On 1/16/14 4:57 AM, Dr. Stephen Henson wrote:
> On Thu, Jan 16, 2014, Florian Weimer wrote:
>> The additional resolution of a tick counter might make reseeding
>> after fork unnecessary, but it's difficult to be sure. Something
>> not based on timing information looks desirable to me.
>
> I should point out that the aim of the current code is not to completely
> reseed after fork() but to make the PRNG state diverge so that the two
> processes do not share the same internal PRNG state.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [email protected]
> Automated List Manager [email protected]

If you want to make sure they diverge, and make sure that multiple forks
diverge differently, you should push in the process ID. Pushing in time
helps with (but does not perfectly cure) the virtual machine copying
problem. So I suggest pushing in the PID concatenated with some sort of
time.

The reason I say that it is not perfect is that there might be some
installation that has taken a snapshot of a VM. Every time they need a
new VM, they just start up a new one from that snapshot. If time is
only to a second, it is quite possible that 2 VMs start up the same
second. Higher resolution time would be better.

Of course, modern Intel chips have a really good RNG. Use that if you can.

--David Jacobson
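
The suggestion in the message above, sketched as an added example (not code from this thread or from OpenSSL): the PID and a nanosecond timestamp are mixed into an inherited state after `fork()`. The names `absorb`, `stir` and `fork_diverges` are hypothetical, the mixing step is a non-cryptographic stand-in for hashing into a real PRNG pool, and all sample values are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <sys/wait.h>

/* Toy pool update, NOT cryptographic: stands in for hashing input into real
 * PRNG state. For a fixed state, two different words never give one result. */
static uint64_t absorb(uint64_t state, uint64_t word) {
    uint64_t z = (state ^ word) * 0x9E3779B97F4A7C15ULL; /* odd multiplier */
    return z ^ (z >> 32);
}

/* Push in the PID concatenated with a timestamp (hypothetical helper). */
uint64_t stir(uint64_t state, pid_t pid, time_t sec, long nsec) {
    state = absorb(state, (uint64_t)pid);
    state = absorb(state, (uint64_t)sec);
    return absorb(state, (uint64_t)nsec);
}

/* Parent and child stir the same inherited state with the same timestamp, so
 * only the PID separates them. Returns 1 if they diverge, 0 if not, -1 on error. */
int fork_diverges(uint64_t inherited) {
    struct timespec ts;
    uint64_t child = 0;
    int fd[2];
    if (clock_gettime(CLOCK_REALTIME, &ts) != 0 || pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        uint64_t s = stir(inherited, getpid(), ts.tv_sec, ts.tv_nsec);
        _exit(write(fd[1], &s, sizeof s) == (ssize_t)sizeof s ? 0 : 1);
    }
    close(fd[1]);
    ssize_t got = read(fd[0], &child, sizeof child);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    if (got != (ssize_t)sizeof child) return -1;
    return stir(inherited, getpid(), ts.tv_sec, ts.tv_nsec) != child;
}

int main(void) {
    uint64_t s = 0x0123456789abcdefULL; /* constructed sample state */
    printf("fork diverges: %d\n", fork_diverges(s));
    /* Two clones of one snapshot: same PID, same second, no finer clock. */
    printf("clones collide: %d\n", stir(s, 4242, 1389862620, 0) == stir(s, 4242, 1389862620, 0));
    return 0;
}
```

The second line of output is the snapshot case from the message: with identical PID and a one-second clock the two clones end up with the same state, and only a finer timestamp (or an independent entropy source) separates them.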