From: John-Mark Gurney
Date: Tue, 17 Feb 2015 10:02:26 -0800
To: current@freebsd.org
Subject: Re: URGENT: RNG broken for last 4 months
Message-ID: <20150217180226.GC1953@funkthat.com>
In-Reply-To: <20150217173726.GA1953@funkthat.com>

John-Mark Gurney wrote this message on Tue, Feb 17, 2015 at 09:37 -0800:
> If you are running a current kernel r273872 or later, please upgrade
> your kernel to r278907 or later immediately and regenerate keys.
>
> I discovered an issue where the new framework code was not calling
> randomdev_init_reader, which means that read_random(9) was not returning
> good random data. read_random(9) is used by arc4random(9) which is
> the primary method that arc4random(3) is seeded from.
>
> This means most/all keys generated may be predictable and must be
> regenerated. This includes, but is not limited to, ssh keys and keys
> generated by openssl. This is purely a kernel issue, and a simple
> kernel upgrade w/ the patch is sufficient to fix the issue.

It was brought to my attention (thanks Juli) that it might not be clear
that this issue does not affect any released version of FreeBSD. It only
affects people who run -current.

-- 
John-Mark Gurney    Voice: +1 415 225 5579

"All that I will do, has been done, All that I have, has not."
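
A revision-window check for the advisory above, as an added example that is not part of the original message. It assumes an SVN-built kernel whose `uname -v` string carries an `rNNNNNN` token; the function names `kernel_rev`, `rng_status` and `host_keys` are illustrative.

```shell
#!/bin/sh
# Added example: classify a FreeBSD -current kernel against the revision
# window given in the message (r273872 or later, fixed in r278907).
# Assumption: the kernel was built from an SVN checkout, so `uname -v`
# contains a token such as "r278907:" (or "r278907M:" for a modified tree).

FIRST_BAD=273872    # first affected revision, from the message
FIRST_FIXED=278907  # first revision carrying the fix, from the message

# Print the numeric SVN revision found in a version string, or nothing.
# The token must be whitespace-delimited so "server1" is never read as r1.
kernel_rev() {
    printf ' %s \n' "$1" |
        sed -n 's/.*[[:space:]]r\([0-9][0-9]*\)[M:]*[[:space:]].*/\1/p'
}

# Classify a version string: affected, fixed, predates-bug or unknown.
rng_status() {
    rev=$(kernel_rev "$1")
    if [ -z "$rev" ]; then
        echo unknown
    elif [ "$rev" -lt "$FIRST_BAD" ]; then
        echo predates-bug
    elif [ "$rev" -lt "$FIRST_FIXED" ]; then
        echo affected
    else
        echo fixed
    fi
}

# List SSH host private keys under a directory (default /etc/ssh).
# A "fixed" kernel does not clear these: any key created while an
# affected kernel was running still has to be regenerated.
host_keys() {
    for f in "${1:-/etc/ssh}"/ssh_host_*_key; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Live check; prints "unknown" when no revision token is present.
echo "running kernel: $(rng_status "$(uname -v)")"
host_keys
```

The same review applies to user SSH keys and to keys generated by openssl on the machine during the affected period, which this script does not enumerate.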