Improve the entropy of the source port randomization for network address
translation.  It turns out this is useful for applications which require
source port randomization for security (e.g. DNS servers).

Discussed with:	secteam
Requested by:	mlaier
MFC after:	2 weeks
This commit is contained in:
csjp 2008-08-30 20:58:34 +00:00
parent 1a41b28f5c
commit 4d406f1257


@ -606,7 +606,7 @@ GetNewPort(struct libalias *la, struct alias_link *lnk, int alias_port_param)
port_sys = ntohs(port_net);
} else {
/* First trial and all subsequent are random. */
port_sys = random() & ALIAS_PORT_MASK;
port_sys = arc4random() & ALIAS_PORT_MASK;
port_sys += ALIAS_PORT_BASE;
port_net = htons(port_sys);
}
@ -657,7 +657,7 @@ GetNewPort(struct libalias *la, struct alias_link *lnk, int alias_port_param)
}
#endif
}
port_sys = random() & ALIAS_PORT_MASK;
port_sys = arc4random() & ALIAS_PORT_MASK;
port_sys += ALIAS_PORT_BASE;
port_net = htons(port_sys);
}
@ -772,9 +772,9 @@ FindNewPortGroup(struct libalias *la,
/* First trial and all subsequent are random. */
if (align == FIND_EVEN_ALIAS_BASE)
port_sys = random() & ALIAS_PORT_MASK_EVEN;
port_sys = arc4random() & ALIAS_PORT_MASK_EVEN;
else
port_sys = random() & ALIAS_PORT_MASK;
port_sys = arc4random() & ALIAS_PORT_MASK;
port_sys += ALIAS_PORT_BASE;
}
@ -796,9 +796,9 @@ FindNewPortGroup(struct libalias *la,
/* Find a new base to try */
if (align == FIND_EVEN_ALIAS_BASE)
port_sys = random() & ALIAS_PORT_MASK_EVEN;
port_sys = arc4random() & ALIAS_PORT_MASK_EVEN;
else
port_sys = random() & ALIAS_PORT_MASK;
port_sys = arc4random() & ALIAS_PORT_MASK;
port_sys += ALIAS_PORT_BASE;
}
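Review bot: None of the replacement sites records why arc4random() rather than random() is required, so a later portability or "use the standard libc call" cleanup could silently reintroduce a predictable port sequence; the existing comment "First trial and all subsequent are random." in the @ -606 hunk only says that the port is random, not that it must be unpredictable. I would extend that comment to `/* First trial and all subsequent are random.  The source must be unpredictable: a guessable alias port defeats the source-port randomization of translated hosts (e.g. DNS resolvers), so do not replace arc4random() here. */` and, since the same mask-and-offset expression now appears in the @ -657, @ -772 and @ -796 hunks as well, consider moving it into one small static helper taking the mask so the RNG choice lives in a single place. The bodies of GetNewPort and FindNewPortGroup continue outside the hunks, so I cannot see whether the retry loops around these sites bound the number of attempts when the port space is nearly full; the note applies to the random-choice lines only.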