Date: Tue, 15 Nov 2011 11:08:43 +0400 From: Andrey Chernov <ache@freebsd.org> To: das@freebsd.org, Oliver Pinter <oliver.pntr@gmail.com>, current@freebsd.org, secteam@freebsd.org Subject: Re: Is fork() hook ever possible? Message-ID: <20111115070842.GA86944@vniz.net> In-Reply-To: <20111115054929.GA27803@zim.MIT.EDU> References: <20111112171531.GA83419@vniz.net> <20111114013004.GA53392@zim.MIT.EDU> <20111114192721.GA16834@vniz.net> <20111114205855.GB58790@zim.MIT.EDU> <20111114212926.GA28783@vniz.net> <20111114230855.GA59545@zim.MIT.EDU> <20111115004443.GA50429@vniz.net> <CAPjTQNFSbkiaDUzMh_WYffM9vF1-H3j-FA2FZJfHR-0uJyJ3eQ@mail.gmail.com> <20111115023912.GA68523@vniz.net> <20111115054929.GA27803@zim.MIT.EDU>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Nov 15, 2011 at 12:49:29AM -0500, David Schultz wrote: > On Tue, Nov 15, 2011, Andrey Chernov wrote: > > In case you mean passing later whole structure like: > >=20 > > arc4_addrandom((u_char *)&rdat, sizeof(rdat)); > >=20 > > it will be incorrect because it change known algorithm parameters, whic= h=20 > > defines exact 128 bytes and not anything else. >=20 > No, RC4 keys are anything up to 256 bytes. Of course. But changing it away from the reference implementation will=20 cause questions or paranoia. You can re-read your recent reasons against=20 lowering drop count from 1024, this is very similar. > I think what you really want is a union in any case, but relax. > arc4_stir() works right now, so I think it can stay as is until > we're ready to make further functional changes, e.g., getting > entropy from the KERN_ARND sysctl. =20 You can left the current stir code as is but please don't forget in the=20 future that the price is its weakness in jails without /dev/random. > But that's complicated by > the fact that KERN_ARND won't tell you if it has failed to produce > any useful entropy, and I won't have the cycles to look into it for > a little while. BTW, we can re-stir kernel arc4 one time more - when yarrow is feeded,=20 =66rom the yarrow code. In general it promises to be earlier that any of=20 userland programs is starting. --=20 http://ache.vniz.net/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20111115070842.GA86944>