Date: Thu, 24 Dec 2009 20:41:21 +0300
From: Paul Graphov <graphov@gmail.com>
To: secteam@freebsd.org
Cc: freebsd-hackers@freebsd.org
Subject: Re: yarrow random generator
Message-ID: <5a5b03660912240941r6b76a839u819a8a1408816386@mail.gmail.com>
In-Reply-To: <4B339F27.6020707@freebsd.org>
References: <5a5b03660912240445x7df1498dt42e29d93105efebc@mail.gmail.com> <oCmohG1K70vWpt/39IVPMdciTgk@DNdB9ElzNmEFYWRqT2UTVtuts%2BE> <4B339F27.6020707@freebsd.org>
Don't these lines (random_yarrow_init function) make it available to set "seeded" to zero?

    SYSCTL_ADD_PROC(&random_clist,
        SYSCTL_CHILDREN(random_sys_o),
        OID_AUTO, "seeded", CTLTYPE_INT | CTLFLAG_RW,
        &random_systat.seeded, 1, random_check_boolean, "I",
        "Seeded State");

And also according to Schneier it is a good idea to save state of the PRNG and restore it on boot to make it "more seeded".

2009/12/24 Colin Percival <cperciva@freebsd.org>
> Hi all,
>
> Looks like there's a bug here, but it doesn't matter since this is dead
> code: .seeded is initialized to 1 and never modified, so we will never
> call into random_yarrow_block.
>
> IIRC this is because there are some places which ask for entropy before
> yarrow is seeded but don't actually need *cryptographic* entropy.
>
> > Thu, Dec 24, 2009 at 03:45:15PM +0300, Paul Graphov wrote:
> >> I've looked at FreeBSD 8.0 cryptographically secure pseudorandom
> >> numbers generator and have a question. It looks like a bug but I'm
> >> not sure.
> >>
> >> In file sys/dev/randomdev.c, function random_read:
> >>
> >>     if (!random_systat.seeded)
> >>         error = (*random_systat.block)(flag);
> >>
> >> It blocks until PRNG is seeded. For software random generator implementation
> >> block method looks as follows, sys/dev/randomdev_soft.c:
> >>
> >> random_yarrow_block(int flag)
> >> {
> >>     int error = 0;
> >>
> >>     mtx_lock(&random_reseed_mtx);
> >>
> >>     /* Blocking logic */
> >>     while (random_systat.seeded && !error) {
> >>         if (flag & O_NONBLOCK)
> >>             error = EWOULDBLOCK;
> >>         else {
> >>             printf("Entropy device is blocking.\n");
> >>             error = msleep(&random_systat,
> >>                 &random_reseed_mtx,
> >>                 PUSER | PCATCH, "block", 0);
> >>         }
> >>     }
> >>     mtx_unlock(&random_reseed_mtx);
> >>
> >>     return error;
> >> }
> >>
> >> It seems that random_systat.seeded in "while" condition should be negated.
> >> Or it will never block actually, or block erroneously until next reseed
> >> (under very rare conditions)
>
> --
> Colin Percival
> Security Officer, FreeBSD | freebsd.org | The power to serve
> Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
>
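The two behaviours the thread argues about (a reader that never blocks on an unseeded PRNG versus one that blocks although the PRNG is already seeded) can be reproduced outside the kernel with a small user-space model. The block below is an added illustration, not FreeBSD's code: the `model_*` names, the `struct model_systat` layout, the `reseed_pending` knob and the assumption that the sysctl's boolean check accepts only 0 or 1 are all constructed for the example. `model_msleep` stands in for `msleep(..., PUSER | PCATCH, "block", 0)`: a sleeper is woken either by a reseed or, failing that, by a signal (returned as `EINTR`), so the model can never spin forever. `block_as_posted` is the loop exactly as quoted; `block_negated` is the loop with the predicate negated as the thread suggests.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>

/*
 * Constructed user-space model of the seeded/block interplay discussed in
 * the thread (random_read -> random_systat.block). Added illustration only;
 * nothing here is FreeBSD's code. Names prefixed "model_" are invented.
 */

#ifndef EWOULDBLOCK
#define EWOULDBLOCK EAGAIN
#endif

struct model_systat {
    int seeded;         /* 1 once the PRNG has been seeded */
    int reseed_pending; /* constructed knob: the next wakeup is a reseed */
    int sleeps;         /* how many times the reader went to sleep */
};

/* Stand-in for msleep(): woken by a reseed (seeded becomes 1) or else by a
 * signal, modelled as EINTR so the loop cannot spin forever here. */
static int model_msleep(struct model_systat *st)
{
    st->sleeps++;
    if (st->reseed_pending) {
        st->reseed_pending = 0;
        st->seeded = 1;
        return 0;
    }
    return EINTR;
}

/* The loop exactly as quoted in the thread: sleeps while seeded. */
static int block_as_posted(struct model_systat *st, int flag)
{
    int error = 0;

    while (st->seeded && !error) {
        if (flag & O_NONBLOCK)
            error = EWOULDBLOCK;
        else
            error = model_msleep(st);
    }
    return error;
}

/* The same loop with the predicate negated, as the thread suggests. */
static int block_negated(struct model_systat *st, int flag)
{
    int error = 0;

    while (!st->seeded && !error) {
        if (flag & O_NONBLOCK)
            error = EWOULDBLOCK;
        else
            error = model_msleep(st);
    }
    return error;
}

/* Mirrors the random_read check: the block method is consulted only when
 * unseeded. *served_unseeded reports whether the caller would have been
 * handed output from a PRNG that was still unseeded. */
static int model_read(struct model_systat *st, int flag,
                      int (*block)(struct model_systat *, int),
                      int *served_unseeded)
{
    int error = 0;

    if (!st->seeded)
        error = block(st, flag);
    *served_unseeded = (error == 0 && !st->seeded);
    return error;
}

/* Model of the read/write "seeded" sysctl. The boolean check is assumed to
 * accept only 0 or 1; writing 0 makes the block path reachable on the next
 * read, which is the point raised at the top of the reply. */
static int model_sysctl_seeded(struct model_systat *st, int newval)
{
    if (newval != 0 && newval != 1)
        return EINVAL;
    st->seeded = newval;
    return 0;
}

int main(void)
{
    struct model_systat st = { 0, 1, 0 };
    int served, error;

    error = model_read(&st, 0, block_as_posted, &served);
    printf("as posted:  error=%d sleeps=%d served_unseeded=%d\n",
           error, st.sleeps, served);

    st = (struct model_systat){ 0, 1, 0 };
    error = model_read(&st, 0, block_negated, &served);
    printf("negated:    error=%d sleeps=%d served_unseeded=%d\n",
           error, st.sleeps, served);
    return 0;
}
```

With the loop as posted, an unseeded read returns at once and `served_unseeded` is set, i.e. the caller gets output before any seeding. Calling `block_as_posted` directly on an already seeded state (the rare window between the `random_read` check and taking the reseed lock) sleeps across the next reseed and only returns when the simulated signal interrupts it. With the negated predicate the unseeded reader sleeps exactly once, until the reseed, and `O_NONBLOCK` yields `EWOULDBLOCK` without sleeping.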