To: Ben Laurie, Arthur Mesh, Ian Lepore, Doug Barton, "David O'Brien", freebsd-security@freebsd.org, RW
References: <50453686.9090100@FreeBSD.org> <20120911082309.GD72584@dragon.NUXI.org> <504F0687.7020309@FreeBSD.org> <201209121628.18088.jhb@freebsd.org> <5050F477.8060409@FreeBSD.org> <20120912213141.GI14077@x96.org> <20120913052431.GA15052@dragon.NUXI.org>
From: Mark Murray
Date: Sun, 16 Sep 2012 17:21:21 +0100
Subject: Proposed fix; stage 1 (Was: svn commit: r239569 - head/etc/rc.d)
List: freebsd-security@freebsd.org (Security issues [members-only posting])

Hi

Part 1 of the fix is enclosed; it involves drastically shortening the input into /dev/random (the "kickstart") at boot time. There are time implications that I'd like to hear any objections to.

Part 1a is going to be tweaks to stashing entropy at restart (and possibly during normal running). Also fixes to zero-entropy first-startup.

Part 2 will be a cheap shortening of files during reading so as not to clog up the harvest queue. The harvest queue will always be a bit intolerant of excess input via this route, so this should help a lot.

Part 3 will be the addition of another choice of software PRNG; Fortuna. Fortuna is MUCH more resilient to attack, at the expense of using more kernel memory. For modern machines, this is scarcely noticeable, but it could be bad for embedded units.

Tweaks along the way may include reverting to the original intent of starting the PRNG blocked, and only unblocking once reseeded.

M
--
Mark R V Murray
Pi: 132511160

[Attachment: initrandom.diff]

Index: initrandom
===================================================================
--- initrandom (revision 240384)
+++ initrandom (working copy)
@@ -23,15 +23,12 @@ better_than_nothing() { - # XXX temporary until we can improve the entropy - # harvesting rate. # Entropy below is not great, but better than nothing. # This unblocks the generator at startup # Note: commands are ordered to cause the most variance across reboots. - ( kenv; dmesg; df -ib; ps -fauxww; date; sysctl -a ) \ - | dd of=/dev/random bs=8k 2>/dev/null - /sbin/sha256 -q `sysctl -n kern.bootfile` \ - | dd of=/dev/random bs=8k 2>/dev/null + for cmd in "kenv" "dmesg" "df -ib" "ps -fauxww" "date" "sysctl -ao" "netstat -arn" "fstat" ; do + ${cmd}| sha256 > /dev/random + done } initrandom_start() @@ -67,6 +64,12 @@ # First pass at reseeding /dev/random. # + better_than_nothing + + sleep 1 + + # Give the RNG the best kicking that we might not have. + # case ${entropy_file} in [Nn][Oo] | '') ;; @@ -77,8 +80,6 @@ ;; esac - better_than_nothing - echo -n ' kickstart' fi ------- =_aaaaaaaaaa0--
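Review bot: in the better_than_nothing() hunk the rewritten loop silently drops the `/sbin/sha256 -q `sysctl -n kern.bootfile`` input, so the hash of the booted kernel image is no longer fed to /dev/random; adding `sysctl -n kern.bootfile` to the command list would not bring it back, because the loop hashes each command's output (the path string), not the file. If the kernel hash is still wanted, keep it as a separate line after the loop, e.g. `sha256 -q "$(sysctl -n kern.bootfile)" > /dev/random`, and if dropping it is intentional say so in the comment. Two smaller points on the same lines: the old pipeline sent dd's stderr to /dev/null, whereas `${cmd}| sha256 > /dev/random` lets any stderr from `dmesg`, `netstat -arn` or `fstat` reach the boot console, so `${cmd} 2>/dev/null | sha256 > /dev/random` keeps the old behaviour; and the comment above the loop should state the new contract, namely that each command now contributes exactly one hex digest line (at most 256 bits) rather than its raw output, which is the whole point of the shortening.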
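Review bot: the `sleep 1` added in the initrandom_start() hunk costs a full second on every boot, and the comment placed after it ("Give the RNG the best kicking that we might not have.") describes the entropy-file case below rather than the pause; the reason for the sleep (presumably letting the harvest queue absorb the kickstart writes before the entropy file is written) should be stated next to it, and given the cover note's own concern about time implications it is worth checking whether a shorter pause suffices. Also, the hunk context starts at the "# First pass at reseeding /dev/random." comment and does not show the enclosing `if`, so please confirm the moved `better_than_nothing` call still sits inside the same conditional as the call removed further down, which was between `esac` and the `echo -n ' kickstart'` inside the `fi`.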
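Review bot: deleting `better_than_nothing` in the third hunk, together with the insertion above, reverses the order of the two reseed sources: the command-output kickstart now goes in before the saved entropy file instead of after it. better_than_nothing()'s own comment says it "unblocks the generator at startup", so with this ordering the generator can unblock on command output alone before the stored entropy is ever written. If the intent stated in the cover note, starting the PRNG blocked and unblocking only once properly reseeded, is to be preserved, either feed the entropy file first or tie the unblock to it, and update the "First pass at reseeding" comment to reflect which source is now first.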