yarrow random generator

Paul Graphov graphov at gmail.com
Thu Dec 24 17:41:23 UTC 2009


Don't these lines (random_yarrow_init function) make it possible to set
"seeded" to zero?

            SYSCTL_ADD_PROC(&random_clist,
            SYSCTL_CHILDREN(random_sys_o),
            OID_AUTO, "seeded", CTLTYPE_INT | CTLFLAG_RW,
            &random_systat.seeded, 1, random_check_boolean, "I",
            "Seeded State");

And also, according to Schneier, it is a good idea to save the state of the PRNG
and restore it on boot to make it "more seeded".

2009/12/24 Colin Percival <cperciva at freebsd.org>

> Hi all,
>
> Looks like there's a bug here, but it doesn't matter since this is dead
> code: .seeded is initialized to 1 and never modified, so we will never
> call into random_yarrow_block.
>
> IIRC this is because there are some places which ask for entropy before
> yarrow is seeded but don't actually need *cryptographic* entropy.
>
> > Thu, Dec 24, 2009 at 03:45:15PM +0300, Paul Graphov wrote:
> >> I've looked at the FreeBSD 8.0 cryptographically secure pseudorandom
> >> number generator and have a question. It looks like a bug but I'm
> >> not sure.
> >>
> >> In file sys/dev/randomdev.c, function random_read:
> >>
> >>         if (!random_systat.seeded)
> >>                 error = (*random_systat.block)(flag);
> >>
> >> It blocks until the PRNG is seeded. For the software random generator
> >> implementation the block method looks as follows, sys/dev/randomdev_soft.c:
> >>
> >> random_yarrow_block(int flag)
> >> {
> >>         int error = 0;
> >>
> >>         mtx_lock(&random_reseed_mtx);
> >>
> >>         /* Blocking logic */
> >>         while (random_systat.seeded && !error) {
> >>                 if (flag & O_NONBLOCK)
> >>                         error = EWOULDBLOCK;
> >>                 else {
> >>                         printf("Entropy device is blocking.\n");
> >>                         error = msleep(&random_systat,
> >>                             &random_reseed_mtx,
> >>                             PUSER | PCATCH, "block", 0);
> >>                 }
> >>         }
> >>         mtx_unlock(&random_reseed_mtx);
> >>
> >>         return error;
> >> }
> >>
> >> It seems that random_systat.seeded in the "while" condition should be
> >> negated. Or it will never block actually, or block erroneously until the
> >> next reseed (under very rare conditions).
>
> --
> Colin Percival
> Security Officer, FreeBSD | freebsd.org | The power to serve
> Founder / author, Tarsnap | tarsnap.com | Online backups for the truly
> paranoid
>
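To make the inverted condition concrete, here is an added user-space model of the posted loop and of the random_read() call site. It is not FreeBSD code: struct model, model_msleep(), read_path() and the reseed_after counter are constructed stand-ins for random_systat, msleep() and the reseed wakeup, written only to show what each version of the loop does to an unseeded reader.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
struct model {         /* constructed stand-in for random_systat (not kernel code) */
    int seeded;        /* random_systat.seeded */
    int wakeups;       /* times the simulated msleep() ran */
    int reseed_after;  /* the simulated reseed arrives after this many sleeps */
};
/* Stand-in for msleep(): a reseed eventually wakes the sleeper and marks it seeded. */
static int model_msleep(struct model *m)
{
    if (++m->wakeups >= m->reseed_after)
        m->seeded = 1;
    return 0;
}
/* Loop as posted: waits while seeded, so an unseeded caller falls straight through. */
static int block_as_posted(struct model *m, int flag)
{
    int error = 0;
    while (m->seeded && !error)
        error = (flag & O_NONBLOCK) ? EWOULDBLOCK : model_msleep(m);
    return error;
}
/* Same loop with the negation proposed in the thread: waits until seeded. */
static int block_fixed(struct model *m, int flag)
{
    int error = 0;
    while (!m->seeded && !error)
        error = (flag & O_NONBLOCK) ? EWOULDBLOCK : model_msleep(m);
    return error;
}
/* Mirrors the random_read() call site: block is only consulted when unseeded.
 * *served_unseeded is set when a read would succeed on an unseeded generator. */
static int read_path(struct model *m, int flag, int fixed, int *served_unseeded)
{
    int error = 0;
    if (!m->seeded)
        error = fixed ? block_fixed(m, flag) : block_as_posted(m, flag);
    *served_unseeded = (error == 0 && !m->seeded);
    return error;
}
int main(void)
{
    struct model posted = {0, 0, 3}, fixed = {0, 0, 3};
    int up, uf, ep, ef;
    ep = read_path(&posted, 0, 0, &up);
    ef = read_path(&fixed, 0, 1, &uf);
    printf("as posted: error=%d unseeded=%d sleeps=%d\n", ep, up, posted.wakeups);
    printf("fixed:     error=%d unseeded=%d sleeps=%d\n", ef, uf, fixed.wakeups);
}
```

With the posted condition an unseeded blocking read returns immediately with no error, which is exactly the case a blocking CSPRNG interface exists to prevent; the negated condition sleeps until the simulated reseed and honours O_NONBLOCK with EWOULDBLOCK.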

