From: RW
To: freebsd-hackers@freebsd.org
Date: Sat, 19 Apr 2008 17:56:55 +0100
Subject: Yarrow's Counter
Message-ID: <20080419175655.51a37bb2@gumby.homeunix.com.>
X-Mailer: Claws Mail 3.3.1 (GTK+ 2.12.9; i386-portbld-freebsd7.0)
List-Id: Technical Discussions relating to FreeBSD

The random number generator in FreeBSD's Yarrow implementation uses AES256 in counter mode. When a reseed occurs the generator is reinitialised like this:

- generate a new cypher-key from the pool[s] and the old key
- zero the counter
- encrypt the (zeroed) counter with the new key

My question is: why zero the counter?
If it's not zeroed then the old counter is encrypted instead, and after a few reseeds the counter will accumulate an independent 256 bits of entropy, rather than being a function of the new key.

Should I submit a patch? It's simply a matter of deleting two lines in reseed() in sys/dev/random/yarrow.c:

    yarrow_hash_finish(&context, temp);
    yarrow_encrypt_init(&random_state.key, temp);
    /* 4. Recompute the counter */
    for (i = 0; i < 4; i++)                     <---
        random_state.counter[i] = 0;            <---
    yarrow_encrypt(&random_state.key, random_state.counter, temp);
    memcpy(random_state.counter, temp, sizeof(random_state.counter));
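The following is an added example, not the poster's code and not FreeBSD's sys/dev/random/yarrow.c: a small Python model of the reseed() step quoted above, written so the effect of the two marked lines can be observed directly. It assumes a 256-bit counter (from the counter[4] loop in the excerpt) and substitutes a keyed PRF (HMAC-SHA256) for the AES-256 block encryption and SHA-256 for the key derivation, since the property under discussion is how state flows through the reseed, not the cipher itself. The generator class, the pool material strings and the helper names are all constructed for this illustration.

```python
import hashlib
import hmac

# Assumption: a 256-bit counter, matching the counter[4] of 64-bit words
# zeroed in the reseed() excerpt from yarrow.c.
BLOCK = 32


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for yarrow_encrypt(): a keyed PRF (HMAC-SHA256) instead of
    AES-256 so the example runs with the standard library only. Only the
    way state flows through reseed() is being modelled here."""
    return hmac.new(key, block, hashlib.sha256).digest()


def increment(counter: bytes) -> bytes:
    """Counter-mode step: treat the counter as a big-endian integer, add 1."""
    n = (int.from_bytes(counter, "big") + 1) % (1 << (8 * BLOCK))
    return n.to_bytes(BLOCK, "big")


class Generator:
    """Minimal model of the Yarrow output generator: a key and a counter."""

    def __init__(self):
        self.key = bytes(BLOCK)
        self.counter = bytes(BLOCK)

    def reseed(self, pool_material: bytes, zero_counter: bool = True):
        # 1. New key from the pool material and the old key (the
        #    hash_finish / encrypt_init pair in the excerpt; SHA-256 here).
        self.key = hashlib.sha256(self.key + pool_material).digest()
        # 2. The two lines the post proposes removing.
        if zero_counter:
            self.counter = bytes(BLOCK)
        # 3. Encrypt the counter under the new key and keep the result.
        self.counter = block_encrypt(self.key, self.counter)

    def output(self) -> bytes:
        """One counter-mode output block: bump the counter, encrypt it."""
        self.counter = increment(self.counter)
        return block_encrypt(self.key, self.counter)


def counter_is_function_of_key(gen: Generator) -> bool:
    """True when the current counter can be recomputed from the key alone,
    i.e. it equals E_key(0), which is exactly what zeroing before the
    re-encryption guarantees."""
    return gen.counter == block_encrypt(gen.key, bytes(BLOCK))


def counters_after_reseed(blocks_a: int, blocks_b: int, zero_counter: bool):
    """Two generators share an initial state and the same (constructed) pool
    material but draw a different number of output blocks before the second
    reseed. Returns both post-reseed counters for comparison."""
    ga, gb = Generator(), Generator()
    for g in (ga, gb):
        g.reseed(b"constructed pool material #1", zero_counter)
    for _ in range(blocks_a):
        ga.output()
    for _ in range(blocks_b):
        gb.output()
    for g in (ga, gb):
        g.reseed(b"constructed pool material #2", zero_counter)
    return ga.counter, gb.counter


if __name__ == "__main__":
    ca, cb = counters_after_reseed(0, 5, zero_counter=True)
    print("counter zeroed:     counters equal after reseed ->", ca == cb)
    ca, cb = counters_after_reseed(0, 5, zero_counter=False)
    print("counter not zeroed: counters equal after reseed ->", ca == cb)
```

With the two lines kept, the counter after every reseed is E_key(0) and the amount of output drawn beforehand is forgotten, so two instances that derive the same key end up with the same counter. With the lines removed, the new counter is E_key(old counter) and the previous counter is carried forward into the new state, which is the dependency the post describes.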