From: Pawel Jakub Dawidek
To: Mark Murray
Cc: Arthur Mesh, Ian Lepore, Doug Barton, Ben Laurie, freebsd-security@freebsd.org, RW
Date: Mon, 17 Sep 2012 22:20:49 +0200
Subject: Re: Proposed fix; stage 1 (Was: svn commit: r239569 - head/etc/rc.d)
Message-ID: <20120917202049.GC1420@garage.freebsd.pl>

On Sun, Sep 16, 2012 at 05:21:21PM +0100, Mark Murray wrote:
> Hi
>
> Part 1 of the fix is enclosed; it involves drastically shortening the
> input into /dev/random (the "kickstart") at boot time. There are time
> implications that I'd like to hear any objections to.
>
> Part 1a is going to be tweaks to stashing entropy at restart
> (and possibly during normal running). Also fixes to zero-entropy
> first-startup.
>
> Part 2 will be a cheap shortening of files during reading so as not
> to clog up the harvest queue. The harvest queue will always be a bit
> intolerant of excess input via this route, so this should help a lot.
>
> Part 3 will be the addition of another choice of software PRNG;
> Fortuna. Fortuna is MUCH more resilient to attack, at the expense
> of using more kernel memory. For modern machines, this is scarcely
> noticeable, but it could be bad for embedded units.
>
> Tweaks along the way may include reverting to the original intent of
> starting the PRNG blocked, and only unblocking once reseeded.
>
> M
> --
> Mark R V Murray
> Pi: 132511160
>
> Index: initrandom
> ===================================================================
> --- initrandom	(revision 240384)
> +++ initrandom	(working copy)
> @@ -23,15 +23,12 @@
>  
>  better_than_nothing()
>  {
> -	# XXX temporary until we can improve the entropy
> -	# harvesting rate.
>  	# Entropy below is not great, but better than nothing.
>  	# This unblocks the generator at startup
>  	# Note: commands are ordered to cause the most variance across reboots.
> -	( kenv; dmesg; df -ib; ps -fauxww; date; sysctl -a ) \
> -		| dd of=/dev/random bs=8k 2>/dev/null
> -	/sbin/sha256 -q `sysctl -n kern.bootfile` \
> -		| dd of=/dev/random bs=8k 2>/dev/null
> +	for cmd in "kenv" "dmesg" "df -ib" "ps -fauxww" "date" "sysctl -ao" "netstat -arn" "fstat" ; do
> +		${cmd}| sha256 > /dev/random
> +	done

I'd much prefer to just use sha512 here and also add -b to sysctl.

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://tupytaj.pl
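Review bot: `${cmd}| sha256 > /dev/random` in the new loop writes the digest as sha256(1) prints it, a line of 64 hex characters, so each command now contributes one short, fixed-size write instead of its full output; that achieves the stated shortening, but the hex spelling is twice the size of the 32-byte digest it encodes, so if byte count into the harvester is the concern a binary digest would halve it again. Two further points on the same hunk: the `/sbin/sha256 -q \`sysctl -n kern.bootfile\`` contribution is dropped outright rather than folded into the loop, so the boot file no longer feeds the kickstart at all, which the description does not mention; and the old `2>/dev/null` disappears with the dd pipeline, so any command in the list that is absent or fails on a minimal install now prints its errors to the console during boot. Suggest `${cmd} 2>/dev/null | sha256 > /dev/random` and re-adding the bootfile hash as a loop entry if its removal was not intended.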
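To make the "shorten the kickstart" point concrete, here is the hash-then-write pattern from the quoted patch written as a stand-alone, testable function. This is an added example, not code from the FreeBSD tree or from either poster; it follows Pawel's preference for sha512, falls back to coreutils' sha512sum where FreeBSD's sha512(1) is absent, and writes to a caller-supplied file rather than /dev/random so it can be run offline. The command list and the byte accounting are constructed for illustration.

```shell
#!/bin/sh
# Added example (not FreeBSD rc.d code): the per-command "hash, then write"
# kickstart, parameterised on the target file so it can be exercised offline.
# Assumes sha512(1) (FreeBSD) or sha512sum(1) (coreutils) is on PATH.

# digest_stdin: print the hex SHA-512 of stdin with whichever tool exists.
# sha512 -q prints only the digest; sha512sum prints "digest  -", so cut it.
digest_stdin() {
    if command -v sha512 >/dev/null 2>&1; then
        sha512 -q
    else
        sha512sum | cut -d' ' -f1
    fi
}

# kickstart TARGET CMD...: run each command, hash its output, append the hex
# digest (plus newline) to TARGET. Errors from the commands are silenced, as
# the old dd pipeline's 2>/dev/null did. Prints "<raw bytes> <bytes written>"
# so the caller can see that the written size is fixed per command
# (129 bytes for a hex SHA-512 line) however large the raw output was.
kickstart() {
    target=$1
    shift
    raw=0
    written=0
    for cmd in "$@"; do
        # Run the command string as the loop in the patch does; output is
        # captured so its size can be reported alongside the digest size.
        out=$(sh -c "$cmd" 2>/dev/null)
        raw=$((raw + ${#out}))
        digest=$(printf '%s' "$out" | digest_stdin)
        printf '%s\n' "$digest" >> "$target"
        written=$((written + ${#digest} + 1))
    done
    echo "$raw $written"
}

# Constructed command list for a demonstration run; on a real system the
# target would be /dev/random and the list the one from the rc.d script.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    kickstart "$tmp" "date" "env" "printf 'x%.0s' 1 2 3"
    rm -f "$tmp"
fi
```

Run with `sh kickstart.sh --demo` to see the two numbers: the raw figure varies with the environment, the written figure is always 129 bytes per command. That fixed size is what bounds the amount of data the harvester has to absorb at boot; the hex digest is still twice the size of the underlying 64-byte hash, which is the trade-off behind Pawel's `-b` remark for sysctl and any thought of writing the digest in binary.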