Date:      Mon, 14 Nov 2011 23:27:21 +0400
From:      Andrey Chernov <ache@freebsd.org>
To:        das@freebsd.org, current@freebsd.org, secteam@freebsd.org
Subject:   Re: Is fork() hook ever possible?
Message-ID:  <20111114192721.GA16834@vniz.net>
In-Reply-To: <20111114013004.GA53392@zim.MIT.EDU>
References:  <20080916140319.GA34447@nagual.pp.ru> <20080916201932.GA59781@zim.MIT.EDU> <20111112102241.GA75396@vniz.net> <20111112154135.GA21512@zim.MIT.EDU> <20111112171531.GA83419@vniz.net> <20111114013004.GA53392@zim.MIT.EDU>

On Sun, Nov 13, 2011 at 08:30:04PM -0500, David Schultz wrote:
> I don't have those patches anymore, but I redid them from scratch
> using the latest revision from OpenBSD.  The patch at
> http://www.freebsd.org/~das/patches/vshead.diff syncs our
> arc4random.c with OpenBSD's to the extent possible, style bugs and
> all.  It seems prudent to treat it as a vendor source and avoid
> gratuitous differences:  Unlike our version, all the changes to
> OpenBSD's arc4random.c were vetted by several people.  Switching
> to OpenBSD's version fixes the bug where a parent and child
> process see the same random sequence.

1) We should use 
	mib[0] = CTL_KERN;
	mib[1] = KERN_ARND;

	len = sizeof(rnd);
	sysctl(mib, 2, rnd, &len, NULL, 0);
here instead of /dev/random, like OpenBSD did. It helps jails, and 
re-stirring does not happen too often in any case. Obviously it minimizes 
OpenBSD diffs too.

> the IV.  In arc4_stir(), I also fixed the bug where the wrong
> buffer size was being passed to arc4_addrandom(), resulting in
> entropy loss.  That change should be committed separately.

2) I already explained this point before. There is no bug here but an 
intentional hack using time and pid entropy for stirring when the read 
fails: time/pid are at the beginning of the struct, a successful read happens 
at the beginning of the struct too, and the beginning of the struct is passed 
as the key too. The key is always a fixed KEYSIZE bytes.

In your new patch you pass unneeded stack garbage at the beginning of the 
struct (often 0s) in case good entropy is successfully read into 
rdat.rnd; moreover, you pass more than KEYSIZE bytes: sizeof(rdat).

When using KERN_ARND as in 1) this whole part becomes irrelevant.

3) (optional) I think we can lower the initial permutations from our 1024 to 
at least OpenBSD's 256 here:
	for (i = 0; i < 1024; i++)
		(void)arc4_getbyte();
In my initial commit attempts I posted several references to publicly 
available mathematical research calculating the estimated initial 
permutation count; some papers allow even 128. They can be found in the 
commit log.

In all other respects your patch looks good to me.

-- 
http://ache.vniz.net/
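As an added illustration of points 1) to 3) above, not code from this thread or from either BSD's arc4random.c: a stand-alone stir routine in C that keys RC4 from the KERN_ARND sysctl, keeps the time/pid struct layout as the fallback, always passes exactly KEYSIZE bytes, and drops OpenBSD's 256 initial bytes. It assumes a textbook RC4 key schedule that re-keys from scratch (unlike arc4_addrandom(), which mixes into the existing state), and the names arc4_key_from, read_kern_arnd and INITIAL_DROP are its own; on a system without KERN_ARND the sysctl path is compiled out and the fallback is taken.

```c
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/time.h>
#include <sys/types.h>
#if defined(__FreeBSD__) || defined(__OpenBSD__)
#include <sys/sysctl.h>          /* CTL_KERN / KERN_ARND, the source proposed in 1) */
#endif
#define KEYSIZE 128              /* key length handed to the cipher by arc4_stir() */
#define INITIAL_DROP 256         /* OpenBSD's count; point 3) weighs 1024 against 256 */
static uint8_t S[256], si, sj;   /* RC4 state (textbook KSA/PRGA, an assumption) */

/* Key the cipher from exactly keylen bytes; arc4_stir() always passes KEYSIZE. */
static void arc4_key_from(const uint8_t *key, size_t keylen) {
    for (int i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (int i = 0, j = 0; i < 256; i++) {
        j = (j + S[i] + key[i % keylen]) & 0xff;
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
    }
    si = sj = 0;
}
static uint8_t arc4_getbyte(void) {
    si = (uint8_t)(si + 1);
    sj = (uint8_t)(sj + S[si]);
    uint8_t t = S[si]; S[si] = S[sj]; S[sj] = t;
    return S[(uint8_t)(S[si] + S[sj])];
}
/* kern.arandom via sysctl: 0 on success, -1 where unavailable (e.g. on Linux). */
static int read_kern_arnd(uint8_t *buf, size_t n) {
#ifdef KERN_ARND
    int mib[2] = { CTL_KERN, KERN_ARND };
    size_t len = n;
    if (sysctl(mib, 2, buf, &len, NULL, 0) == 0 && len == n) return 0;
#endif
    (void)buf; (void)n; return -1;
}
/* Layout from point 2): tv and pid come first, so they are what gets keyed when the read fails. */
struct rdat { struct timeval tv; pid_t pid; uint8_t rnd[KEYSIZE]; };

/* Returns 1 if kernel entropy keyed the cipher, 0 if the time/pid fallback did. */
static int arc4_stir(void) {
    struct rdat rdat;
    memset(&rdat, 0, sizeof rdat);           /* rnd[] is otherwise just stack contents */
    gettimeofday(&rdat.tv, NULL);
    rdat.pid = getpid();
    int ok = read_kern_arnd((uint8_t *)&rdat, KEYSIZE) == 0;  /* a success overwrites tv/pid */
    arc4_key_from((uint8_t *)&rdat, KEYSIZE); /* KEYSIZE bytes, never sizeof rdat */
    for (int i = 0; i < INITIAL_DROP; i++) (void)arc4_getbyte();
    return ok;
}
```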