From fb6b44e83083df34e8fccced4a2b518b27718144 Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@cheimes.de>
Date: Tue, 29 Oct 2013 20:50:01 +0100
Subject: [PATCH 1/2] Issue #19227 / Issue #18747: Remove pthread_atfork()
 handler to remove OpenSSL re-seeding It is causing trouble like e.g. hanging
 processes.

---
 Modules/_ssl.c | 67 --------------------------------------------------
 1 file changed, 67 deletions(-)

diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index b791f28d087..374d930166f 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -19,9 +19,6 @@
 #ifdef WITH_THREAD
 #include "pythread.h"
 
-#ifdef HAVE_PTHREAD_ATFORK
-#  include <pthread.h>
-#endif
 
 #define PySSL_BEGIN_ALLOW_THREADS_S(save) \
     do { if (_ssl_locks_count>0) { (save) = PyEval_SaveThread(); } } while (0)
@@ -2584,65 +2581,6 @@ Queries the entropy gather daemon (EGD) on the socket named by 'path'.\n\
 Returns number of bytes read.  Raises SSLError if connection to EGD\n\
 fails or if it does not provide enough data to seed PRNG.");
 
-/* Seed OpenSSL's PRNG at fork(), http://bugs.python.org/issue18747
- *
- * The prepare handler seeds the PRNG from pseudo-random data like pid, the
- * current time (miliseconds or seconds) and an uninitialized array.
- * The array contains stack variables that are impossible to predict
- * on most systems, e.g. function return address (subject to ASLR), the
- * stack protection canary and automatic variables.
- * The code is inspired by Apache's ssl_rand_seed() function.
- *
- * Note:
- * The code uses pthread_atfork() until Python has a proper atfork API. The
- * handlers are not removed from the child process. A prepare handler is used
- * instead of a child handler because fork() is supposed to be async-signal
- * safe but the handler calls unsafe functions. A parent handler has caused
- * other problems, see issue #19227.
- */
-
-#if defined(HAVE_PTHREAD_ATFORK) && defined(WITH_THREAD)
-#define PYSSL_RAND_ATFORK 1
-
-static void
-PySSL_RAND_atfork_prepare(void)
-{
-    struct {
-        char stack[128];    /* uninitialized (!) stack data, 128 is an
-                               arbitrary number. */
-        pid_t pid;          /* current pid */
-        _PyTime_timeval tp; /* current time */
-    } seed;
-
-#ifdef WITH_VALGRIND
-    VALGRIND_MAKE_MEM_DEFINED(seed.stack, sizeof(seed.stack));
-#endif
-    seed.pid = getpid();
-    _PyTime_gettimeofday(&(seed.tp));
-    RAND_add((unsigned char *)&seed, sizeof(seed), 0.0);
-}
-
-static int
-PySSL_RAND_atfork(void)
-{
-    static int registered = 0;
-    int retval;
-
-    if (registered)
-        return 0;
-
-    retval = pthread_atfork(PySSL_RAND_atfork_prepare, /* prepare */
-                            NULL,                      /* parent */
-                            NULL);                     /* child */
-    if (retval != 0) {
-        PyErr_SetFromErrno(PyExc_OSError);
-        return -1;
-    }
-    registered = 1;
-    return 0;
-}
-#endif /* HAVE_PTHREAD_ATFORK */
-
 #endif /* HAVE_OPENSSL_RAND */
 
 
@@ -3022,10 +2960,5 @@ PyInit__ssl(void)
     if (r == NULL || PyModule_AddObject(m, "_OPENSSL_API_VERSION", r))
         return NULL;
 
-#ifdef PYSSL_RAND_ATFORK
-    if (PySSL_RAND_atfork() == -1)
-        return NULL;
-#endif
-
     return m;
 }

From 3046fe4c039f333c1dc8d7758990df5bcadef873 Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@cheimes.de>
Date: Tue, 29 Oct 2013 21:08:56 +0100
Subject: [PATCH 2/2] Issue #18747: document issue with OpenSSL's CPRNG state
 and fork

---
 Doc/library/os.rst  | 4 ++++
 Doc/library/ssl.rst | 8 ++++++++
 2 files changed, 12 insertions(+)

diff --git a/Doc/library/os.rst b/Doc/library/os.rst
index 59457f75acd..2c33366c0db 100644
--- a/Doc/library/os.rst
+++ b/Doc/library/os.rst
@@ -2582,6 +2582,10 @@ written in Python, such as a mail server's external command delivery program.
    Note that some platforms including FreeBSD <= 6.3, Cygwin and OS/2 EMX have
    known issues when using fork() from a thread.
 
+   .. warning::
+
+      See :mod:`ssl` for applications that use the SSL module with fork().
+
    Availability: Unix.
 
 
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index a688e4609d4..a12ce5b4436 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -28,6 +28,14 @@ probably additional platforms, as long as OpenSSL is installed on that platform.
    operating system socket APIs.  The installed version of OpenSSL may also
    cause variations in behavior.
 
+.. warning::
+
+   OpenSSL's internal random number generator does not properly handle fork.
+   Applications must change the PRNG state of the parent process if they use
+   any SSL feature with with :func:`os.fork`. Any successful call of
+   :func:`~ssl.RAND_add`, :func:`~ssl.RAND_bytes` or
+   :func:`~ssl.RAND_pseudo_bytes` is sufficient.
+
 This section documents the objects and functions in the ``ssl`` module; for more
 general information about TLS, SSL, and certificates, the reader is referred to
 the documents in the "See Also" section at the bottom.