Re: HEADS UP! New (incomplete) /dev/random device!
> > | 3) It is not built by default (except as a kernel module), so you > |either need to add the "options RANDOMDEV" like to your kernel > |config, or load it at boot time in /dev/loader.conf > > Can we make this a standard thing? I can't imagine why anyone wouldn't > want /dev/random in their system. Maybe to shrink the size of the > boot disk kernel, but I think the headaches that this could cause or worth > the code we might add. It is already in GENERIC; when the dust has settled, I'll tackle /boot/loader.conf. M -- Mark Murray Join the anti-SPAM movement: http://www.cauce.org To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
Mark Murray wrote: > > > On Sun, 25 Jun 2000, Warner Losh wrote: > > > > > Some days is OK, imho. Much more than that and I'd begin to worry. > > > Much more than a week or two and I'd worry a lot. I'll go put a note > > > in updating right now. > > > > That's okay with me too. People should just not upgrade their work > > machines for the next few days until entropy is fixed. > > Upgrading is fine; just don't build certificates/credentials. Upgrading is *not* fine. Everything that uses high-quality randomness is broken. This includes SSH, PGP, GnuPG, Apache/SSL random pid generation and what not. No, upgrading is not fine at all. Cheers, Jeroen -- Jeroen C. van Gelderen o _ _ _ [EMAIL PROTECTED] _o /\_ _ \\o (_)\__/o (_) _< \_ _>(_) (_)/<_\_| \ _|/' \/ (_)>(_) (_)(_) (_)(_)' _\o_ To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
On Mon, Jun 26, 2000 at 04:09:26PM +0200, Leif Neland wrote: > How much does this "unrandomness" matter? That's why I said `depending on the application'. It probably doesn't matter too much for a Kerberos session key that will be used for the duration of an ftp session. It definately matters if you just generated a keytab to use for your new server, and you use that key for the lifetime of your server (not atypical). > How often are keys generated? If only once per program, then does it really > matter if the keys are generated randomly or from my mothers maiden name? Consult Schroedinger's cat. Maybe it only `matters' if someone is looking for weak keys in your environment. :-) -- Jacques Vidrine / [EMAIL PROTECTED] / [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
How much does this "unrandomness" matter? How often are keys generated? If only once per program, then does it really matter if the keys are generated randomly or from my mothers maiden name? Leif - Original Message - From: "Jacques A . Vidrine" <[EMAIL PROTECTED]> To: "Kris Kennaway" <[EMAIL PROTECTED]> Cc: "Mark Murray" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Monday, June 26, 2000 3:25 PM Subject: Re: HEADS UP! New (incomplete) /dev/random device! > On Sun, Jun 25, 2000 at 12:55:47PM -0700, Kris Kennaway wrote: > > > > I don't know which applications depend on /dev/random providing entropy > > > > and which gather their own. > > SSH and SSL should not be used: PGP should be okay. > > FWIW, a quick look indicates: > > MIT Kerberos V gathers its own ``entropy'' when generating random > keys > > Heimdal uses /dev/random > > This matters in particular for creating keys for servers. Session keys > may or may not be a big deal, depending on the application. > -- > Jacques Vidrine / [EMAIL PROTECTED] / [EMAIL PROTECTED] > > > To Unsubscribe: send mail to [EMAIL PROTECTED] > with "unsubscribe freebsd-current" in the body of the message > To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
> On Sun, Jun 25, 2000 at 12:35:12PM +0200, Mark Murray wrote: > > 3) It is not built by default (except as a kernel module), so you > >either need to add the "options RANDOMDEV" like to your kernel > >config, or load it at boot time in /dev/loader.conf > > Can't things be made to autoload random.ko as happens for if_fxp.ko when > I ifconfig it, or msdos.ko and procfs.ko when I mount them. I'd like to do this, but there is no "trigger" that can be hooked to do the work (mount and ifconfig can both do the work, but where do you hook a read(2) from /dev/random?) M -- Mark Murray Join the anti-SPAM movement: http://www.cauce.org To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
