From owner-freebsd-security Thu Mar 27 23:14:08 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id XAA24744 for security-outgoing; Thu, 27 Mar 1997 23:14:08 -0800 (PST)
Received: from grackle.grondar.za (grackle.grondar.za [196.7.18.131]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id XAA24738; Thu, 27 Mar 1997 23:13:59 -0800 (PST)
Received: from grackle.grondar.za (localhost [127.0.0.1]) by grackle.grondar.za (8.8.5/8.8.4) with ESMTP id JAA09258; Fri, 28 Mar 1997 09:13:20 +0200 (SAT)
Message-Id: <199703280713.JAA09258@grackle.grondar.za>
To: Андрей Чернов
cc: Mark Murray , Joerg Wunsch , markm@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: ATTENTION: Initial state of random pool
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 28 Mar 1997 09:13:12 +0200
From: Mark Murray
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Андрей Чернов wrote:
> > At the moment, the pool of randomness is stirred far too often by MD5. I
> > have some more recent code by Ted Ts'o which uses SHA, and is improved in
> > other ways.
>
> Hmm, I am not talking about improvements right now, only about bugfixes...

Oh, OK. I am planning a huge improvement in the long(ish) term. In the
meanwhile, I am sure I can come up with some decent muck to prime the pool.

> To summarize what I want:
>
> 1) We need to check if at least _one_ true random word was added after
>    boot, just to be sure that daemons can use /dev/urandom.
>
> 2) If it happens, go to 4)
>
> 3) We need to add this random word, f.e. from timer.
>
> 4a) We need to remove rndcontrol from rc.i386 (leaving it as user-land
>     utility) and add all interrupts to kernel config file, i.e.
>     something like:
>         option RAND_INTS "5 7 10 11"
>     or something more suitable.
>
> or
>
> 4b) We need to start rndcontrol as early as possible in /etc/rc
>     (I think 4a is better)

Should be easy. I'll look at this over the next few days.

M
--
Mark Murray                PGP key fingerprint = 80 36 6E 40 83 D6 8A 36
This .sig is umop ap!sdn.                        BC 06 EA 0E 7A F2 CE CE
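
The check-then-prime logic of steps 1 to 3 in the quoted proposal, as an added example that is not code from this thread or from the FreeBSD kernel. It is a toy pool showing that an unprimed pool returns the same output on every boot; the names `rand_pool`, `pool_ensure_primed` and the mixer are assumptions, and the timer values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model constructed for illustration; not the FreeBSD kernel pool. */
#define POOL_WORDS 8
struct rand_pool {
    uint32_t words[POOL_WORDS];
    unsigned pos;
    unsigned added_since_boot;  /* words mixed in after boot */
};

/* Stand-in mixer (assumption); the thread says the real pool uses MD5. */
static uint32_t mix32(uint32_t x) {
    x += 0x9e3779b9u;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return x * 2654435761u;
}

/* Every boot starts from the same all-zero state. */
void pool_boot(struct rand_pool *p) { *p = (struct rand_pool){0}; }

void pool_add_word(struct rand_pool *p, uint32_t w) {
    p->words[p->pos] ^= w;
    p->pos = (p->pos + 1) % POOL_WORDS;
    p->added_since_boot++;
}

/* Steps 1-3: if no word was added since boot, add one from the timer.
 * Returns 1 if priming was needed, 0 if the pool already had input. */
int pool_ensure_primed(struct rand_pool *p, uint32_t timer_word) {
    if (p->added_since_boot > 0) return 0;
    pool_add_word(p, timer_word);
    return 1;
}

/* /dev/urandom-style read: never blocks, so output reflects pool state. */
uint32_t pool_read(struct rand_pool *p) {
    uint32_t acc = 0;
    for (int i = 0; i < POOL_WORDS; i++) {
        acc = mix32(acc ^ p->words[i]);
        p->words[i] = mix32(p->words[i] + acc);  /* stir after use */
    }
    return acc;
}

int main(void) {
    struct rand_pool a, b;
    pool_boot(&a); pool_boot(&b);
    printf("unprimed boots equal: %d\n", pool_read(&a) == pool_read(&b));
    return 0;
}
```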