aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2009-05-05 11:17:43 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2009-05-07 14:59:06 -0400
commit8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02 (patch)
tree2c961332be5d4c4e2c8c4a4a4f899afaebc44dd7
parent2c66fa7e6be6bdb88587ac13ac1de080d5be4f95 (diff)
random: make get_random_int() more random
It's a really simple patch that basically just open-codes the current "secure_ip_id()" call, but when open-coding it we now use a _static_ hashing area, so that it gets updated every time. And to make sure somebody can't just start from the same original seed of all-zeroes, and then do the "half_md4_transform()" over and over until they get the same sequence as the kernel has, each iteration also mixes in the same old "current->pid + jiffies" we used - so we should now have a regular strong pseudo-number generator, but we also have one that doesn't have a single seed. Note: the "pid + jiffies" is just meant to be a tiny tiny bit of noise. It has no real meaning. It could be anything. I just picked the previous seed, it's just that now we keep the state in between calls and that will feed into the next result, and that should make all the difference. I made that hash be a per-cpu data just to avoid cache-line ping-pong: having multiple CPU's write to the same data would be fine for randomness, and add yet another layer of chaos to it, but since get_random_int() is supposed to be a fast interface I did it that way instead. I considered using "__raw_get_cpu_var()" to avoid any preemption overhead while still getting the hash be _mostly_ ping-pong free, but in the end good taste won out. Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--drivers/char/random.c19
1 files changed, 12 insertions, 7 deletions
diff --git a/drivers/char/random.c b/drivers/char/random.c
index f824ef8a9273..b2ced39d76b2 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -1665,15 +1665,20 @@ EXPORT_SYMBOL(secure_dccp_sequence_number);
1665 * value is not cryptographically secure but for several uses the cost of 1665 * value is not cryptographically secure but for several uses the cost of
1666 * depleting entropy is too high 1666 * depleting entropy is too high
1667 */ 1667 */
1668DEFINE_PER_CPU(__u32 [4], get_random_int_hash);
1668unsigned int get_random_int(void) 1669unsigned int get_random_int(void)
1669{ 1670{
1670 /* 1671 struct keydata *keyptr;
1671 * Use IP's RNG. It suits our purpose perfectly: it re-keys itself 1672 __u32 *hash = get_cpu_var(get_random_int_hash);
1672 * every second, from the entropy pool (and thus creates a limited 1673 int ret;
1673 * drain on it), and uses halfMD4Transform within the second. We 1674
1674 * also mix it with jiffies and the PID: 1675 keyptr = get_keyptr();
1675 */ 1676 hash[0] += current->pid + jiffies + get_cycles() + (int)(long)&ret;
1676 return secure_ip_id((__force __be32)(current->pid + jiffies)); 1677
1678 ret = half_md4_transform(hash, keyptr->secret);
1679 put_cpu_var(get_random_int_hash);
1680
1681 return ret;
1677} 1682}
1678 1683
1679/* 1684/*