On Fri, May 06, 2022 at 05:04:05PM +0200, Jules Maselbas wrote: > Hi, > > I would like some feedback on how to select a dns_req_id. > Although ths is likely not very critical to barebox, I think using both > dns_timer_start plus random32 is a bit overkill. Maybe simply using > random is sufficient. > > On Thu, May 05, 2022 at 12:08:05PM +0200, Jules Maselbas wrote: > > The transaction ID wasn't verified on received DNS responses, plus the > > ID needs to be difficult to predict in order to avoid MitM (man in the > > middle) being able to easily forge responses. > > > > Signed-off-by: Jules Maselbas <jmaselbas@xxxxxxxxx> > > --- > > net/dns.c | 10 +++++++++- > > 1 file changed, 9 insertions(+), 1 deletion(-) > > > > diff --git a/net/dns.c b/net/dns.c > > index 78588b96f..9ad316e33 100644 > > --- a/net/dns.c > > +++ b/net/dns.c > > @@ -58,6 +58,7 @@ struct header { > > > > static struct net_connection *dns_con; > > static uint64_t dns_timer_start; > > +static uin32_t dns_req_id; > > static int dns_state; > > static IPaddr_t dns_ip; > > > > @@ -70,9 +71,12 @@ static int dns_send(const char *name) > > unsigned char *p, *s, *fullname, *dotptr; > > const unsigned char *domain; > > > > + /* generate a random transaction id */ > > + dns_req_id = dns_timer_start + random32(); > I am wondering if using only one of dns_timer_start or randome32 is > sufficient on its own. For the record musl uses clock_gettime without > random at all. random32() is a pseudo random generator, it will be initialized with the same seed every reboot and thus doesn't add any value here. Using the timer to generate an id should be better and sufficient. The worst that can happen is that barebox sends DNS requests right after startup, and I think the different times needed to get the link up should introduce a certain jitter in the timer values used for the id. Sascha -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ barebox mailing list barebox@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/barebox