It is causing trouble, e.g. hanging processes.
commit
ee0bac66b2
|
@ -2637,6 +2637,10 @@ written in Python, such as a mail server's external command delivery program.
|
|||
Note that some platforms including FreeBSD <= 6.3, Cygwin and OS/2 EMX have
|
||||
known issues when using fork() from a thread.
|
||||
|
||||
.. warning::
|
||||
|
||||
See :mod:`ssl` for applications that use the SSL module with fork().
|
||||
|
||||
Availability: Unix.
|
||||
|
||||
|
||||
|
|
|
@ -29,6 +29,14 @@ probably additional platforms, as long as OpenSSL is installed on that platform.
|
|||
cause variations in behavior. For example, TLSv1.1 and TLSv1.2 come with
|
||||
openssl version 1.0.1.
|
||||
|
||||
.. warning::
|
||||
|
||||
OpenSSL's internal random number generator does not properly handle fork.
|
||||
Applications must change the PRNG state of the parent process if they use
|
||||
any SSL feature with with :func:`os.fork`. Any successful call of
|
||||
:func:`~ssl.RAND_add`, :func:`~ssl.RAND_bytes` or
|
||||
:func:`~ssl.RAND_pseudo_bytes` is sufficient.
|
||||
|
||||
This section documents the objects and functions in the ``ssl`` module; for more
|
||||
general information about TLS, SSL, and certificates, the reader is referred to
|
||||
the documents in the "See Also" section at the bottom.
|
||||
|
|
|
@ -28,6 +28,9 @@ Core and Builtins
|
|||
Library
|
||||
-------
|
||||
|
||||
- Issue #19227: Remove pthread_atfork() handler. The handler was added to
|
||||
solve #18747 but has caused issues.
|
||||
|
||||
- Issue #19420: Fix reference leak in module initalization code of
|
||||
_hashopenssl.c
|
||||
|
||||
|
|
|
@ -19,9 +19,6 @@
|
|||
#ifdef WITH_THREAD
|
||||
#include "pythread.h"
|
||||
|
||||
#ifdef HAVE_PTHREAD_ATFORK
|
||||
# include <pthread.h>
|
||||
#endif
|
||||
|
||||
#define PySSL_BEGIN_ALLOW_THREADS_S(save) \
|
||||
do { if (_ssl_locks_count>0) { (save) = PyEval_SaveThread(); } } while (0)
|
||||
|
@ -2950,65 +2947,6 @@ Queries the entropy gather daemon (EGD) on the socket named by 'path'.\n\
|
|||
Returns number of bytes read. Raises SSLError if connection to EGD\n\
|
||||
fails or if it does not provide enough data to seed PRNG.");
|
||||
|
||||
/* Seed OpenSSL's PRNG at fork(), http://bugs.python.org/issue18747
|
||||
*
|
||||
* The prepare handler seeds the PRNG from pseudo-random data like pid, the
|
||||
* current time (miliseconds or seconds) and an uninitialized array.
|
||||
* The array contains stack variables that are impossible to predict
|
||||
* on most systems, e.g. function return address (subject to ASLR), the
|
||||
* stack protection canary and automatic variables.
|
||||
* The code is inspired by Apache's ssl_rand_seed() function.
|
||||
*
|
||||
* Note:
|
||||
* The code uses pthread_atfork() until Python has a proper atfork API. The
|
||||
* handlers are not removed from the child process. A prepare handler is used
|
||||
* instead of a child handler because fork() is supposed to be async-signal
|
||||
* safe but the handler calls unsafe functions. A parent handler has caused
|
||||
* other problems, see issue #19227.
|
||||
*/
|
||||
|
||||
#if defined(HAVE_PTHREAD_ATFORK) && defined(WITH_THREAD)
|
||||
#define PYSSL_RAND_ATFORK 1
|
||||
|
||||
static void
|
||||
PySSL_RAND_atfork_prepare(void)
|
||||
{
|
||||
struct {
|
||||
char stack[128]; /* uninitialized (!) stack data, 128 is an
|
||||
arbitrary number. */
|
||||
pid_t pid; /* current pid */
|
||||
_PyTime_timeval tp; /* current time */
|
||||
} seed;
|
||||
|
||||
#ifdef WITH_VALGRIND
|
||||
VALGRIND_MAKE_MEM_DEFINED(seed.stack, sizeof(seed.stack));
|
||||
#endif
|
||||
seed.pid = getpid();
|
||||
_PyTime_gettimeofday(&(seed.tp));
|
||||
RAND_add((unsigned char *)&seed, sizeof(seed), 0.0);
|
||||
}
|
||||
|
||||
static int
|
||||
PySSL_RAND_atfork(void)
|
||||
{
|
||||
static int registered = 0;
|
||||
int retval;
|
||||
|
||||
if (registered)
|
||||
return 0;
|
||||
|
||||
retval = pthread_atfork(PySSL_RAND_atfork_prepare, /* prepare */
|
||||
NULL, /* parent */
|
||||
NULL); /* child */
|
||||
if (retval != 0) {
|
||||
PyErr_SetFromErrno(PyExc_OSError);
|
||||
return -1;
|
||||
}
|
||||
registered = 1;
|
||||
return 0;
|
||||
}
|
||||
#endif /* HAVE_PTHREAD_ATFORK */
|
||||
|
||||
#endif /* HAVE_OPENSSL_RAND */
|
||||
|
||||
|
||||
|
@ -3623,10 +3561,5 @@ PyInit__ssl(void)
|
|||
if (r == NULL || PyModule_AddObject(m, "_OPENSSL_API_VERSION", r))
|
||||
return NULL;
|
||||
|
||||
#ifdef PYSSL_RAND_ATFORK
|
||||
if (PySSL_RAND_atfork() == -1)
|
||||
return NULL;
|
||||
#endif
|
||||
|
||||
return m;
|
||||
}
|
||||
|
|