The implementation was landed in r344913 and has had some bake time (at
least on my personal systems). There is some discussion of the motivation
for defaulting to this cipher as a PRF in the commit log for r344913.
As documented in that commit, administrators can retain the prior mode of
operation by setting the 'kern.random.use_chacha20_cipher' tunable to 0 in