yarrow random generator
Robert Watson
rwatson at FreeBSD.org
Thu Dec 24 19:48:43 UTC 2009
On Thu, 24 Dec 2009, Paul Graphov wrote:
> And also according to Schneier it is a good idea to save state of the PRNG
> and restore it on boot to make it "more seeded".
In the default configuration, we save some PRNG output every few minutes
(using cron) to a file in /var so that it can be re-injected into Yarrow on
the next boot (done by /etc/rc.d/random).
Robert N M Watson
Computer Laboratory
University of Cambridge
>
> 2009/12/24 Colin Percival <cperciva at freebsd.org>
>
>> Hi all,
>>
>> Looks like there's a bug here, but it doesn't matter since this is dead
>> code: .seeded is initialized to 1 and never modified, so we will never
>> call into random_yarrow_block.
>>
>> IIRC this is because there are some places which ask for entropy before
>> yarrow is seeded but don't actually need *cryptographic* entropy.
>>
>>> Thu, Dec 24, 2009 at 03:45:15PM +0300, Paul Graphov wrote:
>>>> I've looked at FreeBSD 8.0 cryptographically secure pseudorandom
>>>> numbers generator and have a question. It looks like a bug but I'm
>>>> not sure.
>>>>
>>>> In file sys/dev/randomdev.c, function random_read:
>>>>
>>>>     if (!random_systat.seeded)
>>>>         error = (*random_systat.block)(flag);
>>>>
>>>> It blocks until PRNG is seeded. For software random generator implementation
>>>> block method looks as follows, sys/dev/randomdev_soft.c:
>>>>
>>>> random_yarrow_block(int flag)
>>>> {
>>>>     int error = 0;
>>>>
>>>>     mtx_lock(&random_reseed_mtx);
>>>>
>>>>     /* Blocking logic */
>>>>     while (random_systat.seeded && !error) {
>>>>         if (flag & O_NONBLOCK)
>>>>             error = EWOULDBLOCK;
>>>>         else {
>>>>             printf("Entropy device is blocking.\n");
>>>>             error = msleep(&random_systat,
>>>>                 &random_reseed_mtx,
>>>>                 PUSER | PCATCH, "block", 0);
>>>>         }
>>>>     }
>>>>     mtx_unlock(&random_reseed_mtx);
>>>>
>>>>     return error;
>>>> }
>>>>
>>>> It seems that random_systat.seeded in "while" condition should be negated.
>>>> Or it will never block actually, or block erroneously until next reseed
>>>> (under very rare conditions)
>>
>> --
>> Colin Percival
>> Security Officer, FreeBSD | freebsd.org | The power to serve
>> Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
>>
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
>
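A userland model of the wait loop quoted in the thread, as an added example that is not part of the original messages or of the FreeBSD source: it runs the loop with the condition as quoted and with the condition negated. `struct model`, `fake_msleep` and `wait_seeded` are hypothetical names, and the stub standing in for `msleep()` assumes a reseed sets the seeded flag before waking sleepers.

```c
/* Userland model of the quoted wait loop; added example, not FreeBSD source. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>

struct model {
    int seeded;       /* stands in for random_systat.seeded */
    int sleeps;       /* number of times the caller slept */
    int reseed_after; /* stub reseeds on this sleep; 0 = never */
};

/* Hypothetical stub for msleep(): a reseed sets seeded and wakes the
 * sleeper; otherwise the third sleep is interrupted so every run ends. */
static int fake_msleep(struct model *m)
{
    m->sleeps++;
    if (m->sleeps == m->reseed_after) {
        m->seeded = 1;
        return 0;
    }
    return m->sleeps >= 3 ? EINTR : 0;
}

/* negated == 0: loop condition as quoted; negated == 1: as proposed. */
static int wait_seeded(struct model *m, int flag, int negated)
{
    int error = 0;

    while ((negated ? !m->seeded : m->seeded) && !error) {
        if (flag & O_NONBLOCK)
            error = EWOULDBLOCK;
        else
            error = fake_msleep(m);
    }
    return error;
}

int main(void)
{
    struct model quoted = { 0, 0, 2 }, fixed = { 0, 0, 2 };
    int eq = wait_seeded(&quoted, 0, 0);
    int ef = wait_seeded(&fixed, 0, 1);

    /* Unseeded, blocking read: does the caller wait for the reseed? */
    printf("quoted:  error=%d sleeps=%d seeded=%d\n", eq, quoted.sleeps, quoted.seeded);
    printf("negated: error=%d sleeps=%d seeded=%d\n", ef, fixed.sleeps, fixed.seeded);
    return 0;
}
```

In this model the quoted condition returns at once while the generator is still unseeded, and the negated condition sleeps until the simulated reseed.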