On Sun, Jun 25, 2000 at 12:55:47PM -0700, Kris Kennaway wrote: > > > I don't know which applications depend on /dev/random providing entropy > > > and which gather their own. > SSH and SSL should not be used: PGP should be okay. FWIW, a quick look indicates: MIT Kerberos V gathers its own ``entropy'' when generating random keys Heimdal uses /dev/random This matters in particular for creating keys for servers. Session keys may or may not be a big deal, depending on the application. -- Jacques Vidrine / [EMAIL PROTECTED] / [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
On Sun, Jun 25, 2000 at 12:35:12PM +0200, Mark Murray wrote: > 3) It is not built by default (except as a kernel module), so you >either need to add the "options RANDOMDEV" like to your kernel >config, or load it at boot time in /dev/loader.conf Can't things be made to autoload random.ko as happens for if_fxp.ko when I ifconfig it, or msdos.ko and procfs.ko when I mount them. -- -- David ([EMAIL PROTECTED]) To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
On Sun, Jun 25, 2000 at 10:17:27PM +0200, Mark Murray wrote: > 2) With the SMP "Destabilization" of the tree coming, I took the >opportunity because >a) Merging differences was going to get harder; and >b) folk were already warned off the use off CURRENT for > production purposes. Your code touched so many files and functions that you could not have not updated your /usr/src/sys for 2 weeks? It is possible to develop on something more than 1 hour old. -- -- David ([EMAIL PROTECTED]) To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
On Sun, Jun 25, 2000 at 01:21:10PM -0700, Kris Kennaway wrote:
> > 1) I whined for reviews for long enough. Where were you?
>
> Waiting until the code was complete and nominally commitworthy before
> spending time reviewing it.
\begin{AOL}
me too
\end{AOL}
--
-- David ([EMAIL PROTECTED])
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
On Sun, Jun 25, 2000 at 12:55:47PM -0700, Kris Kennaway wrote: > I must say I'm not all that comfortable with this series of commits - I > was expecting this to stay in Mark's tree until it at least tries to do > everything the old driver did. Weakening system security like this for an > indeterminate period really bothers me. Agreed. Unlike the upcoming SMPng work, I don't see why this couldn't have been done until the new random device code was fully ready. -- -- David ([EMAIL PROTECTED]) To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
On Sun, 25 Jun 2000, Soren Schmidt wrote: > It seems Mark Murray wrote: > > > > Without knowing what you typed (and where), I can't help. > > > > > > Well, I thought that was obvious :) > > > > Not really; folks do the darndest things. :-) > > > > > Just added options RANDOMDEV as pr your instructions and made > > > a new kernel with config -r and make depend then make > > > > Do you have a full crypto distribution (kernel also)? > > Nope, just figured that out myself :) > Aren't we supposed to be able to build without crypto ?? Since the random dev is a cryptographically strong PRNG, I think its reasonable to depend on the crypto kernel bits. -- Doug Rabson Mail: [EMAIL PROTECTED] Nonlinear Systems Ltd. Phone: +44 20 8442 9037 To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
On Mon, 26 Jun 2000, Mark Murray wrote: > > That's okay with me too. People should just not upgrade their work > > machines for the next few days until entropy is fixed. > > Upgrading is fine; just don't build certificates/credentials. Or use ssh Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe <[EMAIL PROTECTED]> To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
> On Sun, 25 Jun 2000, Warner Losh wrote: > > > Some days is OK, imho. Much more than that and I'd begin to worry. > > Much more than a week or two and I'd worry a lot. I'll go put a note > > in updating right now. > > That's okay with me too. People should just not upgrade their work > machines for the next few days until entropy is fixed. Upgrading is fine; just don't build certificates/credentials. M -- Mark Murray Join the anti-SPAM movement: http://www.cauce.org To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
