Bug 54752 - mod_ssl should not use uninitialized memory as random seed
Summary: mod_ssl should not use uninitialized memory as random seed
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl (show other bugs)
Version: 2.5-HEAD
Hardware: All All
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2013-03-25 22:01 UTC by Stefan Fritsch
Modified: 2018-05-27 20:16 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Fritsch 2013-03-25 22:01:46 UTC
mod_ssl's 'builtin' random seed uses uninitalized stack memory as random seed. This is undefined behavior in C and can cause other seemingly unrelated code to be optimized away. See http://kqueue.org/blog/2012/06/25/more-randomness-or-less/ for an example.

Also the docs are wrong in that it claims that the scoreboard memory is used as seed, which is not the case.
Comment 1 Takashi Sato 2013-04-05 03:02:00 UTC

I think today httpd should use apr random functions and should not have own random functionality.
Comment 2 Christophe JAILLET 2018-05-27 20:16:20 UTC
Doc have been updated in r1832346 to be consistent with the code.

Your suggestion is still relevant, but at least the doc does not lie anymore :)