Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 28 Jul 2012 11:26:08 +0100 (BST)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        David Schultz <das@FreeBSD.ORG>
Cc:        Doug Barton <dougb@FreeBSD.ORG>, Pawel Jakub Dawidek <pjd@FreeBSD.ORG>, svn-src-all@FreeBSD.ORG, svn-src-head@FreeBSD.ORG, src-committers@FreeBSD.ORG, Konstantin Belousov <kostikbel@gmail.com>, Andrey Chernov <ache@FreeBSD.ORG>, markm@FreeBSD.ORG
Subject:   Re: svn commit: r238118 - head/lib/libc/gen
Message-ID:  <alpine.BSF.2.00.1207281123350.53430@fledge.watson.org>
In-Reply-To: <20120724123721.GA65519@zim.MIT.EDU>
References:  <201207041951.q64JpPXu029310@svn.freebsd.org> <20120704200220.GM2337@deviant.kiev.zoral.com.ua> <20120704203239.GA42326@vniz.net> <4FF4AC3D.9070109@FreeBSD.org> <20120724123721.GA65519@zim.MIT.EDU>

next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 24 Jul 2012, David Schultz wrote:

> On Wed, Jul 04, 2012, Doug Barton wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> On 07/04/2012 13:32, Andrey Chernov wrote:
>>> 1) /dev/urandom may not exist in jails/sandboxes
>>
>> That would be a pretty serious configuration error.
>
> Yes -- but the scary part is that arc4random() is not fail-safe at all.  If 
> /dev/random isn't there, you just silently get predictable "randomness". 
> If you needed that randomness for cryptographic purposes you're out of luck; 
> you might as well have used rot13.  Using the sysctl doesn't fix the failure 
> mode (in fact, as I recall the sysctl dubiously never reports failure even 
> if there is no entropy), but there's a narrower set of circumstances under 
> which the sysctl can fail.

Probably the most important thing for us to do is to make it clear which 
sources of randomness are appropriate for use in cryptography, and then 
propagate information to the downstream APIs as needed.  Given its chequered 
past, it's clear that srandomdev() on FreeBSD is not appropriate for use in 
generating keys -- programmers should prefer the OpenSSL APIs.  Currently, 
programmers are directed to arc4random(3) by random(3), but I'm actually not 
sure that is the right advice.  I'm of the (possibly debateable) view that no 
randomness initialisation routine that can't return a failure is appropriate 
for cryptographic purposes -- if generating a key and /dev/random can't be 
found, or only the kernel arc4random bits are available but they aren't known 
to be good for key generation, then key generation should fail.

Robert



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.BSF.2.00.1207281123350.53430>