Kris Kennaway wrote: > > On Sun, 25 Jun 2000, Warner Losh wrote: > > > Some days is OK, imho. Much more than that and I'd begin to worry. > > Much more than a week or two and I'd worry a lot. I'll go put a note > > in updating right now. > > That's okay with me too. People should just not upgrade their work > machines for the next few days until entropy is fixed. It would be interesting to see how many people are using FreeBSD-current as a "work" machine, if you mean "work" to be a production machine doing actual server work. A lot of times, -current has been pretty stable for me, and I avoided a lot of "make world" and stability problems by following what's going on in this mailing list. I've only had a couple problems over the past 3 1/2 years with stability in FreeBSD-current, starting with 3.0-current. Granted, it's not generally recommended to use -current boxes as your main machine, but if you're careful, it's doable. I say FreeBSD-current makes a pretty decent production machine if the admin is smart enough to follow the mailing list and is knowledegeable enough to recognize the pitfalls of running such a beast. All others should be running 4.0-release or -stable, of course. - Donn To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
On Sun, 25 Jun 2000, Warner Losh wrote: > Some days is OK, imho. Much more than that and I'd begin to worry. > Much more than a week or two and I'd worry a lot. I'll go put a note > in updating right now. That's okay with me too. People should just not upgrade their work machines for the next few days until entropy is fixed. Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe <[EMAIL PROTECTED]> To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
> In message <[EMAIL PROTECTED]> Mark Murray writes: > : > Yes. Me too. Mark, how long is this period going to be? > : > : Some days. Certainly a lot shorter that the SMP destabilization. > > Some days is OK, imho. Much more than that and I'd begin to worry. > Much more than a week or two and I'd worry a lot. I'll go put a note > in updating right now. Thanks! :-) M -- Mark Murray Join the anti-SPAM movement: http://www.cauce.org To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
In message <[EMAIL PROTECTED]> Mark Murray writes: : > Yes. Me too. Mark, how long is this period going to be? : : Some days. Certainly a lot shorter that the SMP destabilization. Some days is OK, imho. Much more than that and I'd begin to worry. Much more than a week or two and I'd worry a lot. I'll go put a note in updating right now. Warner To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
On Sun, 25 Jun 2000, Mark Murray wrote: > > I must say I'm not all that comfortable with this series of commits - I > > was expecting this to stay in Mark's tree until it at least tries to do > > everything the old driver did. Weakening system security like this for an > > indeterminate period really bothers me. > > 1) I whined for reviews for long enough. Where were you? Waiting until the code was complete and nominally commitworthy before spending time reviewing it. Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe <[EMAIL PROTECTED]> To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
> Yes. Me too. Mark, how long is this period going to be? Some days. Certainly a lot shorter that the SMP destabilization. M -- Mark Murray Join the anti-SPAM movement: http://www.cauce.org To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
> > It complains about libcrypto & libssl not containing RSA, but it > > might be because make world is broken due to perl... > > This happens when a test RSA operation fails - but OpenSSH doesn't try to > check why it fails and assumes it was because no RSA code even > exists. It's probably more likely it's failing an internal check related > to /dev/random (this is the signature which caused me to notice the > missing /dev/random on alpha recently) Looks like we (er, you! :-) ) have a job to do fixing this? ;-) M -- Mark Murray Join the anti-SPAM movement: http://www.cauce.org To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
> I must say I'm not all that comfortable with this series of commits - I > was expecting this to stay in Mark's tree until it at least tries to do > everything the old driver did. Weakening system security like this for an > indeterminate period really bothers me. 1) I whined for reviews for long enough. Where were you? 2) With the SMP "Destabilization" of the tree coming, I took the opportunity because a) Merging differences was going to get harder; and b) folk were already warned off the use off CURRENT for production purposes. 3) I fully recognise that this needs to be worked on; now that I have gotten rid of a lot of mess, I can give it my attention; the time is not "indeterminate", it is "work in progress" (Ya, Ya, semantics). M -- Mark Murray Join the anti-SPAM movement: http://www.cauce.org To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
