diff options
| author | obrien <obrien@FreeBSD.org> | 2012-08-22 18:43:21 +0000 |
|---|---|---|
| committer | obrien <obrien@FreeBSD.org> | 2012-08-22 18:43:21 +0000 |
| commit | 1103474a1b620f985700209f4d64623f9e47db77 (patch) | |
| tree | 9fe77158cb4fab9ca13a3136bb199db1adda88a2 /etc | |
| parent | fb4ec977240f0d977e439951415e7e21a788f5a7 (diff) | |
| download | FreeBSD-src-1103474a1b620f985700209f4d64623f9e47db77.zip FreeBSD-src-1103474a1b620f985700209f4d64623f9e47db77.tar.gz | |
Remove old entropy seeding after consumption initializing /dev/random PRNG.
Not doing so opens us up to replay attacks.
Submitted by: Arthur Mesh <arthurmesh@gmail.com>
Sponsored by: Juniper Networks
Diffstat (limited to 'etc')
| -rwxr-xr-x | etc/rc.d/postrandom | 41 | ||||
| -rwxr-xr-x | etc/rc.d/random | 5 |
2 files changed, 45 insertions, 1 deletions
diff --git a/etc/rc.d/postrandom b/etc/rc.d/postrandom new file mode 100755 index 0000000..f5311c2 --- /dev/null +++ b/etc/rc.d/postrandom @@ -0,0 +1,41 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# PROVIDE: postrandom +# REQUIRE: initrandom random var +# BEFORE: LOGIN +# KEYWORD: nojail + +. /etc/rc.subr + +name="postrandom" +start_cmd="${name}_start" +stop_cmd=":" + +# This will remove old ${entropy_file} and generate a new one. +# According to Bruce Schneier, this is stronly recomended in order +# to avoid using same ${entropy_file} across reboots. +# Reference: Chapter 10.6, Practical Cryptograpy, ISBN: 0-471-22357-3 + +postrandom_start() +{ + /etc/rc.d/random fastsaveseed + + case ${entropy_dir} in + [Nn][Oo]) + ;; + *) + entropy_dir=${entropy_dir:-/var/db/entropy} + if [ -d "${entropy_dir}" ]; then + if [ -w /dev/random ]; then + rm -f ${entropy_dir}/* + fi + fi + ;; + esac +} + +load_rc_config random +run_rc_command "$1" diff --git a/etc/rc.d/random b/etc/rc.d/random index 160b1d4..8d9fd44 100755 --- a/etc/rc.d/random +++ b/etc/rc.d/random @@ -4,7 +4,7 @@ # # PROVIDE: random -# REQUIRE: var initrandom +# REQUIRE: initrandom var # BEFORE: netif # KEYWORD: nojail shutdown @@ -14,6 +14,9 @@ name="random" start_cmd="random_start" stop_cmd="random_stop" +extra_commands="saveseed" +saveseed_cmd="${name}_stop" + feed_dev_random() { if [ -f "${1}" -a -r "${1}" -a -s "${1}" ]; then |
