From a503519533eb375a5ce1f7566bfc153aac980d87 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Fri, 9 Jul 2021 20:52:21 +0200
Subject: [PATCH] Use proper entropy to initialize tsig keyname
Random names used on GSS backed nsupdate can conflict in specific
situations. That might include starting a lot of machines from
containers, where they all took a similar time to start. PID and timestamp
would be similar and therefore randomness is quite low. Use entropy to
generate more random identifier and reduce chance of conflict.
---
bin/nsupdate/nsupdate.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 458aa76..d9e5a2b 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -2941,7 +2941,9 @@ start_gssrequest(dns_name_t *master) {
keyname = dns_fixedname_initname(&fkname);
- isc_random_get(&val;;
+ result = isc_entropy_getdata(entropy, &val, sizeof(val), NULL, 0);
+ if (result != ISC_R_SUCCESS)
+ isc_random_get(&val;;
result = isc_string_printf(mykeystr, sizeof(mykeystr), "%u.sig-%s",
val, namestr);
if (result != ISC_R_SUCCESS)
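Review bot: The fallback under the added `if (result != ISC_R_SUCCESS)` silently returns to `isc_random_get()`, the source the commit message describes as yielding near-identical values when PID and timestamp are similar, so a host whose entropy source fails keeps producing colliding key names with no trace of why. Emit a diagnostic on that branch before falling back, and add a comment such as `/* keyname only needs to be unique, not secret; fall back rather than fail */` so the decision to continue is explicit. The call passes `0` as its flags argument; whether that allows `isc_entropy_getdata()` to return pool-derived pseudo-random bytes when real entropy is short is not visible here and should be confirmed against the entropy API. `start_gssrequest` begins and ends outside the hunk, so where `entropy` is initialised cannot be checked from this page.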
--
2.31.1