> And the one to yarrow.c ?? Done! > > What are the symptoms? > > It complains about libcrypto & libssl not containing RSA, but it > might be because make world is broken due to perl... That means the /dev/random driver is not loaded. /../../contrib/perl5/configpm line 20. > Use of uninitialized value at /u1/src/gnu/usr.bin/perl/libperl/../../../../co ntrib/perl5/configpm line 432. Fix coming now... > > > Seems phk's extended Murphy field has found a new victim :) > > > > Always, with a big commit. > > Nah, not if tested proberly :) Dunno. There seems to be a limit on commit size, after which glitches are bound to come. I see my job as staying awake long enough to make things stable enough. :-) M -- Mark Murray Join the anti-SPAM movement: http://www.cauce.org To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
In message <[EMAIL PROTECTED]> Kris Kennaway writes: : I must say I'm not all that comfortable with this series of commits - I : was expecting this to stay in Mark's tree until it at least tries to do : everything the old driver did. Weakening system security like this for an : indeterminate period really bothers me. Yes. Me too. Mark, how long is this period going to be? Warner To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
On Sun, 25 Jun 2000, Soren Schmidt wrote: > It complains about libcrypto & libssl not containing RSA, but it > might be because make world is broken due to perl... This happens when a test RSA operation fails - but OpenSSH doesn't try to check why it fails and assumes it was because no RSA code even exists. It's probably more likely it's failing an internal check related to /dev/random (this is the signature which caused me to notice the missing /dev/random on alpha recently) Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe <[EMAIL PROTECTED]> To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
On Sun, 25 Jun 2000, Mark Murray wrote: > > I don't know which applications depend on /dev/random providing entropy > > and which gather their own. > > Right. SSH and SSL should not be used: PGP should be okay. I must say I'm not all that comfortable with this series of commits - I was expecting this to stay in Mark's tree until it at least tries to do everything the old driver did. Weakening system security like this for an indeterminate period really bothers me. Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe <[EMAIL PROTECTED]> To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
It seems Mark Murray wrote: > > He he :) remember the patch to i386/i386/mem.c as that is also > > broken, the default statement is best used _inside_ a switch :) > > Yeah - I got that :-). And the one to yarrow.c ?? > > That makes my kernel compile, but ssh doesn't work anymore, > > What are the symptoms? It complains about libcrypto & libssl not containing RSA, but it might be because make world is broken due to perl... > > which might be due to world being broken due to your import > > of the latest ugliest perl version, it doesn't compile either :) > > Symptoms? cd /u1/src/gnu/usr.bin/perl/libperl && make build-tools Extracting config.h (with variable substitutions) Extracting cflags (with variable substitutions) Extracting writemain (with variable substitutions) Extracting myconfig (with variable substitutions) Invalid conversion in sprintf: "%v" at /u1/src/gnu/usr.bin/perl/libperl/../../../../contrib/perl5/configpm line 20. Use of uninitialized value at /u1/src/gnu/usr.bin/perl/libperl/../../../../contrib/perl5/configpm line 432. /u1/src/gnu/usr.bin/perl/libperl/../../../../contrib/perl5/configpm: Config.pm not valid at /u1/src/gnu/usr.bin/perl/libperl/../../../../contrib/perl5/configpm line 432. > > Seems phk's extended Murphy field has found a new victim :) > > Always, with a big commit. Nah, not if tested proberly :) -Søren To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
> He he :) remember the patch to i386/i386/mem.c as that is also > broken, the default statement is best used _inside_ a switch :) Yeah - I got that :-). > That makes my kernel compile, but ssh doesn't work anymore, What are the symptoms? > which might be due to world being broken due to your import > of the latest ugliest perl version, it doesn't compile either :) Symptoms? > Seems phk's extended Murphy field has found a new victim :) Always, with a big commit. M -- Mark Murray Join the anti-SPAM movement: http://www.cauce.org To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
