svn commit: r239569 - head/etc/rc.d

Wed, 22 Aug 2012 11:44:05 -0700 

Author: obrien
Date: Wed Aug 22 18:43:21 2012
New Revision: 239569
URL: http://svn.freebsd.org/changeset/base/239569

Log:
  Remove old entropy seeding after consumption initializing /dev/random PRNG.
  Not doing so opens us up to replay attacks.
  
  Submitted by: Arthur Mesh <arthurm...@gmail.com>
  Sponsored by: Juniper Networks

Added:
  head/etc/rc.d/postrandom   (contents, props changed)
Modified:
  head/etc/rc.d/random

Added: head/etc/rc.d/postrandom
==============================================================================
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ head/etc/rc.d/postrandom    Wed Aug 22 18:43:21 2012        (r239569)
@@ -0,0 +1,41 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: postrandom
+# REQUIRE: initrandom random var
+# BEFORE: LOGIN
+# KEYWORD: nojail
+
+. /etc/rc.subr
+
+name="postrandom"
+start_cmd="${name}_start"
+stop_cmd=":"
+
+# This will remove old ${entropy_file} and generate a new one.
+# According to Bruce Schneier, this is stronly recomended in order
+# to avoid using same ${entropy_file} across reboots.
+# Reference: Chapter 10.6, Practical Cryptograpy, ISBN: 0-471-22357-3
+
+postrandom_start()
+{
+       /etc/rc.d/random fastsaveseed
+
+       case ${entropy_dir} in
+       [Nn][Oo])
+               ;;
+       *)
+               entropy_dir=${entropy_dir:-/var/db/entropy}
+               if [ -d "${entropy_dir}" ]; then
+                       if [ -w /dev/random ]; then
+                               rm -f ${entropy_dir}/*
+                       fi
+               fi
+               ;;
+       esac
+}
+
+load_rc_config random
+run_rc_command "$1"

Modified: head/etc/rc.d/random
==============================================================================
--- head/etc/rc.d/random        Wed Aug 22 18:35:17 2012        (r239568)
+++ head/etc/rc.d/random        Wed Aug 22 18:43:21 2012        (r239569)
@@ -4,7 +4,7 @@
 #
 
 # PROVIDE: random
-# REQUIRE: var initrandom
+# REQUIRE: initrandom var
 # BEFORE: netif
 # KEYWORD: nojail shutdown
 
@@ -14,6 +14,9 @@ name="random"
 start_cmd="random_start"
 stop_cmd="random_stop"
 
+extra_commands="saveseed"
+saveseed_cmd="${name}_stop"
+
 feed_dev_random()
 {
        if [ -f "${1}" -a -r "${1}" -a -s "${1}" ]; then
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"

Reply via email to