Use non-cryptographically-secure PRNG to generate a nonce for cookies.

Rationale: the nonce here is only used to make sure there is a low
probability of duplication, according to section B.2 of RFC7873.
It is only 32-bit, and even if an attacker knows the algorithm used
to generate nonces it won't, in any way, give him any platform to
attack the server as long as server secret used to sign the
(nonce, time) pair with HMAC-SHA1 is secure.

On the other hand, currently, each packet sent requires (unnecessarily)
a CS pseudo-random number which is ineffective.

diff --git a/CHANGES b/CHANGES
index 892a2107a079db6dab777c9ac642f996f99dbe25..27bf2ce4deffc20c8edb7f1a201f782093bcbd9b 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5062.  [func]          Use non-crypto-secure PRNG to generate nonces for
+                       cookies [GL !887]
+
 5061.  [protocol]      Add support for EID and NIMLOC. [GL #626]
 
 5060.  [bug]           GID, UID and UINFO could not be loaded using unknown

diff --git a/lib/ns/client.c b/lib/ns/client.c
index 32c8ddfe2200d04509201223a9c823e5513ac2cb..7b789047e6bde4e741a05f5003a0810912c9ef28 100644 (file)
--- a/lib/ns/client.c
+++ b/lib/ns/client.c
@@ -1656,7 +1656,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
                isc_buffer_init(&buf, cookie, sizeof(cookie));
                isc_stdtime_get(&now);
 
-               isc_nonce_buf(&nonce, sizeof(nonce));
+               isc_random_buf(&nonce, sizeof(nonce));
 
                compute_cookie(client, now, nonce, client->sctx->secret, &buf);