It seems Mark Murray wrote: > > > I'm not sure about that rule anymore; AFAIK, it is not possible. > > > > Hmm, we also have another rule, and that is to test before commit, > > the following patch is needed to make a current kernel with > > your resent commits compile :) > > Fooey. :-( > > This is what you get from too-heavy testing in modules, and > not-heavy-enough in LINT. He he :) remember the patch to i386/i386/mem.c as that is also broken, the default statement is best used _inside_ a switch :) That makes my kernel compile, but ssh doesn't work anymore, which might be due to world being broken due to your import of the latest ugliest perl version, it doesn't compile either :) Seems phk's extended Murphy field has found a new victim :) -Søren To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
> > I'm not sure about that rule anymore; AFAIK, it is not possible. > > Hmm, we also have another rule, and that is to test before commit, > the following patch is needed to make a current kernel with > your resent commits compile :) Fooey. :-( This is what you get from too-heavy testing in modules, and not-heavy-enough in LINT. Thanks! M -- Mark Murray Join the anti-SPAM movement: http://www.cauce.org To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
It seems Mark Murray wrote: > > > Do you have a full crypto distribution (kernel also)? > > > > Nope, just figured that out myself :) > > Aren't we supposed to be able to build without crypto ?? > > I'm not sure about that rule anymore; AFAIK, it is not possible. Hmm, we also have another rule, and that is to test before commit, the following patch is needed to make a current kernel with your resent commits compile :) Index: dev/randomdev//randomdev.c === RCS file: /home/ncvs/src/sys/dev/randomdev/randomdev.c,v retrieving revision 1.1 diff -u -r1.1 randomdev.c --- dev/randomdev//randomdev.c 2000/06/25 08:38:58 1.1 +++ dev/randomdev//randomdev.c 2000/06/25 18:39:10 @@ -44,7 +44,7 @@ #include #include -#include "yarrow.h" +#include "dev/randomdev/yarrow.h" static d_read_t randomread; static d_write_t randomwrite; Index: dev/randomdev//yarrow.c === RCS file: /home/ncvs/src/sys/dev/randomdev/yarrow.c,v retrieving revision 1.1 diff -u -r1.1 yarrow.c --- dev/randomdev//yarrow.c 2000/06/25 08:38:58 1.1 +++ dev/randomdev//yarrow.c 2000/06/25 18:38:58 @@ -39,7 +39,7 @@ #include #include -#include "yarrow.h" +#include "dev/randomdev/yarrow.h" void generator_gate(void); void reseed(void); Index: i386/i386//mem.c === RCS file: /home/ncvs/src/sys/i386/i386/mem.c,v retrieving revision 1.86 diff -u -r1.86 mem.c --- i386/i386//mem.c2000/06/25 17:26:47 1.86 +++ i386/i386//mem.c2000/06/25 18:42:13 @@ -217,10 +217,10 @@ /* minor device 1 is kernel memory */ case 1: return i386_btop(vtophys(offset)); - } default: return -1; + } } /* -Søren To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
> > Do you have a full crypto distribution (kernel also)? > > Nope, just figured that out myself :) > Aren't we supposed to be able to build without crypto ?? I'm not sure about that rule anymore; AFAIK, it is not possible. M -- Mark Murray Join the anti-SPAM movement: http://www.cauce.org To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
It seems Mark Murray wrote: > > > Without knowing what you typed (and where), I can't help. > > > > Well, I thought that was obvious :) > > Not really; folks do the darndest things. :-) > > > Just added options RANDOMDEV as pr your instructions and made > > a new kernel with config -r and make depend then make > > Do you have a full crypto distribution (kernel also)? Nope, just figured that out myself :) Aren't we supposed to be able to build without crypto ?? -Søren To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
> > Without knowing what you typed (and where), I can't help. > > Well, I thought that was obvious :) Not really; folks do the darndest things. :-) > Just added options RANDOMDEV as pr your instructions and made > a new kernel with config -r and make depend then make Do you have a full crypto distribution (kernel also)? M -- Mark Murray Join the anti-SPAM movement: http://www.cauce.org To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
It seems Mark Murray wrote: > Hi > > Without knowing what you typed (and where), I can't help. Well, I thought that was obvious :) Just added options RANDOMDEV as pr your instructions and made a new kernel with config -r and make depend then make > > cc -c -O -pipe -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes > -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -fformat-extensions > -ansi -g -nostdinc -I- -I. -I../.. -I../../../include -D_KERNEL -include opt_g > lobal.h -elf -mpreferred-stack-boundary=2 ../../dev/randomdev/randomdev.c > > ../../dev/randomdev/randomdev.c:45: crypto/blowfish/blowfish.h: No such file > or directory > > ../../dev/randomdev/randomdev.c:47: yarrow.h: No such file or directory > > ../../dev/randomdev/randomdev.c:85: invalid use of undefined type `struct sta > te' > > ../../dev/randomdev/randomdev.c:85: initializer element is not constant > > ../../dev/randomdev/randomdev.c:85: (near initialization for `sysctl___kern_r > andom_yarrow_gengateinterval.oid_arg1') > > *** Error code 1 -Søren To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
