Date: Thu, 24 Dec 2009 19:48:43 +0000 (GMT)
From: Robert Watson <rwatson@FreeBSD.org>
To: Paul Graphov <graphov@gmail.com>
Cc: freebsd-hackers@freebsd.org, secteam@freebsd.org
Subject: Re: yarrow random generator
Message-ID: <alpine.BSF.2.00.0912241945490.73550@fledge.watson.org>
In-Reply-To: <5a5b03660912240941r6b76a839u819a8a1408816386@mail.gmail.com>
References: <5a5b03660912240445x7df1498dt42e29d93105efebc@mail.gmail.com> <oCmohG1K70vWpt/39IVPMdciTgk@DNdB9ElzNmEFYWRqT2UTVtuts%2BE> <4B339F27.6020707@freebsd.org> <5a5b03660912240941r6b76a839u819a8a1408816386@mail.gmail.com>
On Thu, 24 Dec 2009, Paul Graphov wrote:

> And also according to Schneier it is a good idea to save state of the PRNG
> and restore it on boot to make it "more seeded".

In the default configuration, we save some PRNG output every few minutes
(using cron) to a file in /var so that it can be re-injected into Yarrow on
the next boot (done by /etc/rc.d/random).

Robert N M Watson
Computer Laboratory
University of Cambridge

>
> 2009/12/24 Colin Percival <cperciva@freebsd.org>
>
>> Hi all,
>>
>> Looks like there's a bug here, but it doesn't matter since this is dead
>> code: .seeded is initialized to 1 and never modified, so we will never
>> call into random_yarrow_block.
>>
>> IIRC this is because there are some places which ask for entropy before
>> yarrow is seeded but don't actually need *cryptographic* entropy.
>>
>>> Thu, Dec 24, 2009 at 03:45:15PM +0300, Paul Graphov wrote:
>>>> I've looked at FreeBSD 8.0 cryptographically secure pseudorandom
>>>> number generator and have a question. It looks like a bug but I'm
>>>> not sure.
>>>>
>>>> In file sys/dev/randomdev.c, function random_read:
>>>>
>>>>     if (!random_systat.seeded)
>>>>         error = (*random_systat.block)(flag);
>>>>
>>>> It blocks until PRNG is seeded. For software random generator
>>>> implementation block method looks as follows, sys/dev/randomdev_soft.c:
>>>>
>>>> random_yarrow_block(int flag)
>>>> {
>>>>     int error = 0;
>>>>
>>>>     mtx_lock(&random_reseed_mtx);
>>>>
>>>>     /* Blocking logic */
>>>>     while (random_systat.seeded && !error) {
>>>>         if (flag & O_NONBLOCK)
>>>>             error = EWOULDBLOCK;
>>>>         else {
>>>>             printf("Entropy device is blocking.\n");
>>>>             error = msleep(&random_systat,
>>>>                 &random_reseed_mtx,
>>>>                 PUSER | PCATCH, "block", 0);
>>>>         }
>>>>     }
>>>>     mtx_unlock(&random_reseed_mtx);
>>>>
>>>>     return error;
>>>> }
>>>>
>>>> It seems that random_systat.seeded in "while" condition should be
>>>> negated. Or it will never block actually, or block erroneously until
>>>> next reseed (under very rare conditions)
>>
>> --
>> Colin Percival
>> Security Officer, FreeBSD | freebsd.org | The power to serve
>> Founder / author, Tarsnap | tarsnap.com | Online backups for the truly
>> paranoid
>>
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
>
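The blocking gate the thread dissects, as an added userspace model that is not FreeBSD's code and not part of the original e-mail. It keeps the loop condition as Paul pasted it beside the negated form, drops the reseed mutex, and replaces msleep() with a caller-supplied sleep hook (an assumption of this model; the names block_as_posted, block_negated, scenario and the two hooks are invented here). Driving both versions through a copy of the random_read() gate shows Colin's point (the block method is never reached while seeded is 1) and both failure modes Paul describes: the posted condition never blocks an unseeded reader, and would block a seeded one until a signal or the next wakeup if it were ever reached.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model of random_yarrow_block() and the gate in random_read();
 * not FreeBSD code.  The reseed mutex is omitted and msleep() is replaced by
 * a caller-supplied hook (an assumption of this model) so that "a reseed
 * completed while sleeping" and "a signal interrupted the sleep" can both be
 * exercised without a kernel.
 */
struct systat {
	bool seeded;
};

/* Stand-in for msleep(): returns 0 when woken normally, else an errno. */
typedef int (*sleep_fn)(struct systat *);

/* Loop condition exactly as pasted in the thread (the suspected inversion). */
static int
block_as_posted(struct systat *st, int flag, sleep_fn sleep_hook)
{
	int error = 0;

	while (st->seeded && !error) {
		if (flag & O_NONBLOCK)
			error = EWOULDBLOCK;
		else
			error = sleep_hook(st);
	}
	return (error);
}

/* Loop condition with seeded negated, as Paul suggested. */
static int
block_negated(struct systat *st, int flag, sleep_fn sleep_hook)
{
	int error = 0;

	while (!st->seeded && !error) {
		if (flag & O_NONBLOCK)
			error = EWOULDBLOCK;
		else
			error = sleep_hook(st);
	}
	return (error);
}

/* Sleep hook: a reseed completes while the reader is asleep. */
static int
wake_after_reseed(struct systat *st)
{
	st->seeded = true;
	return (0);
}

/* Sleep hook: a signal interrupts the sleep, as PCATCH allows. */
static int
wake_on_signal(struct systat *st)
{
	(void)st;
	return (EINTR);
}

/*
 * Drive one scenario and return the errno the reader would see.
 * via_read_gate mirrors random_read(), which only calls the block method
 * while unseeded; false calls the block method directly, which is what a
 * reseed racing the unlocked check would amount to.  Do not combine
 * block_as_posted, seeded, blocking I/O and wake_after_reseed: nothing ever
 * clears seeded, so that loop never terminates.
 */
static int
scenario(bool seeded, int flag, bool negated, bool via_read_gate,
    sleep_fn sleep_hook)
{
	struct systat st = { .seeded = seeded };
	int (*block)(struct systat *, int, sleep_fn) =
	    negated ? block_negated : block_as_posted;
	int error = 0;

	if (!via_read_gate || !st.seeded)
		error = block(&st, flag, sleep_hook);
	return (error);
}

int
main(void)
{
	printf("posted, unseeded, via random_read: %d (never blocks)\n",
	    scenario(false, 0, false, true, wake_after_reseed));
	printf("posted, seeded, reached directly, O_NONBLOCK: %d (EWOULDBLOCK=%d)\n",
	    scenario(true, O_NONBLOCK, false, false, wake_on_signal), EWOULDBLOCK);
	printf("negated, unseeded, reseed while sleeping: %d\n",
	    scenario(false, 0, true, true, wake_after_reseed));
	printf("negated, unseeded, signal while sleeping: %d (EINTR=%d)\n",
	    scenario(false, 0, true, true, wake_on_signal), EINTR);
	printf("negated, unseeded, O_NONBLOCK: %d (EWOULDBLOCK=%d)\n",
	    scenario(false, O_NONBLOCK, true, true, wake_on_signal), EWOULDBLOCK);
	return (0);
}
```

The hook approach is what makes the race observable: the real loop re-checks seeded only after msleep() returns, so the only two things that can end a correct wait are a reseed wakeup (error 0, condition now false) or a caught signal (EINTR), and the model reproduces exactly those two exits.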