diff options
| author | Yann Ylavic <ylavic@apache.org> | 2018-06-12 07:51:40 +0000 |
|---|---|---|
| committer | Yann Ylavic <ylavic@apache.org> | 2018-06-12 07:51:40 +0000 |
| commit | af39a670ca00949536be1b3d615d2ec0392d63f3 (patch) | |
| tree | 7ec35e84a03a26a59502d7b6e62cea33d6884116 | |
| parent | 84435d92a26fee020f038b9dcc45d4ed380454c4 (diff) | |
| download | apr-af39a670ca00949536be1b3d615d2ec0392d63f3.tar.gz | |
Follow up to r1833359: apr_crypto_prng_after_fork() can now use a PID.
git-svn-id: https://svn.apache.org/repos/asf/apr/apr/trunk@1833382 13f79535-47bb-0310-9956-ffa450edef68
| -rw-r--r-- | crypto/apr_crypto_prng.c | 27 | ||||
| -rw-r--r-- | include/apr_crypto.h | 4 | ||||
| -rw-r--r-- | threadproc/unix/proc.c | 2 |
3 files changed, 29 insertions, 4 deletions
diff --git a/crypto/apr_crypto_prng.c b/crypto/apr_crypto_prng.c index 12f581a26..b136212c3 100644 --- a/crypto/apr_crypto_prng.c +++ b/crypto/apr_crypto_prng.c @@ -47,6 +47,7 @@ #if APU_HAVE_OPENSSL #include <openssl/evp.h> +#include <openssl/sha.h> #include <openssl/obj_mac.h> /* for NID_* */ #if !defined(NID_chacha20) && !defined(NID_aes_256_ctr) @@ -104,6 +105,17 @@ apr_status_t cprng_stream_ctx_mix(cprng_stream_ctx_t **pctx, return APR_SUCCESS; } +static apr_status_t cprng_hash_to_seed(pid_t pid, unsigned char seed[]) +{ + SHA256_CTX ctx; + + SHA256_Init(&ctx); + SHA256_Update(&ctx, &pid, sizeof(pid)); + SHA256_Final(seed, &ctx); + + return APR_SUCCESS; +} + #else /* APU_HAVE_OPENSSL */ /* XXX: APU_HAVE_CRYPTO_PRNG shoudn't be defined! */ @@ -178,13 +190,24 @@ APR_DECLARE(apr_status_t) apr_crypto_prng_term(void) return APR_SUCCESS; } -APR_DECLARE(apr_status_t) apr_crypto_prng_after_fork(void) +APR_DECLARE(apr_status_t) apr_crypto_prng_after_fork(apr_proc_t *proc) { + unsigned char seedb[APR_CRYPTO_PRNG_SEED_SIZE], *seed = NULL; + if (!cprng_global) { return APR_EINIT; } - return apr_crypto_prng_reseed(cprng_global, NULL); + if (proc) { + apr_status_t rv; + rv = cprng_hash_to_seed(proc->pid, seedb); + if (rv != APR_SUCCESS) { + return rv; + } + seed = seedb; + } + + return apr_crypto_prng_reseed(cprng_global, seed); } APR_DECLARE(apr_status_t) apr_crypto_random_bytes(void *buf, apr_size_t len) diff --git a/include/apr_crypto.h b/include/apr_crypto.h index 55ae4494e..f569cf0da 100644 --- a/include/apr_crypto.h +++ b/include/apr_crypto.h @@ -22,6 +22,7 @@ #include "apr_tables.h" #include "apr_hash.h" #include "apu_errno.h" +#include "apr_thread_proc.h" #ifdef __cplusplus extern "C" { @@ -554,9 +555,10 @@ APR_DECLARE(apr_status_t) apr_crypto_prng_term(void); * @brief Reseed global CPRNG after a process is fork()ed to avoid any * duplicated state. * + * @param proc The child process (including its PID). * @return Any system error (APR_ENOMEM, ...). */ -APR_DECLARE(apr_status_t) apr_crypto_prng_after_fork(void); +APR_DECLARE(apr_status_t) apr_crypto_prng_after_fork(apr_proc_t *proc); /** * @brief Generate cryptographically secure random bytes from the global CPRNG. diff --git a/threadproc/unix/proc.c b/threadproc/unix/proc.c index de9720045..f7d02d204 100644 --- a/threadproc/unix/proc.c +++ b/threadproc/unix/proc.c @@ -231,7 +231,7 @@ APR_DECLARE(apr_status_t) apr_proc_fork(apr_proc_t *proc, apr_pool_t *pool) apr_random_after_fork(proc); #if APU_HAVE_CRYPTO_PRNG - apr_crypto_prng_after_fork(); + apr_crypto_prng_after_fork(proc); #endif return APR_INCHILD; |