From owner-svn-src-all@FreeBSD.ORG Wed Aug 22 18:43:22 2012 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 077C2106564A; Wed, 22 Aug 2012 18:43:22 +0000 (UTC) (envelope-from obrien@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id CD87E8FC0C; Wed, 22 Aug 2012 18:43:21 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id q7MIhLx1077953; Wed, 22 Aug 2012 18:43:21 GMT (envelope-from obrien@svn.freebsd.org) Received: (from obrien@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id q7MIhLU4077951; Wed, 22 Aug 2012 18:43:21 GMT (envelope-from obrien@svn.freebsd.org) Message-Id: <201208221843.q7MIhLU4077951@svn.freebsd.org> From: "David E. O'Brien" Date: Wed, 22 Aug 2012 18:43:21 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r239569 - head/etc/rc.d X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Aug 2012 18:43:22 -0000 Author: obrien Date: Wed Aug 22 18:43:21 2012 New Revision: 239569 URL: http://svn.freebsd.org/changeset/base/239569 Log: Remove old entropy seeding after consumption initializing /dev/random PRNG. Not doing so opens us up to replay attacks. Submitted by: Arthur Mesh Sponsored by: Juniper Networks Added: head/etc/rc.d/postrandom (contents, props changed) Modified: head/etc/rc.d/random Added: head/etc/rc.d/postrandom ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/etc/rc.d/postrandom Wed Aug 22 18:43:21 2012 (r239569) @@ -0,0 +1,41 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# PROVIDE: postrandom +# REQUIRE: initrandom random var +# BEFORE: LOGIN +# KEYWORD: nojail + +. /etc/rc.subr + +name="postrandom" +start_cmd="${name}_start" +stop_cmd=":" + +# This will remove old ${entropy_file} and generate a new one. +# According to Bruce Schneier, this is stronly recomended in order +# to avoid using same ${entropy_file} across reboots. +# Reference: Chapter 10.6, Practical Cryptograpy, ISBN: 0-471-22357-3 + +postrandom_start() +{ + /etc/rc.d/random fastsaveseed + + case ${entropy_dir} in + [Nn][Oo]) + ;; + *) + entropy_dir=${entropy_dir:-/var/db/entropy} + if [ -d "${entropy_dir}" ]; then + if [ -w /dev/random ]; then + rm -f ${entropy_dir}/* + fi + fi + ;; + esac +} + +load_rc_config random +run_rc_command "$1" Modified: head/etc/rc.d/random ============================================================================== --- head/etc/rc.d/random Wed Aug 22 18:35:17 2012 (r239568) +++ head/etc/rc.d/random Wed Aug 22 18:43:21 2012 (r239569) @@ -4,7 +4,7 @@ # # PROVIDE: random -# REQUIRE: var initrandom +# REQUIRE: initrandom var # BEFORE: netif # KEYWORD: nojail shutdown @@ -14,6 +14,9 @@ name="random" start_cmd="random_start" stop_cmd="random_stop" +extra_commands="saveseed" +saveseed_cmd="${name}_stop" + feed_dev_random() { if [ -f "${1}" -a -r "${1}" -a -s "${1}" ]; then