Hi Without knowing what you typed (and where), I can't help. M > Uhm, what about this: > > > cc -c -O -pipe -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -fformat-extensions -ansi -g -nostdinc -I- -I. -I../.. -I../../../include -D_KERNEL -include opt_g lobal.h -elf -mpreferred-stack-boundary=2 ../../dev/randomdev/randomdev.c > ../../dev/randomdev/randomdev.c:45: crypto/blowfish/blowfish.h: No such file or directory > ../../dev/randomdev/randomdev.c:47: yarrow.h: No such file or directory > ../../dev/randomdev/randomdev.c:85: invalid use of undefined type `struct sta te' > ../../dev/randomdev/randomdev.c:85: initializer element is not constant > ../../dev/randomdev/randomdev.c:85: (near initialization for `sysctl___kern_r andom_yarrow_gengateinterval.oid_arg1') > *** Error code 1 > > -Søren > -- Mark Murray Join the anti-SPAM movement: http://www.cauce.org To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
It seems Mark Murray wrote: > Hola Mondo! > > The New /dev/random device is in but there are come caveats. > > 1) It is not yet cryptographically secure, so those of you using >CURRENT for "live" projects, please be careful! > > 2) If you do not have the randomdev module loaded, ssh will >fail in strange and creative ways (like RSA or DH not working >for strange reasons). > > 3) It is not built by default (except as a kernel module), so you >either need to add the "options RANDOMDEV" like to your kernel >config, or load it at boot time in /dev/loader.conf > > 4) Make sure that you update your /etc area (mergemaster is your >friend). The rndcontrol(8) utility is now OBE, and no longer of >relevance. > > You have been warned! Uhm, what about this: cc -c -O -pipe -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -fformat-extensions -ansi -g -nostdinc -I- -I. -I../.. -I../../../include -D_KERNEL -include opt_global.h -elf -mpreferred-stack-boundary=2 ../../dev/randomdev/randomdev.c ../../dev/randomdev/randomdev.c:45: crypto/blowfish/blowfish.h: No such file or directory ../../dev/randomdev/randomdev.c:47: yarrow.h: No such file or directory ../../dev/randomdev/randomdev.c:85: invalid use of undefined type `struct state' ../../dev/randomdev/randomdev.c:85: initializer element is not constant ../../dev/randomdev/randomdev.c:85: (near initialization for `sysctl___kern_random_yarrow_gengateinterval.oid_arg1') *** Error code 1 -Søren To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
> I guess it follows that it is not a good idea to generate keys or > certificates on -CURRENT for a while (until entropy comes back to town)? Correct if they rely on /dev/random for entropy. > I don't know which applications depend on /dev/random providing entropy > and which gather their own. Right. > If so, I think this needs an UPDATING entry, particularly since the > symptoms could outlive the cause. i.e. something to the effect of > ``Keys and certificates generated on -CURRENT on or after m/d/y should > not be used'' and updated again when the entropy is again available. Agreed. M -- Mark Murray Join the anti-SPAM movement: http://www.cauce.org To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP! New (incomplete) /dev/random device!
On Sun, Jun 25, 2000 at 12:35:12PM +0200, Mark Murray wrote: > 1) It is not yet cryptographically secure, so those of you using >CURRENT for "live" projects, please be careful! I guess it follows that it is not a good idea to generate keys or certificates on -CURRENT for a while (until entropy comes back to town)? I don't know which applications depend on /dev/random providing entropy and which gather their own. If so, I think this needs an UPDATING entry, particularly since the symptoms could outlive the cause. i.e. something to the effect of ``Keys and certificates generated on -CURRENT on or after m/d/y should not be used'' and updated again when the entropy is again available. -- Jacques Vidrine / [EMAIL PROTECTED] / [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
