From owner-svn-src-projects@FreeBSD.ORG Sun Nov 10 16:35:01 2013 Return-Path: Delivered-To: svn-src-projects@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id E6D8BD91; Sun, 10 Nov 2013 16:35:01 +0000 (UTC) (envelope-from markm@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id C538523C8; Sun, 10 Nov 2013 16:35:01 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id rAAGZ14v045266; Sun, 10 Nov 2013 16:35:01 GMT (envelope-from markm@svn.freebsd.org) Received: (from markm@localhost) by svn.freebsd.org (8.14.7/8.14.5/Submit) id rAAGZ17K045257; Sun, 10 Nov 2013 16:35:01 GMT (envelope-from markm@svn.freebsd.org) Message-Id: <201311101635.rAAGZ17K045257@svn.freebsd.org> From: Mark Murray Date: Sun, 10 Nov 2013 16:35:01 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r257919 - in projects/random_number_generator: etc/rc.d libexec/save-entropy X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 10 Nov 2013 16:35:02 -0000 Author: markm Date: Sun Nov 10 16:35:00 2013 New Revision: 257919 URL: http://svnweb.freebsd.org/changeset/base/257919 Log: Fix up the random(4) startup scripts and runtime entropy caching. Modified: projects/random_number_generator/etc/rc.d/postrandom projects/random_number_generator/etc/rc.d/random projects/random_number_generator/libexec/save-entropy/save-entropy.sh Modified: projects/random_number_generator/etc/rc.d/postrandom ============================================================================== --- projects/random_number_generator/etc/rc.d/postrandom Sun Nov 10 16:33:14 2013 (r257918) +++ projects/random_number_generator/etc/rc.d/postrandom Sun Nov 10 16:35:00 2013 (r257919) @@ -14,25 +14,27 @@ name="postrandom" start_cmd="${name}_start" stop_cmd=":" -# This will remove old ${entropy_file} and generate a new one. +# This will remove old entropy file. # According to Bruce Schneier, this is strongly recommended in order # to avoid using same ${entropy_file} across reboots. # Reference: Chapter 10.6, Practical Cryptography, ISBN: 0-471-22357-3 postrandom_start() { - /etc/rc.d/random fastsaveseed - case ${entropy_dir} in [Nn][Oo]) ;; *) entropy_dir=${entropy_dir:-/var/db/entropy} if [ -d "${entropy_dir}" ]; then - if [ -w /dev/random ]; then - rm -f ${entropy_dir}/* - fi + rm -f ${entropy_dir}/* + fi + boot_dir=${boot_dir:-/boot} + if [ -d "${boot_dir}" ]; then + rm -f ${boot_dir}/entropy fi + rm -f /entropy + rm -f /var/db/entropy-file ;; esac } Modified: projects/random_number_generator/etc/rc.d/random ============================================================================== --- projects/random_number_generator/etc/rc.d/random Sun Nov 10 16:33:14 2013 (r257918) +++ projects/random_number_generator/etc/rc.d/random Sun Nov 10 16:35:00 2013 (r257919) @@ -17,75 +17,90 @@ stop_cmd="random_stop" extra_commands="saveseed" saveseed_cmd="${name}_stop" -random_start() +random_harvest() { - echo -n 'Entropy harvesting:' - - if checkyesno harvest_interrupt; then - ${SYSCTL} kern.random.sys.harvest.interrupt=1 >/dev/null - echo -n ' interrupts' - else - ${SYSCTL} kern.random.sys.harvest.interrupt=0 >/dev/null - fi - - if checkyesno harvest_ethernet; then - ${SYSCTL} kern.random.sys.harvest.ethernet=1 >/dev/null - echo -n ' ethernet' - else - ${SYSCTL} kern.random.sys.harvest.ethernet=0 >/dev/null - fi - - if checkyesno harvest_p_to_p; then - ${SYSCTL} kern.random.sys.harvest.point_to_point=1 >/dev/null - echo -n ' point_to_point' - else - ${SYSCTL} kern.random.sys.harvest.point_to_point=0 >/dev/null - fi - - if checkyesno harvest_swi; then - ${SYSCTL} kern.random.sys.harvest.swi=1 >/dev/null - echo -n ' swi' + tag=$1 + source=$2 + if checkyesno ${tag} ; then + setting=1 else - ${SYSCTL} kern.random.sys.harvest.swi=0 >/dev/null + setting=0 fi + oldsetting=`${SYSCTL_N} -i kern.random.sys.harvest.