From owner-freebsd-security@FreeBSD.ORG Thu Sep 6 17:27:52 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 664) id 5F9E1106566B; Thu, 6 Sep 2012 17:27:52 +0000 (UTC) Date: Thu, 6 Sep 2012 10:27:51 -0700 From: David O'Brien To: RW Message-ID: <20120906172751.GD14757@dragon.NUXI.org> References: <201208221843.q7MIhLU4077951@svn.freebsd.org> <5043DBAF.40506@FreeBSD.org> <20120903005708.7082f230@gumby.homeunix.com> <20120903013120.262a34fc@gumby.homeunix.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20120903013120.262a34fc@gumby.homeunix.com> X-Operating-System: FreeBSD 10.0-CURRENT X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger? User-Agent: Mutt/1.5.20 (2009-06-14) Cc: freebsd-security@freebsd.org Subject: Re: svn commit: r239569 - head/etc/rc.d X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: obrien@freebsd.org List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Sep 2012 17:27:52 -0000 On Mon, Sep 03, 2012 at 01:31:20AM +0100, RW wrote: > I see that in CURRENT the order is reversed, but it's still repeating > the same problem of saturating the buffers. Now most of of the > low-grade entropy is going to be lost include the date, which in almost > all cases would have eliminated any problem with a reused entropy file. Given the limited buffer space we have, I'm not sure what else we could do. Artifically delay the better_than_nothing()? That seems too fragile and hackish. Arthur wanted to commit this: --- initrandom 2012-09-05 13:38:13.000000000 -0700 +++ initrandom,amesh 2012-08-22 16:54:03.000000000 -0700 @@ -18,6 +18,8 @@ feed_dev_random() { if [ -f "${1}" -a -r "${1}" -a -s "${1}" ]; then cat "${1}" | dd of=/dev/random bs=8k 2>/dev/null + else + return 1 fi } @@ -72,16 +69,16 @@ initrandom_start() # case ${entropy_file} in [Nn][Oo] | '') + better_than_nothing ;; *) if [ -w /dev/random ]; then - feed_dev_random "${entropy_file}" + feed_dev_random "${entropy_file}" \ + || better_than_nothing fi ;; esac - better_than_nothing - echo -n ' kickstart' fi to reduce what could be the useless better_than_nothing() run. -- -- David (obrien@FreeBSD.org)