From: Peter Jeremy
Date: Thu, 6 Sep 2012 07:27:34 +1000
To: freebsd-security@freebsd.org
Subject: Re: svn commit: r239598 - head/etc/rc.d
Message-ID: <20120905212734.GE2654@aspire.rulingia.com>
In-Reply-To: <20120905021248.5a17ace9@gumby.homeunix.com>

On 2012-Sep-05 02:12:48 +0100, RW wrote:
>All of the low-grade entropy should go through sha256.

Overall, I like the idea of feeding the high-volume mixed quality
"entropy" through SHA-256 or similar.

>Anything written into /dev/random is passed by random_yarrow_write() 16
>Bytes at time into random_harvest_internal() which copies it into a
>buffer and queues it up. If there are 256 buffers queued
>random_harvest_internal() simply returns without doing anything.

This would seem to open up a denial-of-entropy attack on random(4):
All entropy sources feed into Yarrow via random_harvest_internal()
which queues the input into a single queue - harvestfifo.  When this
queue is full, further input is discarded.  If I run
"dd if=/dev/zero of=/dev/random" then harvestfifo will be kept full of
NULs, resulting in other entropy events (particularly from within the
kernel) being discarded.  There would still be a small amount of
entropy from the get_cyclecount() calls but this is minimal.

Is it worth splitting harvestfifo into multiple queues to prevent
this?  At least a separate queue for RANDOM_WRITE and potentially
separate queues for each entropy source.

-- 
Peter Jeremy
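
The queueing behaviour discussed in the message, as a toy model added here for illustration (not FreeBSD kernel code and not code from the thread): one 256-entry queue shared by all sources is compared with one queue per source. The source labels, event rates, drain interval and the order in which sources run within a tick are all assumptions.

```c
/* Toy model of a bounded harvest queue; NOT FreeBSD kernel code.
 * Source labels and all rates are constructed for illustration. */
#include <stdio.h>

#define QCAP     256   /* queue depth quoted in the message */
#define NSOURCES 4
enum { SRC_WRITE, SRC_INTERRUPT, SRC_NET, SRC_KEYBOARD }; /* hypothetical labels */

struct stats { long accepted[NSOURCES], dropped[NSOURCES]; };

/* Offer n events from src to a queue whose current depth is *depth. */
static void offer(int *depth, int src, int n, struct stats *st)
{
    int room = QCAP - *depth;
    int take = n < room ? n : room;   /* anything beyond the cap is discarded */
    *depth += take;
    st->accepted[src] += take;
    st->dropped[src]  += n - take;
}

/* Simulate `ticks` ticks. Each tick the writer offers `flood` events, then
 * every other source offers one. The consumer empties all queues every
 * `drain_every` ticks. split != 0 gives each source its own queue. */
struct stats simulate(int split, int ticks, int flood, int drain_every)
{
    struct stats st = {{0}, {0}};
    int depth[NSOURCES] = {0};
    for (int t = 1; t <= ticks; t++) {
        for (int s = 0; s < NSOURCES; s++)
            offer(&depth[split ? s : 0], s, s == SRC_WRITE ? flood : 1, &st);
        if (t % drain_every == 0)
            for (int s = 0; s < NSOURCES; s++)
                depth[s] = 0;
    }
    return st;
}

int main(void)
{
    for (int split = 0; split <= 1; split++) {
        struct stats st = simulate(split, 1000, 64, 10);
        printf("%s queue(s):\n", split ? "per-source" : "single shared");
        for (int s = 0; s < NSOURCES; s++)
            printf("  source %d: accepted %ld, dropped %ld\n",
                   s, st.accepted[s], st.dropped[s]);
    }
    return 0;
}
```

With these constructed rates the shared queue accepts 300 of the 1000 events offered by each non-writer source, while per-source queues accept all 1000 and confine the drops to the writer's own queue.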