${source}` + case ${oldsetting} in + 0 | 1) + if [ ${oldsetting} != ${setting} ] ; then + ${SYSCTL} kern.random.sys.harvest.${source}=${setting} >/dev/null + fi + if [ ${setting} = 1 ] ; then + echo -n " ${source}" + fi + ;; + *) + ;; + esac +} - echo '.' +random_start() +{ + randomadaptor=`${SYSCTL_N} -i kern.random.active_adaptor` + case ${randomadaptor} in + dummy | '') + ;; + *) + echo -n 'Entropy harvesting:' + random_harvest 'harvest_interrupt' 'interrupt' + random_harvest 'harvest_ethernet' 'ethernet' + random_harvest 'harvest_p_to_p' 'point_to_point' + random_harvest 'harvest_swi' 'swi' + echo '.' + ;; + esac } random_stop() { - # Write some entropy so when the machine reboots /dev/random - # can be reseeded - # - case ${entropy_file} in - [Nn][Oo] | '') + randomadaptor=`${SYSCTL_N} -i kern.random.active_adaptor` + case ${randomadaptor} in + dummy | '') + warn 'entropy device not present; entropy not cached' ;; *) - echo -n 'Writing entropy file:' - rm -f ${entropy_file} 2> /dev/null - oumask=`umask` - umask 077 - if touch ${entropy_file} 2> /dev/null; then - entropy_file_confirmed="${entropy_file}" - else - # Try this as a reasonable alternative for read-only - # roots, diskless workstations, etc. - rm -f /var/db/entropy-file 2> /dev/null - if touch /var/db/entropy-file 2> /dev/null; then - entropy_file_confirmed=/var/db/entropy-file - fi - fi - case ${entropy_file_confirmed} in - '') - warn 'write failed (read-only fs?)' + # Write some entropy so when the machine reboots /dev/random + # can be reseeded + # + case ${entropy_file} in + [Nn][Oo] | '') ;; *) - dd if=/dev/random of=${entropy_file_confirmed} \ - bs=4096 count=1 2> /dev/null + echo -n 'Writing entropy file:' + rm -f ${entropy_file} 2> /dev/null + oumask=`umask` + umask 077 + if touch ${entropy_file} 2> /dev/null; then + entropy_file_confirmed="${entropy_file}" + else + # Try this as a reasonable alternative for read-only + # roots, diskless workstations, etc. + rm -f /var/db/entropy-file 2> /dev/null + if touch /var/db/entropy-file 2> /dev/null; then + entropy_file_confirmed=/var/db/entropy-file + fi + fi + case ${entropy_file_confirmed} in + '') + warn 'write failed (read-only fs?)' + ;; + *) + dd if=/dev/random of=${entropy_file_confirmed} \ + bs=4096 count=1 2> /dev/null + echo -n ${entropy_file_confirmed} + ;; + esac + umask ${oumask} echo '.' ;; esac - umask ${oumask} ;; esac } Modified: projects/random_number_generator/libexec/save-entropy/save-entropy.sh ============================================================================== --- projects/random_number_generator/libexec/save-entropy/save-entropy.sh Sun Nov 10 16:33:14 2013 (r257918) +++ projects/random_number_generator/libexec/save-entropy/save-entropy.sh Sun Nov 10 16:35:00 2013 (r257919) @@ -51,7 +51,7 @@ case ${entropy_dir} in ;; esac -entropy_save_sz=${entropy_save_sz:-2048} +entropy_save_sz=${entropy_save_sz:-4096} entropy_save_num=${entropy_save_num:-8} if [ ! -d "${entropy_dir}" ]; then