Date: Wed, 12 Sep 2012 10:45:47 +0100
From: RW <rwmaillists@googlemail.com>
To: obrien@freebsd.org
Cc: Arthur Mesh <arthurmesh@gmail.com>, Ian Lepore <freebsd@damnhippie.dyndns.org>, Doug Barton <dougb@FreeBSD.org>, freebsd-rc@freebsd.org, Xin Li <delphij@delphij.net>, freebsd-security@freebsd.org
Subject: Re: svn commit: r239569 - head/etc/rc.d
Message-ID: <20120912104547.1d0061c1@gumby.homeunix.com>
In-Reply-To: <20120911082309.GD72584@dragon.NUXI.org>
References: <50453686.9090100@FreeBSD.org> <20120904220754.GA3643@server.rulingia.com> <20120906174247.GB13179@dragon.NUXI.org> <20120906230157.5307a21f@gumby.homeunix.com> <20120906224703.GD89120@x96.org> <20120907015157.GA29497@server.rulingia.com> <20120910135218.GA68128@dragon.NUXI.org> <504E343A.4020802@FreeBSD.org> <20120911064636.GB72584@dragon.NUXI.org> <504EE446.6060500@FreeBSD.org> <20120911082309.GD72584@dragon.NUXI.org>
On Tue, 11 Sep 2012 01:23:09 -0700
David O'Brien wrote:

> > On 09/10/2012 23:46, David O'Brien wrote:
> > > In what way did I suggest we don't need to seed the PRNG?
> > > I simply removed an outdated and incorrect statement.
> >
> > Yes, the comment as it stood was out of date. I'm not sure that
> > removing it (rather than rephrasing it) was the right call.
>
> Doug you're a FreeBSD committer, you know how to use an editor and
> 'svn diff'. Where is your patch suggesting a rephrase?
>
> > > In fact writing into /dev/random CANNOT "seeded" yarrow.
> > > All /dev/random input is untrusted and is assumed to have _0_
> > > entropy:
> > >
> > > void
> > > random_yarrow_write(void *buf, int count)
> > > {
> > >     ...
> > >     random_harvest_internal(get_cyclecount(), (char *)buf + i,
> > >         chunk, 0, 0, RANDOM_WRITE);
> >
> > You're taking that out of context. The 0 there is just an estimate,
> > but it's added to the tailq anyway.
>
> Yes the input written to /dev/random is put into the generator
> (provided you have the seed buffer space).
>
> The "0, 0" is the 'bits' and 'frac' argument to
> random_harvest_internal(), which become 'event->bits' and
> 'event->frac'. Follow the code from there and point out how I am
> wrong.

It doesn't make any difference. When root closes the device a forced
slow reseed is done (after the yarrow thread completes feeding the
data into yarrow). Since this is unconditional and clears the entropy
accounting, the entropy estimate is irrelevant to rc.d/, which runs as
root.

The entropy estimated at zero bits is so that an *unprivileged* user
can't feed in his own input, corrupt the entropy estimation and
perform a state-extension attack.

On Tue, 11 Sep 2012 00:12:06 -0700
Doug Barton wrote:

> I'm also tired of repeating why writing out a new /entropy file at
> boot time makes the system weaker, not stronger.

That's not really true.

The entropy file contains up to 256 bits of entropy; if yarrow is
correctly seeded with that, then that entropy will be in the 256-bit
key, which will produce a new file that also contains that entropy.
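The following is an added illustration, not code from this thread and not FreeBSD's yarrow implementation. It is a toy Python model of the two accounting rules RW relies on: data written to /dev/random is queued with an entropy estimate of 0 (the `0, 0` arguments in the quoted `random_yarrow_write()`), and a privileged close forces a reseed that clears the accounting. The reseed threshold, the buffer limit, the SHA-256 mixing and the counter-based output function are all constructed for the model and are not FreeBSD's values.

```python
import hashlib

# Constructed parameters for the toy model; FreeBSD's real sizes and thresholds differ.
RESEED_THRESHOLD_BITS = 256   # credited bits that trigger an automatic reseed
POOL_LIMIT_BYTES = 4096       # "seed buffer space": harvested bytes beyond this are dropped


class YarrowAccountingModel:
    """Toy model of the entropy-accounting policy discussed in the thread.

    Not FreeBSD's code. It reproduces only the two rules the message relies on:
      * every /dev/random write is harvested with an entropy estimate of 0,
      * a privileged (root) close forces a reseed that clears the accounting.
    """

    def __init__(self, boot_seed: bytes):
        self.key = hashlib.sha256(boot_seed).digest()   # 256-bit generator key
        self.pool = bytearray()                          # harvested, not yet mixed, bytes
        self.estimated_bits = 0                          # entropy credited to the pool
        self.reseeds = 0
        self.counter = 0

    def harvest(self, data: bytes, bits: int) -> None:
        # Queue the data (bounded by buffer space) and credit the caller's estimate.
        room = POOL_LIMIT_BYTES - len(self.pool)
        self.pool += data[:max(room, 0)]
        self.estimated_bits += bits
        if self.estimated_bits >= RESEED_THRESHOLD_BITS:
            self.reseed()

    def reseed(self) -> None:
        # Mix everything harvested so far into the key, then clear the accounting.
        self.key = hashlib.sha256(self.key + bytes(self.pool)).digest()
        self.pool = bytearray()
        self.estimated_bits = 0
        self.reseeds += 1

    def write(self, data: bytes) -> None:
        # Mirrors the quoted random_yarrow_write(): data is queued, credited 0 bits.
        self.harvest(data, 0)

    def close(self, privileged: bool) -> None:
        # RW's point: a root close forces a slow reseed regardless of the estimate.
        if privileged:
            self.reseed()

    def generate(self, nbytes: int) -> bytes:
        # Simplified output function (model only): hash of key and a counter.
        out = bytearray()
        while len(out) < nbytes:
            out += hashlib.sha256(self.key + self.counter.to_bytes(8, "big")).digest()
            self.counter += 1
        return bytes(out[:nbytes])


def unprivileged_writes_never_reseed(writes: int = 1024) -> bool:
    """Writer-chosen data from an unprivileged process is queued but never
    credited, so it cannot trigger a reseed or move the key on close."""
    m = YarrowAccountingModel(b"constructed boot seed")
    key_before = m.key
    for i in range(writes):
        m.write(bytes([i % 256]) * 64)
    m.close(privileged=False)
    return m.reseeds == 0 and m.key == key_before and m.estimated_bits == 0


def root_seeding(entropy_file: bytes):
    """rc.d-style seeding: root writes the saved entropy file, then closes.
    Returns (reseed count, key after the reseed, the newly generated file)."""
    m = YarrowAccountingModel(b"constructed boot seed")
    m.write(entropy_file)
    m.close(privileged=True)
    return m.reseeds, m.key, m.generate(len(entropy_file))


if __name__ == "__main__":
    print("unprivileged writes reseed:", not unprivileged_writes_never_reseed())
    reseeds, key, new_file = root_seeding(b"\x42" * 32)
    print("root seeding reseeds:", reseeds, "new file:", new_file.hex())
```

The model separates the two things the thread conflates: the estimate gates only the automatic reseed, which is why an unprivileged writer's zero-credited input can never force one; root's close bypasses that gate, so the contents of the entropy file are mixed into the key whatever the estimate says, and a file generated from that key afterwards depends on the file that was written.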