Date: Thu, 6 Sep 2012 23:01:57 +0100
From: RW
To: obrien@freebsd.org
Cc: Mesh, Doug Barton, freebsd-rc@freebsd.org, freebsd-security@freebsd.org, Arthur
Subject: Re: svn commit: r239569 - head/etc/rc.d
Message-ID: <20120906230157.5307a21f@gumby.homeunix.com>
In-Reply-To: <20120906174247.GB13179@dragon.NUXI.org>

On Thu, 6 Sep 2012 10:42:47 -0700
David O'Brien wrote:

> On Wed, Sep 05, 2012 at 08:07:54AM +1000, Peter Jeremy wrote:
> > >What if, instead of replacing /entropy, we add an additional file
> > >in /var/db/entropy at boot time that is numerically 1 higher than
> > >$entropy_save_num ?
> > That sounds like a reasonable idea.
>
> I don't see what that adds or fixes.  It does not correct the
> possible reuse of seed material.

Reusing a secure entropy file is only a problem if the complete history of yarrow, from boot until some significant output, is exactly the same as on a previous boot.
Once something changes you get a completely different sequence of yarrow cipher-keys; a counter or writing out a new entropy file will both do this, but OTOH so will any difference in harvested entropy such as a sub-nanosecond difference in timing.
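
The argument above, shown with a toy model (an added example, not part of the original message and not FreeBSD's Yarrow code): the pool here is a plain SHA-256 hash chain standing in for Yarrow's reseed and key generation. The names `reseed`, `boot` and `diverged`, the seed bytes and the timing values are all constructed for illustration.

```python
import hashlib

# Constructed sample inputs: a saved entropy file and harvested timings (ns).
SEED_FILE = b"constructed contents of a saved /entropy file"
TIMINGS = [1346968922382000123, 1346968922382417990, 1346968922383001507]

def reseed(state, sample):
    """Fold one input into the pool state (simplified stand-in for a reseed)."""
    return hashlib.sha256(state + len(sample).to_bytes(4, "big") + sample).digest()

def boot(seed_file, harvested, boot_counter=None, n_keys=3):
    """Replay one boot: load the seed file, optionally mix in a counter,
    absorb harvested timings in order, then derive n_keys cipher keys."""
    state = reseed(b"\x00" * 32, seed_file)
    if boot_counter is not None:
        state = reseed(state, b"ctr" + boot_counter.to_bytes(8, "big"))
    for t in harvested:
        state = reseed(state, t.to_bytes(8, "big"))
    keys = []
    for i in range(n_keys):
        keys.append(hashlib.sha256(state + b"key" + i.to_bytes(4, "big")).hexdigest())
    return keys

def diverged(a, b):
    """True when two boots share no derived key at all."""
    return not set(a) & set(b)

if __name__ == "__main__":
    base = boot(SEED_FILE, TIMINGS)
    # Identical seed file and identical history: the key sequence repeats.
    print("exact replay repeats keys:", base == boot(SEED_FILE, TIMINGS))
    # Same seed file, but a boot counter that changed between boots.
    print("counter diverges:",
          diverged(boot(SEED_FILE, TIMINGS, 1), boot(SEED_FILE, TIMINGS, 2)))
    # Same seed file, no counter, one harvested timing off by a single ns.
    jitter = [TIMINGS[0], TIMINGS[1] + 1, TIMINGS[2]]
    print("1 ns timing change diverges:", diverged(base, boot(SEED_FILE, jitter)))
    # A freshly written entropy file has the same effect.
    print("new seed file diverges:",
          diverged(base, boot(SEED_FILE + b"\x01", TIMINGS)))
```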