On Tue, Nov 15, 2011, Andrey Chernov wrote: > On Mon, Nov 14, 2011 at 03:58:55PM -0500, David Schultz wrote: > > On Mon, Nov 14, 2011, Andrey Chernov wrote: > > > 1) We should use > > > mib[0] = CTL_KERN; > > > mib[1] = KERN_ARND; > > > > > > len = sizeof(rnd); > > > sysctl(mib, 2, rnd, &len, NULL, 0); > > > here instead of /dev/random, like OpenBSD did. It helps jails, and > > > re-stearing not happens too often in anycase. Obviously it minimizes > > > OpenBSD diffs too. > > > > Yes, that was in my list of suggested follow-on work, but I don't > > have time for it right now. > > I can add this to your patch, we have the same semantics here as OpenBSD, > so there will be no surprizes.
Not quite. OpenBSD's implementation is more careful. I just noticed a funny thing about FreeBSD's KERN_ARND sysctl: If the random device isn't (or can't be) loaded, KERN_ARND silently decides to initialize itself with the output of random(). This means that whatever minuscule amount of entropy it might have picked up from the clock is reduced to a maximum of 31 bits. That's a fantastic way to provide a false sense of security... _______________________________________________ freebsd-current@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
