svn commit: r239598 - head/etc/rc.d
Peter Jeremy
peter at rulingia.com
Wed Sep 5 21:27:49 UTC 2012
On 2012-Sep-05 02:12:48 +0100, RW <rwmaillists at googlemail.com> wrote:
>All of the low-grade entropy should go through sha256.

Overall, I like the idea of feeding the high-volume mixed quality
"entropy" through SHA-256 or similar.

>Anything written into /dev/random is passed by random_yarrow_write() 16
>bytes at a time into random_harvest_internal() which copies it into a
>buffer and queues it up. If there are 256 buffers queued
>random_harvest_internal() simply returns without doing anything.

This would seem to open up a denial-of-entropy attack on random(4):
All entropy sources feed into Yarrow via random_harvest_internal()
which queues the input into a single queue - harvestfifo. When this
queue is full, further input is discarded. If I run
"dd if=/dev/zero of=/dev/random"
then harvestfifo will be kept full of NULs, resulting in other entropy
events (particularly from within the kernel) being discarded. There
would still be a small amount of entropy from the get_cyclecount()
calls but this is minimal.

Is it worth splitting harvestfifo into multiple queues to prevent
this? At least a separate queue for RANDOM_WRITE and potentially
separate queues for each entropy source.

--
Peter Jeremy
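
Added example, not part of the original message and not FreeBSD code: a small user-space model of the drop-on-full policy discussed above, comparing one shared bounded queue with one bounded queue per source. The 256-entry limit comes from the thread; the source names, the per-tick burst and drain rates, and the round-robin consumer are assumptions made for illustration.

```c
#include <stdio.h>

#define QUEUE_MAX 256                 /* drop threshold quoted in the thread */
enum source { SRC_WRITE, SRC_KERNEL, SRC_COUNT };   /* hypothetical names */
struct result { unsigned accepted[SRC_COUNT], dropped[SRC_COUNT]; };

/* Offer one event; a full queue discards it, as the thread describes. */
static void offer(struct result *r, unsigned *depth, int split, enum source s)
{
    unsigned *q = &depth[split ? s : 0];   /* shared mode uses queue 0 only */
    if (*q >= QUEUE_MAX) { r->dropped[s]++; return; }
    (*q)++;
    r->accepted[s]++;
}

/* split=0: one shared FIFO. split=1: one bounded FIFO per source.
 * Per tick: `burst` write-path events, then one kernel event, then the
 * consumer removes up to `drain` entries, round-robin across the queues. */
static struct result simulate(int split, unsigned ticks, unsigned burst,
                              unsigned drain)
{
    struct result r = {{0}, {0}};
    unsigned depth[SRC_COUNT] = {0};
    int nq = split ? SRC_COUNT : 1;
    for (unsigned t = 0; t < ticks; t++) {
        for (unsigned i = 0; i < burst; i++)
            offer(&r, depth, split, SRC_WRITE);
        offer(&r, depth, split, SRC_KERNEL);
        for (unsigned budget = drain, took = 1; budget > 0 && took; ) {
            took = 0;
            for (int q = 0; q < nq && budget > 0; q++)
                if (depth[q] > 0) { depth[q]--; budget--; took = 1; }
        }
    }
    return r;
}

int main(void)
{
    for (int split = 0; split <= 1; split++) {
        struct result r = simulate(split, 1000, 1000, 64); /* constructed rates */
        printf("%-10s kernel events: %u accepted, %u dropped\n",
               split ? "per-source" : "shared",
               r.accepted[SRC_KERNEL], r.dropped[SRC_KERNEL]);
    }
    return 0;
}
```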