mail archive of the barebox mailing list
From: Sascha Hauer <sha@pengutronix.de>
To: Jules Maselbas <jmaselbas@kalray.eu>
Cc: barebox@lists.infradead.org
Subject: Re: [PATCH] net: dns: Generate and verify transaction ID
Date: Mon, 9 May 2022 09:17:18 +0200
Message-ID: <20220509071718.GY4012@pengutronix.de>
In-Reply-To: <20220506150405.GF10082@tellis.lin.mbt.kalray.eu>

On Fri, May 06, 2022 at 05:04:05PM +0200, Jules Maselbas wrote:
> Hi,
> 
> I would like some feedback on how to select a dns_req_id.
> Although this is likely not very critical to barebox, I think using both
> dns_timer_start plus random32 is a bit overkill. Maybe simply using
> random is sufficient.
> 
> On Thu, May 05, 2022 at 12:08:05PM +0200, Jules Maselbas wrote:
> > The transaction ID wasn't verified on received DNS responses, plus the
> > ID needs to be difficult to predict in order to avoid MitM (man in the
> > middle) being able to easily forge responses.
> > 
> > Signed-off-by: Jules Maselbas <jmaselbas@kalray.eu>
> > ---
> >  net/dns.c | 10 +++++++++-
> >  1 file changed, 9 insertions(+), 1 deletion(-)
> > 
> > diff --git a/net/dns.c b/net/dns.c
> > index 78588b96f..9ad316e33 100644
> > --- a/net/dns.c
> > +++ b/net/dns.c
> > @@ -58,6 +58,7 @@ struct header {
> >  
> >  static struct net_connection *dns_con;
> >  static uint64_t dns_timer_start;
> > +static uin32_t dns_req_id;
> >  static int dns_state;
> >  static IPaddr_t dns_ip;
> >  
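
Review bot: The added declaration `static uin32_t dns_req_id;` misspells the type name, so net/dns.c will not build as posted. It should read `uint32_t`.
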
> > @@ -70,9 +71,12 @@ static int dns_send(const char *name)
> >  	unsigned char *p, *s, *fullname, *dotptr;
> >  	const unsigned char *domain;
> >  
> > +	/* generate a random transaction id */
> > +	dns_req_id = dns_timer_start + random32();
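
Review bot: In dns_send(), `dns_timer_start + random32()` adds a uint64_t (per the declaration in the first hunk) to the PRNG output and stores the sum in the narrower dns_req_id, so the upper bits are dropped silently. Make the narrowing explicit with a cast, and confirm that dns_timer_start has already been assigned when this line runs; nothing in the visible lines sets it before the ID is generated.
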
> I am wondering if using only one of dns_timer_start or random32 is
> sufficient on its own. For the record musl uses clock_gettime without
> random at all.

random32() is a pseudo random generator, it will be initialized with the
same seed every reboot and thus doesn't add any value here. Using the
timer to generate an id should be better and sufficient.
The worst that can happen is that barebox sends DNS requests right after
startup, and I think the different times needed to get the link up
should introduce a certain jitter in the timer values used for the id.

Sascha


-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
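
The point made in the reply above, as an added example that is not part of the original message and is not barebox code: a PRNG that starts from the same seed on every boot yields the same first transaction ID each time, a timer-derived ID varies with the moment of the request, and a reply is accepted only when its header ID matches. The xorshift32 generator, the seed, the bit folding in `id_from_timer` and the timestamps are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for a PRNG seeded identically on every boot
 * (xorshift32 with a constructed seed; NOT barebox's random32()). */
static uint32_t prng_state;

static uint32_t prng_next(void)
{
	prng_state ^= prng_state << 13;
	prng_state ^= prng_state >> 17;
	prng_state ^= prng_state << 5;
	return prng_state;
}

/* First transaction ID after a boot when only the PRNG is used. */
static uint16_t id_from_prng(void)
{
	prng_state = 1;	/* same seed after every reset */
	return (uint16_t)prng_next();
}

/* ID from a nanosecond timer value. Assumption: fold bits 16..31 into the
 * low 16 so that coarser timer bits also affect the ID. */
static uint16_t id_from_timer(uint64_t now_ns)
{
	return (uint16_t)(now_ns ^ (now_ns >> 16));
}

/* Accept a reply only if it holds a full 12-byte DNS header whose ID field
 * (first two bytes, network byte order) equals the ID of the request. */
static int dns_reply_id_ok(const uint8_t *pkt, size_t len, uint16_t req_id)
{
	if (!pkt || len < 12)
		return 0;
	return (uint16_t)((pkt[0] << 8) | pkt[1]) == req_id;
}

int main(void)
{
	/* Constructed reply header carrying ID 0x7668. */
	const uint8_t reply[12] = { 0x76, 0x68, 0x81, 0x80, 0, 1, 0, 1 };

	/* Exit status 0: two "boots" repeat the PRNG ID, and the reply matches
	 * the ID derived from the constructed timestamp 1500000000 ns. */
	return !(id_from_prng() == id_from_prng() &&
		 dns_reply_id_ok(reply, sizeof(reply), id_from_timer(1500000000ULL)));
}
```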
