On fork, perturb the PRNG stream in the child

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14016 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/crypto/yarrow/ChangeLog b/src/lib/crypto/yarrow/ChangeLog
index 22413ecfd95085e73a7df9cad5157136ca217945..d5f52f577b414226e6f2d6afaffe95a12044ece1 100644 (file)
--- a/src/lib/crypto/yarrow/ChangeLog
+++ b/src/lib/crypto/yarrow/ChangeLog
@@ -1,3 +1,7 @@
+2001-11-21  Sam Hartman  <hartmans@mit.edu>
+
+       * yarrow.c (Yarrow_detect_fork): Reseed the number generator including the fork rather than throwing away state.
+
 2001-11-19  Sam Hartman  <hartmans@mit.edu>
 
        * yhash.h: Work around sha1 implementation using host byte order

diff --git a/src/lib/crypto/yarrow/yarrow.c b/src/lib/crypto/yarrow/yarrow.c
index e3e26f1cb43bb081074a97ae46e175409257973e..b4e5a218e0b658fae1cbdd57ad68fae95ada6ce5 100644 (file)
--- a/src/lib/crypto/yarrow/yarrow.c
+++ b/src/lib/crypto/yarrow/yarrow.c
@@ -121,14 +121,24 @@ static void krb5int_yarrow_init_Limits(Yarrow_CTX* y)
 
 static int Yarrow_detect_fork(Yarrow_CTX *y)
 {
+    pid_t newpid;
     EXCEP_DECL;
 
     /* this does not work for multi-threaded apps if threads have different
      * pids */
-    if ( y->pid != getpid() )
+       newpid = getpid();
+    if ( y->pid != newpid )
     {
-       TRY( krb5int_yarrow_init( y, y->entropyfile ) );
-    }
+       /* we input the pid twice, so it will get into the fast pool at least once
+        * Then we reseed.  This doesn't really increase entropy, but does make the
+        * streams distinct assuming we already have good entropy*/
+       y->pid = newpid;
+       TRY (krb5int_yarrow_input (y, 0, &newpid,
+                                  sizeof (newpid), 0));
+               TRY (krb5int_yarrow_input (y, 0, &newpid,
+                                  sizeof (newpid), 0));
+               TRY (krb5int_yarrow_reseed (y, YARROW_FAST_POOL));
+                   }
 
  CATCH:
     EXCEP_RET;