• Jason A. Donenfeld's avatar
    random: use chacha20 for get_random_int/long · af729160
    Jason A. Donenfeld authored
    commit f5b98461 upstream.
    
    Now that our crng uses chacha20, we can rely on its speedy
    characteristics for replacing MD5, while simultaneously achieving a
    higher security guarantee. Before the idea was to use these functions if
    you wanted random integers that aren't stupidly insecure but aren't
    necessarily secure either, a vague gray zone, that hopefully was "good
    enough" for its users. With chacha20, we can strengthen this claim,
    since either we're using an rdrand-like instruction, or we're using the
    same crng as /dev/urandom. And it's faster than what was before.
    
    We could have chosen to replace this with a SipHash-derived function,
    which might be slightly faster, but at the cost of having yet another
    RNG construction in the kernel. By moving to chacha20, we have a single
    RNG to analyze and verify, and we also already get good performance
    improvements on all platforms.
    
    Implementation-wise, rather than use a generic buffer for both
    get_random_int/long and memcpy based on the size needs, we use a
    specific buffer for 32-bit reads and for 64-bit reads. This way, we're
    guaranteed to always have aligned accesses on all platforms. While
    slightly more verbose in C, the assembly this generates is a lot
    simpler than otherwise.
    
    Finally, on 32-bit platforms where longs and ints are the same size,
    we simply alias get_random_int to get_random_long.
    Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
    Suggested-by: default avatarTheodore Ts'o <tytso@mit.edu>
    Cc: Theodore Ts'o <tytso@mit.edu>
    Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Cc: Andy Lutomirski <luto@amacapital.net>
    Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    af729160
random.c 61.6 KB