The OpenBSD random number subsystem uses an in-kernel entropy pool. This
data isn't used directly. When entropy is requested, the contents of the
pool are hashed with MD5, and the massaged output used to seed an RC4 PRNG.
In looking at the code, however, I notice we actually fold the MD5 output in
half. From extract_entropy():
    MD5Final(buffer, &tmp);
    /*
     * In case the hash function has some recognizable
     * output pattern, we fold it in half.
     */
    buffer[0] ^= buffer[15];
    buffer[1] ^= buffer[14];
    buffer[2] ^= buffer[13];
    buffer[3] ^= buffer[12];
    buffer[4] ^= buffer[11];
    buffer[5] ^= buffer[10];
    buffer[6] ^= buffer[ 9];
    buffer[7] ^= buffer[ 8];
    /* Copy data to destination buffer */
    bcopy(buffer, buf, i);
    nbytes -= i;
    buf += i;
My question: Why? What exactly are we protecting against, and is this really
protection? (The comment indicates "some recognizable output pattern", but
that means little to me as is.) Can we really be sure it doesn't make things
worse?
Is this done elsewhere, or is it our particular brand of voodoo?
Happy ho ho,
-kj
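As an added illustration (not part of the original post, and not OpenBSD's rnd.c), here is a Python model of the fold shown above and of the extract loop around it. The `fold_md5` function is a direct transcription of the eight XOR lines; `extract_entropy` is a simplified model in which a counter is appended to the pool before each hash (an assumption made here so that successive digests differ; the kernel's own method of advancing the pool between hashes is not shown in the quoted fragment). The last two functions show the two properties that matter when judging the fold: it halves the output rate (8 bytes out per 16-byte digest), and XOR of two independent uniform halves is still uniform, while the degenerate case of mirrored halves collapses to zero.

```python
import hashlib
from collections import Counter


def fold_md5(digest: bytes) -> bytes:
    """XOR-fold a 16-byte MD5 digest into 8 bytes.

    Mirrors the kernel loop: buffer[k] ^= buffer[15 - k] for k in 0..7,
    after which only buffer[0..7] is copied out.
    """
    if len(digest) != 16:
        raise ValueError("MD5 digest must be 16 bytes")
    return bytes(digest[k] ^ digest[15 - k] for k in range(8))


def extract_entropy(pool: bytes, nbytes: int) -> bytes:
    """Simplified model of extract_entropy(): hash, fold, copy at most 8 bytes,
    repeat until nbytes have been produced.

    Assumption (not from the kernel source): a 32-bit counter is appended to
    the pool on each iteration so that repeated digests differ.
    """
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        digest = hashlib.md5(pool + counter.to_bytes(4, "little")).digest()
        folded = fold_md5(digest)
        i = min(nbytes - len(out), len(folded))  # same role as 'i' in the C
        out += folded[:i]
        counter += 1
    return bytes(out)


def digests_per_byte(nbytes: int) -> int:
    """Number of MD5 invocations the folded scheme needs for nbytes of output
    (the unfolded scheme would need half as many)."""
    return (nbytes + 7) // 8


def fold_looks_uniform(n_samples: int = 8192, seed: bytes = b"constructed-pool") -> bool:
    """Sanity check: fold n_samples digests of distinct constructed pool states
    and verify every byte value appears within a wide band around the mean.

    With 8192 samples there are 65536 output bytes, so each of the 256 values
    is expected about 256 times (sigma ~ 16); the band 0.6x..1.4x of the mean
    is more than six sigma wide, so a uniform source passes and a visibly
    patterned one (e.g. constant halves) does not.
    """
    counts = Counter()
    for n in range(n_samples):
        pool = seed + n.to_bytes(4, "little")
        counts.update(fold_md5(hashlib.md5(pool).digest()))
    mean = n_samples * 8 / 256
    return all(0.6 * mean <= counts[v] <= 1.4 * mean for v in range(256))


def fold_of_mirrored_halves(half: bytes) -> bytes:
    """The failure mode behind the question 'can it make things worse':
    if the two halves of the digest were mirror images of each other,
    the fold would XOR each byte with a copy of itself and yield all zeros."""
    if len(half) != 8:
        raise ValueError("half must be 8 bytes")
    return fold_md5(half + half[::-1])


if __name__ == "__main__":
    # Constructed inputs; digest 00..0f folds to eight bytes of 0x0f.
    print(fold_md5(bytes(range(16))).hex())
    print(extract_entropy(b"constructed-pool", 20).hex())
    print(digests_per_byte(20), "MD5 calls for 20 folded bytes")
    print("uniform:", fold_looks_uniform())
    print("mirrored halves fold to:", fold_of_mirrored_halves(bytes(range(8))).hex())
```

The uniformity check is not a proof of anything about MD5; it only shows that the fold itself does not introduce a byte-level bias when its input has none, which is the narrow question the kernel comment is addressing. The mirrored-halves case is the opposite extreme: it is the kind of structured output the fold would not survive, and it is why the fold only helps if the two halves of the digest are already independent of each other.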