On fork, perturb the PRNG stream in the child

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14016 dc483132-0cff-0310-8789-dd5450dbe970

2 files changed, 17 insertions, 3 deletions

diff --git a/src/lib/crypto/yarrow/ChangeLog b/src/lib/crypto/yarrow/ChangeLog
index 22413ecfd..d5f52f577 100644
--- a/src/lib/crypto/yarrow/ChangeLog
+++ b/src/lib/crypto/yarrow/ChangeLog
@@ -1,3 +1,7 @@
+2001-11-21  Sam Hartman  <hartmans@mit.edu>
+
+	* yarrow.c (Yarrow_detect_fork): Reseed the number generator including the fork rather than throwing away state.
+
 2001-11-19  Sam Hartman  <hartmans@mit.edu>
 
 	* yhash.h: Work around sha1 implementation using host byte order
diff --git a/src/lib/crypto/yarrow/yarrow.c b/src/lib/crypto/yarrow/yarrow.c
index e3e26f1cb..b4e5a218e 100644
--- a/src/lib/crypto/yarrow/yarrow.c
+++ b/src/lib/crypto/yarrow/yarrow.c
@@ -121,14 +121,24 @@ static void krb5int_yarrow_init_Limits(Yarrow_CTX* y)
 
 static int Yarrow_detect_fork(Yarrow_CTX *y)
 {
+    pid_t newpid;
     EXCEP_DECL;
 
     /* this does not work for multi-threaded apps if threads have different
      * pids */
-    if ( y->pid != getpid() )
+       newpid = getpid();
+    if ( y->pid != newpid )
     {
-	TRY( krb5int_yarrow_init( y, y->entropyfile ) );
-    }
+	/* we input the pid twice, so it will get into the fast pool at least once
+	 * Then we reseed.  This doesn't really increase entropy, but does make the
+	 * streams distinct assuming we already have good entropy*/
+	y->pid = newpid;
+	TRY (krb5int_yarrow_input (y, 0, &newpid,
+				   sizeof (newpid), 0));
+		TRY (krb5int_yarrow_input (y, 0, &newpid,
+				   sizeof (newpid), 0));
+		TRY (krb5int_yarrow_reseed (y, YARROW_FAST_POOL));
+		    }
 
  CATCH:
     EXCEP_RET;