c51f8f88d7
Non-cryptographic PRNGs may have great statistical properties, but are usually trivially predictable to someone who knows the algorithm, given a small sample of their output. An LFSR like prandom_u32() is particularly simple, even if the sample is widely scattered bits. It turns out the network stack uses prandom_u32() for some things like random port numbers which it would prefer are *not* trivially predictable. Predictability led to a practical DNS spoofing attack. Oops. This patch replaces the LFSR with a homebrew cryptographic PRNG based on the SipHash round function, which is in turn seeded with 128 bits of strong random key. (The authors of SipHash have *not* been consulted about this abuse of their algorithm.) Speed is prioritized over security; attacks are rare, while performance is always wanted. Replacing all callers of prandom_u32() is the quick fix. Whether to reinstate a weaker PRNG for uses which can tolerate it is an open question. Commit |
||
---|---|---|
.. | ||
agp | ||
hw_random | ||
ipmi | ||
mwave | ||
pcmcia | ||
tpm | ||
xilinx_hwicap | ||
xillybus | ||
Kconfig | ||
Makefile | ||
adi.c | ||
apm-emulation.c | ||
applicom.c | ||
applicom.h | ||
bsr.c | ||
ds1620.c | ||
dsp56k.c | ||
dtlk.c | ||
hangcheck-timer.c | ||
hpet.c | ||
lp.c | ||
mem.c | ||
misc.c | ||
mspec.c | ||
nsc_gpio.c | ||
nvram.c | ||
nwbutton.c | ||
nwbutton.h | ||
nwflash.c | ||
pc8736x_gpio.c | ||
powernv-op-panel.c | ||
ppdev.c | ||
ps3flash.c | ||
random.c | ||
raw.c | ||
scx200_gpio.c | ||
sonypi.c | ||
tb0219.c | ||
tlclk.c | ||
toshiba.c | ||
ttyprintk.c | ||
uv_mmtimer.c | ||
virtio_console.c |