crypt: Add workaround for non-fork-safe PRGs.

Some PRNGs implementations suffer from the problem that after a fork()
the PRNG state of parent and child process differ only by the child pid
which is mixed into the state. Certain versions of openssl are known to
contain this flaw.

On such implementations two command handlers will generate the same
challenge and session keys if their pid is identical. This may happen
due to pid wrapping.

This patch works around this shortcoming by reading some pseudo random
bytes in the parent process after each fork().

diff --git a/server.c b/server.c
index 36af088ec64e0b4fd2baac06cd773653858853f0..70d9137e7073cf7e7c7e9d3e598c742a26657560 100644 (file)
--- a/server.c
+++ b/server.c
@@ -388,6 +388,9 @@ static int command_post_select(struct sched *s, struct task *t)
                goto out;
        }
        if (child_pid) {
+               /* avoid problems with non-fork-safe PRNGs */
+               unsigned char buf[16];
+               get_random_bytes_or_die(buf, sizeof(buf));
                close(new_fd);
                /* parent keeps accepting connections */
                return 0;