From 1d0f73d20f5368e7c27eb10026ed9af27dbda186 Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@cheimes.de>
Date: Thu, 22 Aug 2013 13:19:48 +0200
Subject: [PATCH] Issue #18747: Use a parent atfork handler instead of a child
 atfork handler. fork() is suppose to be async-signal safe but the handler
 calls unsafe functions. A parent handler mitigates the issue.

---
 Modules/_ssl.c | 21 +++++++++------------
 1 file changed, 9 insertions(+), 12 deletions(-)

diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 1c769edb0913..1839dc07114c 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -1628,23 +1628,25 @@ fails or if it does not provide enough data to seed PRNG.");
 
 /* Seed OpenSSL's PRNG at fork(), http://bugs.python.org/issue18747
  *
- * The child handler seeds the PRNG from pseudo-random data like pid, the
- * current time (nanoseconds, miliseconds or seconds) and an uninitialized
- * array. The array contains stack variables that are impossible to predict
+ * The parent handler seeds the PRNG from pseudo-random data like pid, the
+ * current time (miliseconds or seconds) and an uninitialized arry.
+ * The array contains stack variables that are impossible to predict
  * on most systems, e.g. function return address (subject to ASLR), the
  * stack protection canary and automatic variables.
  * The code is inspired by Apache's ssl_rand_seed() function.
  *
  * Note:
  * The code uses pthread_atfork() until Python has a proper atfork API. The
- * handlers are not removed from the child process.
+ * handlers are not removed from the child process. A parent handler is used
+ * instead of a child handler because fork() is suppose to be async-signal
+ * safe but the handler calls unsafe functions.
  */
 
 #if defined(HAVE_PTHREAD_ATFORK) && defined(WITH_THREAD)
 #define PYSSL_RAND_ATFORK 1
 
 static void
-PySSL_RAND_atfork_child(void)
+PySSL_RAND_atfork_parent(void)
 {
     struct {
         char stack[128];    /* uninitialized (!) stack data, 128 is an
@@ -1658,11 +1660,6 @@ PySSL_RAND_atfork_child(void)
 #endif
     seed.pid = getpid();
     seed.time = time(NULL);
-
-#if 0
-    fprintf(stderr, "PySSL_RAND_atfork_child() seeds %i bytes in pid %i\n",
-            (int)sizeof(seed), seed.pid);
-#endif
     RAND_add((unsigned char *)&seed, sizeof(seed), 0.0);
 }
 
@@ -1676,8 +1673,8 @@ PySSL_RAND_atfork(void)
         return 0;
 
     retval = pthread_atfork(NULL,                     /* prepare */
-                            NULL,                     /* parent */
-                            PySSL_RAND_atfork_child); /* child */
+                            PySSL_RAND_atfork_parent, /* parent */
+                            NULL);                    /* child */
     if (retval != 0) {
         PyErr_SetFromErrno(PyExc_OSError);
         return -1;
-- 
2.47.3