tech-security archive
Re: FreeBSD rnd bug
On 19 Feb 2015, at 15:51 , Jean-Yves Migeon <jym%NetBSD.org@localhost> wrote:
> Le 19/02/2015 09:47, Fredrik Pettai a écrit :
>> Did you see this:
>>
>> https://lists.freebsd.org/pipermail/freebsd-current/2015-February/054580.html
>>
>> I know that the rnd code in NetBSD has been reworked several times lately,
>> is the NetBSD design very different from FreeBSDs? or are they fairly equal?
>
> They are completely different. There are two PRNGs:
> - a "fast" one (chacha20) which is consumed in places where plain randomization is required in performance critical paths (ASLR, TCP sequence, anon ports...);
> - a "strong" one (NIST CTR DRBG with AES 128 as block cipher) for crypto related operations.
>
> The seed for the fast RNG is obtained from the strong RNG, and the strong PRNG is initted through rndsink(9). Of course from there, quality depends on the entropy sources, but this is just to show that the call paths and APIs have nothing in common.
Are there any (continuous) self-tests performed on the data that comes out of fast/strong?
pkgsrc/security/ent exists and gives some analyses. I noted that someone ported rngtest (from Debian's rng-tools) to FreeBSD: https://github.com/waitman/rngtest (but I don't know if it compiles/works on NetBSD)
/P
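To make the self-test question concrete, here is an added example (not code from this thread, from NetBSD or from rngtest): a C implementation of the FIPS 140-2 block tests that rngtest applies to 20,000-bit chunks of generator output (monobit, poker, long-run), plus the continuous comparison of consecutive blocks. The xorshift32 filler is a constructed stand-in for /dev/urandom output, not the kernel's chacha20 or CTR DRBG.

```c
#include <stdint.h>
#include <string.h>
#define FIPS_BLOCK_BYTES 2500 /* FIPS 140-2 4.9.1 tests (the ones rngtest runs) use 20,000-bit blocks */
/* Monobit test: the number of 1 bits must satisfy 9725 < ones < 10275. */
int fips_monobit(const uint8_t *blk)
{
    int ones = 0;
    for (size_t i = 0; i < FIPS_BLOCK_BYTES; i++)
        ones += __builtin_popcount(blk[i]);
    return ones > 9725 && ones < 10275;
}
/* Poker test over the 5000 4-bit segments: X = (16/5000)*sum(f_i^2) - 5000, pass if 2.16 < X < 46.17. */
int fips_poker(const uint8_t *blk)
{
    unsigned long f[16] = {0}, sumsq = 0;
    for (size_t i = 0; i < FIPS_BLOCK_BYTES; i++) { f[blk[i] >> 4]++; f[blk[i] & 0x0f]++; }
    for (int i = 0; i < 16; i++) sumsq += f[i] * f[i];
    double x = (16.0 / 5000.0) * (double)sumsq - 5000.0;
    return x > 2.16 && x < 46.17;
}
/* Long-run test: a run of 26 or more identical bits fails the block. */
int fips_long_run(const uint8_t *blk)
{
    int prev = -1, run = 0;
    for (size_t i = 0; i < FIPS_BLOCK_BYTES; i++)
        for (int b = 7; b >= 0; b--) {
            int bit = (blk[i] >> b) & 1;
            run = (bit == prev) ? run + 1 : 1;
            prev = bit;
            if (run >= 26) return 0;
        }
    return 1;
}
/* Continuous test: a block identical to the previous one means a stuck source. */
int fips_continuous(const uint8_t *prev, const uint8_t *cur)
{
    return memcmp(prev, cur, FIPS_BLOCK_BYTES) != 0;
}
/* All per-block tests together; 1 only if every one of them passes. */
int fips_block_ok(const uint8_t *blk)
{
    return fips_monobit(blk) && fips_poker(blk) && fips_long_run(blk);
}
/* Constructed stand-in for generator output: xorshift32, not any kernel PRNG. */
void fill_block(uint8_t *blk, uint32_t seed)
{
    uint32_t x = seed;
    for (size_t i = 0; i < FIPS_BLOCK_BYTES; i++) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        blk[i] = (uint8_t)(x >> 24);
    }
}
```

Feeding 2500-byte reads from /dev/urandom through fips_block_ok and fips_continuous gives the same kind of verdict rngtest reports. A failing block points at a stuck or unseeded generator rather than proving the design weak, since these tests only catch gross defects.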