_method();
    if (meth && meth->bytes)
        return meth->bytes(buf,num);
    return(-1);
    }


int RAND_pseudo_bytes(unsigned char *buf, int num)
    {
    const RAND_METHOD *meth = RAND_get_rand_method();
    if (meth && meth->pseudorand)
        return meth->pseudorand(buf,num);
    return(-1);
    }


Somewhat interesting in a morbid sort of way, it looks like the call
to RAND_status is useful because it returns 0:

int RAND_status(void)
    {
    const RAND_METHOD *meth = RAND_get_rand_method();
    if (meth && meth->status)
        return meth->status();
    return 0;
    }


Sorry to bring this up. I'm probably missing something obvious.

Thanks in advance.

Jeffrey Walton