Bug 54752 - mod_ssl should not use uninitialized memory as random seed
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.5-HEAD
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2013-03-25 22:01 UTC by Stefan Fritsch
Modified: 2020-08-04 10:27 UTC
Description Stefan Fritsch 2013-03-25 22:01:46 UTC
mod_ssl's 'builtin' random seed uses uninitialized stack memory as random seed. This is undefined behavior in C and can cause other seemingly unrelated code to be optimized away. See http://kqueue.org/blog/2012/06/25/more-randomness-or-less/ for an example.

Also the docs are wrong in that they claim that the scoreboard memory is used as seed, which is not the case.
Comment 1 Takashi Sato 2013-04-05 03:02:00 UTC
+1

I think today httpd should use apr random functions and should not have its own random functionality.
Comment 2 Christophe JAILLET 2018-05-27 20:16:20 UTC
Docs have been updated in r1832346 to be consistent with the code.

Your suggestion is still relevant, but at least the doc does not lie anymore :)
Comment 3 Joe Orton 2020-08-04 10:27:54 UTC
I think we can consider this fixed as of r1877467 for trunk.  Docs updated in r1880564.