From owner-svn-src-head@FreeBSD.ORG Wed Jul 31 17:46:18 2013 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 66227FB7; Wed, 31 Jul 2013 17:46:18 +0000 (UTC) (envelope-from obrien@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 4E2E22F8D; Wed, 31 Jul 2013 17:46:18 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.7/8.14.7) with ESMTP id r6VHkIpr041341; Wed, 31 Jul 2013 17:46:18 GMT (envelope-from obrien@freefall.freebsd.org) Received: (from obrien@localhost) by freefall.freebsd.org (8.14.7/8.14.7/Submit) id r6VHkIaT041338; Wed, 31 Jul 2013 17:46:18 GMT (envelope-from obrien) Date: Wed, 31 Jul 2013 10:46:14 -0700 From: "David O'Brien" To: Andrey Chernov Subject: Re: svn commit: r253786 - in head/sys: dev/random modules/padlock_rng modules/rdrand_rng modules/yarrow_rng Message-ID: <20130731174614.GA76782@dragon.NUXI.org> References: <201307292058.r6TKwA56031193@svn.freebsd.org> <51F6E0AB.3010001@freebsd.org> <20130731000746.GA65806@dragon.NUXI.org> <51F86F53.9020600@freebsd.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <51F86F53.9020600@freebsd.org> X-Operating-System: FreeBSD 10.0-CURRENT X-MUA-Host: dragon.NUXI.org X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger? User-Agent: Mutt/1.5.20 (2009-06-14) Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: obrien@freebsd.org List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 31 Jul 2013 17:46:18 -0000 On Wed, Jul 31, 2013 at 05:58:43AM +0400, Andrey Chernov wrote: > On 31.07.2013 4:07, David O'Brien wrote: > > I believe you're talking about this code in > > sys/libkern/arc4random.c:arc4rand() > > > > if (atomic_cmpset_int(&arc4rand_iniseed_state, ARC4_ENTR_HAVE, > > ARC4_ENTR_SEED) || reseed || > > (arc4_numruns > ARC4_RESEED_BYTES) || > > (tv.tv_sec > arc4_t_reseed)) > > arc4_randomstir(); > > > > Without setting 'arc4rand_iniseed_state' from ARC4_ENTR_NONE -> > > ARC4_ENTR_HAVE, we would still call arc4_randomstir() periodically due > > to (tv.tv_sec > arc4_t_reseed) and (arc4_numruns > ARC4_RESEED_BYTES). > > The whole problem is that arc4 is poorly initialized right after boot, > but immediately used in many places like tcp. It reseeds again only > after 5 minutes after boot making vulnerability window at this interval. I realize the motivation for your r249631 change. But as it relates to the change I committed, there is no change in behavior in this. If one is using a hardware RNG, yarrow is not initialized and so the ARC4_ENTR_NONE -> ARC4_ENTR_HAVE transition does not happen. -- -- David (obrien@FreeBSD.org)