Re: [PATCH v2 2/2] random: use BLAKE2s instead of SHA1 in extraction
From: Geert Uytterhoeven
Date: Tue Jan 11 2022 - 06:39:39 EST
Hi Jsaon,
On Sat, Dec 25, 2021 at 1:52 AM Jason A. Donenfeld <Jason@xxxxxxxxx> wrote:
> This commit addresses one of the lower hanging fruits of the RNG: its
> usage of SHA1.
>
> BLAKE2s is generally faster, and certainly more secure, than SHA1, which
> has [1] been [2] really [3] very [4] broken [5]. Additionally, the
> current construction in the RNG doesn't use the full SHA1 function, as
> specified, and allows overwriting the IV with RDRAND output in an
> undocumented way, even in the case when RDRAND isn't set to "trusted",
> which means potential malicious IV choices. And its short length means
> that keeping only half of it secret when feeding back into the mixer
> gives us only 2^80 bits of forward secrecy. In other words, not only is
> the choice of hash function dated, but the use of it isn't really great
> either.
m68k bloat-o-meter:
blake2s_compress_generic - 4448 +4448
blake2s256_hmac - 302 +302
blake2s_update - 156 +156
blake2s_final - 124 +124
blake2s_init.constprop - 94 +94
__ksymtab_blake2s_update - 12 +12
__ksymtab_blake2s_final - 12 +12
__ksymtab_blake2s_compress_generic - 12 +12
__ksymtab_blake2s256_hmac - 12 +12
blake2s_mod_init - 4 +4
__initcall__kmod_libblake2s__101_82_blake2s_mod_init6 - 4 +4
Unfortunately we cannot get rid of the sha1 code yet (lib/sha1.o is
built-in unconditionally), as there are other users...
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@xxxxxxxxxxxxxx
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds