From: Robert Watson
To: David Schultz
Cc: Doug Barton, Pawel Jakub Dawidek, svn-src-all@FreeBSD.ORG, svn-src-head@FreeBSD.ORG, src-committers@FreeBSD.ORG, Konstantin Belousov, Andrey Chernov, markm@FreeBSD.ORG
Date: Sat, 28 Jul 2012 11:26:08 +0100 (BST)
Subject: Re: svn commit: r238118 - head/lib/libc/gen
In-Reply-To: <20120724123721.GA65519@zim.MIT.EDU>

On Tue, 24 Jul 2012, David Schultz wrote:

> On Wed, Jul 04, 2012, Doug Barton wrote:
>> On 07/04/2012 13:32, Andrey Chernov wrote:
>>> 1) /dev/urandom may not exist in jails/sandboxes
>>
>> That would be a pretty serious configuration error.
>
> Yes -- but the scary part is that arc4random() is not fail-safe at all. If
> /dev/random isn't there, you just silently get predictable "randomness".
> If you needed that randomness for cryptographic purposes you're out of luck;
> you might as well have used rot13. Using the sysctl doesn't fix the failure
> mode (in fact, as I recall the sysctl dubiously never reports failure even
> if there is no entropy), but there's a narrower set of circumstances under
> which the sysctl can fail.

Probably the most important thing for us to do is to make it clear which sources of randomness are appropriate for use in cryptography, and then propagate information to the downstream APIs as needed. Given its chequered past, it's clear that srandomdev() on FreeBSD is not appropriate for use in generating keys -- programmers should prefer the OpenSSL APIs. Currently, programmers are directed to arc4random(3) by random(3), but I'm actually not sure that is the right advice.

I'm of the (possibly debatable) view that no randomness initialisation routine that can't return a failure is appropriate for cryptographic purposes -- if generating a key and /dev/random can't be found, or only the kernel arc4random bits are available but they aren't known to be good for key generation, then key generation should fail.

Robert
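The fail-closed behaviour Robert argues for, shown as an added C example that is not FreeBSD libc code or anything posted in this thread. The function names, the choice of device path, and the rule that the caller aborts key generation on -1 are assumptions of the example.

```c
/* Added example of the fail-closed behaviour argued for above.  Not FreeBSD
 * libc code; function names and the caller's abort policy are assumptions. */
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/* Read exactly len bytes from fd: 0 on success, -1 on error or premature
 * EOF.  A short read is never reported as success. */
int read_exact(int fd, unsigned char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (n == 0) {           /* source exhausted: do not pad or guess */
            errno = EIO;
            return -1;
        }
        got += (size_t)n;
    }
    return 0;
}

/* Fill buf with len bytes from the named entropy device.  Returns 0 only if
 * the device opened and delivered every byte; otherwise -1 with errno set
 * and buf zeroed.  There is deliberately no fallback seed: a caller that is
 * generating a key must abort on -1 rather than continue. */
int get_key_material(const char *dev, unsigned char *buf, size_t len)
{
    int fd = open(dev, O_RDONLY);
    if (fd < 0)
        return -1;
    int rc = read_exact(fd, buf, len);
    int saved = errno;
    close(fd);
    if (rc != 0)
        memset(buf, 0, len);    /* never hand back a half-filled buffer */
    errno = saved;
    return rc;
}
```

A key-generation caller passes the device its platform designates for key material (e.g. "/dev/random") and treats -1 as fatal, which is the opposite of the silent fallback the quoted message describes.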