1 # Improve res_randomid in the resolver.
5 @@ -31,6 +31,7 @@ extern struct __res_state _res;
8 /* Now define the internal interfaces. */
9 +extern unsigned int _shuffle_next (void);
10 extern int __res_vinit (res_state, int);
11 extern int __res_maybe_init (res_state, int);
12 extern void _sethtent (int);
15 @@ -29,7 +29,7 @@ distribute := ../conf/portability.h mapv4v6addr.h mapv4v6hostent.h \
16 Banner res_hconf.h res_debug.h README gai_misc.h ga_test.c
18 routines := herror inet_addr inet_ntop inet_pton nsap_addr res_init \
19 - res_hconf res_libc res-state
20 + res_hconf res_libc res-state shuffle
22 tests = tst-aton tst-leaks tst-inet_ntop
24 --- a/resolv/res_init.c
25 +++ b/resolv/res_init.c
26 @@ -570,7 +570,9 @@ net_mask(in) /* XXX - should really use system's version of this */
30 - return 0xffff & __getpid();
31 +/* We should probably randomize the port number as well,
32 + * but this may be better done in the kernel */
33 + return _shuffle_next();
36 libc_hidden_def (__res_randomid)
37 --- a/resolv/res_mkquery.c
38 +++ b/resolv/res_mkquery.c
39 @@ -120,6 +120,7 @@ res_nmkquery(res_state statp,
41 memset(buf, 0, HFIXEDSZ);
43 +#ifdef USE_OLD_RANDOMIZE_CODE
44 /* We randomize the IDs every time. The old code just
45 incremented by one after the initial randomization which
46 still predictable if the application does multiple
47 @@ -137,6 +138,9 @@ res_nmkquery(res_state statp,
49 while ((randombits & 0xffff) == 0);
50 statp->id = (statp->id + randombits) & 0xffff;
52 + statp->id = res_randomid ();
56 hp->rd = (statp->options & RES_RECURSE) != 0;
58 +++ b/resolv/shuffle.c
61 + * Written by Solar Designer and placed in the public domain.
69 +#define DEVICE "/dev/urandom"
74 +#if defined(DEVICE) && defined(_LIBC)
75 +#define CONSERVE_KERNEL_RANDOMNESS
77 +#undef CONSERVE_KERNEL_RANDOMNESS
86 +#include <sys/time.h>
87 +#include <sys/times.h>
95 +static unsigned char pool[0x100];
98 + unsigned int base, xor;
99 + unsigned char s[0x80];
101 +static unsigned char seed_f[0x100];
109 +static void pool_update(unsigned int seed)
113 + __srandom(seed ^ __random());
114 + for (i = 0; i < sizeof(pool); i++) {
116 + pool[i] += (x >> 16) ^ x;
121 +static int read_loop(int fd, char *buffer, int count)
126 + while (count > 0) {
127 + block = __read(fd, &buffer[offset], count);
130 + if (errno == EINTR) continue;
133 + if (!block) return offset;
142 +static int read_random(char *buffer, int count)
145 +#ifdef CONSERVE_KERNEL_RANDOMNESS
146 + unsigned int seed[2];
148 + if (count > sizeof(pool))
152 + if ((fd = __open(DEVICE, O_RDONLY)) < 0)
155 +#ifdef CONSERVE_KERNEL_RANDOMNESS
156 + if (read_loop(fd, (char *)seed, sizeof(seed)) != sizeof(seed)) {
162 + memset(pool, 'X', sizeof(pool));
163 + pool_update(seed[0]);
164 + pool_update(seed[1]);
166 + memcpy(buffer, pool, count);
168 + count = read_loop(fd, buffer, count);
175 +#define read_random(buffer, count) (-1)
178 +static void shuffle_init()
182 + if (read_random((char *)seed_f, sizeof(seed_f)) != sizeof(seed_f)) {
183 + memset(pool, 'X', sizeof(pool));
184 + pool_update(__getpid());
185 + pool_update(__getppid());
186 + if (!__gettimeofday(&tv, NULL)) {
187 + pool_update(tv.tv_sec);
188 + pool_update(tv.tv_usec);
191 + memcpy(seed_f, pool, sizeof(seed_f));
195 + state.n = DIV; /* force a reseed() */
198 +static void reseed()
202 + if (read_random((char *)&seed_c, sizeof(seed_c)) != sizeof(seed_c)) {
203 + pool_update(__times(&buf));
204 + pool_update(buf.tms_utime);
205 + pool_update(buf.tms_stime);
207 + memcpy(&seed_c, pool, sizeof(seed_c));
210 + seed_c.base &= 0x1fff;
212 + seed_c.base += DIV + 3;
213 + seed_c.xor &= (DIV - 1);
214 + state.msb ^= 0x8000;
221 + * Now, time for a puzzle. Think of division by DIV in seed_c.base.
222 + * This is not as slow as it might appear: the inner loop needs only
223 + * a few iterations per call, on average.
225 +static unsigned int shuffle_1_next()
227 + if (state.n >= DIV - 1)
230 + if (state.n && state.b <= state.a) {
232 + state.b = ++state.a;
234 + state.b *= seed_c.base;
236 + } while (state.b > state.a);
237 + } while (state.a != state.b);
240 + state.b *= seed_c.base;
244 + return state.b ^ seed_c.xor;
248 + * The idea behind shuffle_2 is David Wagner's (any bugs are mine,
251 +static unsigned int shuffle_2(unsigned int x)
253 + unsigned int i, sum;
256 + for (i = 0; i < 8; i++) {
258 + x ^= ((unsigned int)seed_c.s[(x ^ sum) & 0x7f]) << 7;
259 + x = ((x & 0xff) << 7) | (x >> 8);
266 + * A full 16-bit permutation. This one can't be re-seeded, but still
267 + * makes some attacks quite a bit harder.
269 +static unsigned int shuffle_3(unsigned int x)
271 + unsigned int i, sum;
274 + for (i = 0; i < 8; i++) {
276 + x ^= ((unsigned int)seed_f[(x ^ sum) & 0xff]) << 8;
277 + x = ((x & 0xff) << 8) | (x >> 8);
283 +unsigned int _shuffle_next()
285 + static int initialized = 0;
286 + unsigned int pid, x;
288 +/* This isn't MT-safe, but the resolver itself isn't safe, anyway */
289 + if (!initialized) {
294 +/* Make sure the sequence we generate changes after fork() */
297 + x = shuffle_1_next();
301 + x ^= (pid >> 15) & 0xffff;
312 + for (i = 0; i < 0xfffe; i++)
313 + printf("%u\n", _shuffle_next());