random: mix in architectural randomness earlier in extract_buf()

[deliverable/linux.git] / drivers / char / random.c

diff --git a/drivers/char/random.c b/drivers/char/random.c
index 2d5daf9b58e9eb0ec58e7bdd04a5d4f0e26dc1a1..54d020815b4e368b92bd89a88b6eb08fccd331d6 100644 (file)
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -904,7 +904,7 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
        int i;
        union {
                __u32 w[5];
-               unsigned long l[LONGS(EXTRACT_SIZE)];
+               unsigned long l[LONGS(20)];
        } hash;
        __u32 workspace[SHA_WORKSPACE_WORDS];
        __u8 extract[64];
@@ -916,6 +916,17 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
        for (i = 0; i < r->poolinfo->poolwords; i += 16)
                sha_transform(hash.w, (__u8 *)(r->pool + i), workspace);
 
+       /*
+        * If we have a architectural hardware random number
+        * generator, mix that in, too.
+        */
+       for (i = 0; i < LONGS(20); i++) {
+               unsigned long v;
+               if (!arch_get_random_long(&v))
+                       break;
+               hash.l[i] ^= v;
+       }
+
        /*
         * We mix the hash back into the pool to prevent backtracking
         * attacks (where the attacker knows the state of the pool
@@ -945,17 +956,6 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
        hash.w[1] ^= hash.w[4];
        hash.w[2] ^= rol32(hash.w[2], 16);
 
-       /*
-        * If we have a architectural hardware random number
-        * generator, mix that in, too.
-        */
-       for (i = 0; i < LONGS(EXTRACT_SIZE); i++) {
-               unsigned long v;
-               if (!arch_get_random_long(&v))
-                       break;
-               hash.l[i] ^= v;
-       }
-
        memcpy(out, &hash, EXTRACT_SIZE);
        memset(&hash, 0, sizeof(hash));
 }