Merge branch '289-add-non-cs-prng' into 'master'

Change isc_random() to be just PRNG, and add isc_nonce_buf() that uses CSPRNG

Closes #289

See merge request !325

CHANGES

+4956.	[func]		Change isc_random() to be just PRNG using xoshiro128**,
+			and add isc_nonce_buf() that uses CSPRNG. [GL #289]
+
 4955.	[cleanup]	Silence cppcheck warnings in lib/dns/master.c.
 			[GL #286]

bin/dig/dighost.c

@@ -63,6 +63,7 @@
 #include <isc/log.h>
 #include <isc/netaddr.h>
 #include <isc/netdb.h>
+#include <isc/nonce.h>
 #include <isc/parseint.h>
 #include <isc/print.h>
 #include <isc/random.h>
@@ -1315,7 +1316,7 @@ setup_system(isc_boolean_t ipv4only, isc_boolean_t ipv6only) {
 	else if (keysecret[0] != 0)
 		setup_text_key();
 
-	isc_random_buf(cookie_secret, sizeof(cookie_secret));
+	isc_nonce_buf(cookie_secret, sizeof(cookie_secret));
 }
 
 /*%
@@ -1870,8 +1871,7 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
 		     srv != NULL;
 		     srv = ISC_LIST_HEAD(lookup->my_server_list)) {
 			INSIST(i > 0);
-			j = isc_random();
-			j %= i;
+			j = isc_random_uniform(i);
 			next = ISC_LIST_NEXT(srv, link);
 			while (j-- > 0 && next != NULL) {
 				srv = next;
@@ -2023,7 +2023,6 @@ compute_cookie(unsigned char *clientcookie, size_t len) {
 isc_boolean_t
 setup_lookup(dig_lookup_t *lookup) {
 	isc_result_t result;
-	isc_uint32_t id;
 	unsigned int len;
 	dig_server_t *serv;
 	dig_query_t *query;
@@ -2198,8 +2197,7 @@ setup_lookup(dig_lookup_t *lookup) {
 	dighost_trying(store, lookup);
 	INSIST(dns_name_isabsolute(lookup->name));
 
-	id = isc_random();
-	lookup->sendmsg->id = (unsigned short)id & 0xFFFF;
+	lookup->sendmsg->id = (dns_messageid_t)isc_random16();
 	lookup->sendmsg->opcode = lookup->opcode;
 	lookup->msgcounter = 0;
 	/*

bin/named/controlconf.c

@@ -20,6 +20,7 @@
 #include <isc/mem.h>
 #include <isc/net.h>
 #include <isc/netaddr.h>
+#include <isc/nonce.h>
 #include <isc/random.h>
 #include <isc/result.h>
 #include <isc/stdtime.h>
@@ -457,7 +458,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
 	 */
 	if (conn->nonce == 0) {
 		while (conn->nonce == 0) {
-			isc_random_buf(&conn->nonce, sizeof(conn->nonce));
+			isc_nonce_buf(&conn->nonce, sizeof(conn->nonce));
 		}
 		eresult = ISC_R_SUCCESS;
 	} else

bin/named/server.c

@@ -32,11 +32,11 @@
 #include <isc/httpd.h>
 #include <isc/lex.h>
 #include <isc/meminfo.h>
+#include <isc/nonce.h>
 #include <isc/parseint.h>
 #include <isc/platform.h>
 #include <isc/portset.h>
 #include <isc/print.h>
-#include <isc/random.h>
 #include <isc/refcount.h>
 #include <isc/resource.h>
 #include <isc/sha2.h>
@@ -5670,7 +5670,7 @@ create_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist,
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
-	isc_random_buf(view->secret, sizeof(view->secret));
+	isc_nonce_buf(view->secret, sizeof(view->secret));
 
 	ISC_LIST_APPEND(*viewlist, view, link);
 	dns_view_attach(view, viewp);
@@ -8845,8 +8845,8 @@ load_configuration(const char *filename, named_server_t *server,
 			}
 		}
 	} else {
-		isc_random_buf(server->sctx->secret,
-			       sizeof(server->sctx->secret));
+		isc_nonce_buf(server->sctx->secret,
+			      sizeof(server->sctx->secret));
 	}
 
 	/*
@@ -13513,7 +13513,7 @@ generate_salt(unsigned char *salt, size_t saltlen) {
 	if (saltlen > 256U)
 		return (ISC_R_RANGE);
 
-	isc_random_buf(salt, saltlen);
+	isc_nonce_buf(salt, saltlen);
 
 	r.base = salt;
 	r.length = (unsigned int) saltlen;

bin/nsupdate/nsupdate.c

@@ -29,6 +29,7 @@
 #include <isc/lex.h>
 #include <isc/log.h>
 #include <isc/mem.h>
+#include <isc/nonce.h>
 #include <isc/parseint.h>
 #include <isc/print.h>
 #include <isc/platform.h>
@@ -2829,14 +2830,16 @@ start_gssrequest(dns_name_t *master) {
 			fatal("out of memory");
 	}
 
-	memmove(kserver, &master_servers[master_inuse], sizeof(isc_sockaddr_t));
+	memmove(kserver, &master_servers[master_inuse],
+		sizeof(isc_sockaddr_t));
 
 	servname = dns_fixedname_initname(&fname);
 
 	if (realm == NULL)
 		get_ticket_realm(gmctx);
 
-	result = snprintf(servicename, sizeof(servicename), "DNS/%s%s", namestr, realm ? realm : "");
+	result = snprintf(servicename, sizeof(servicename), "DNS/%s%s",
+			  namestr, realm ? realm : "");
 	RUNTIME_CHECK(result < sizeof(servicename));
 	isc_buffer_init(&buf, servicename, strlen(servicename));
 	isc_buffer_add(&buf, strlen(servicename));
@@ -2848,9 +2851,10 @@ start_gssrequest(dns_name_t *master) {
 
 	keyname = dns_fixedname_initname(&fkname);
 
-	val = isc_random();
+	isc_nonce_buf(&val, sizeof(val));
 
-	result = snprintf(mykeystr, sizeof(mykeystr), "%u.sig-%s", val, namestr);
+	result = snprintf(mykeystr, sizeof(mykeystr), "%u.sig-%s", val,
+			  namestr);
 	RUNTIME_CHECK(result <= sizeof(mykeystr));
 
 	isc_buffer_init(&buf, mykeystr, strlen(mykeystr));

bin/rndc/rndc.c

@@ -930,7 +930,7 @@ main(int argc, char **argv) {
 	if (argc < 1)
 		usage(1);
 
-	serial = isc_random();
+	serial = isc_random32();
 
 	DO("create memory context", isc_mem_create(0, 0, &rndc_mctx));
 	DO("create socket manager", isc_socketmgr_create(rndc_mctx, &socketmgr));

bin/tests/system/tkey/keycreate.c

@@ -20,6 +20,7 @@
 #include <isc/hash.h>
 #include <isc/log.h>
 #include <isc/mem.h>
+#include <isc/nonce.h>
 #include <isc/print.h>
 #include <isc/random.h>
 #include <isc/sockaddr.h>
@@ -295,7 +296,7 @@ main(int argc, char *argv[]) {
 	CHECK("dst_key_fromnamedfile", result);
 
 	isc_buffer_init(&nonce, noncedata, sizeof(noncedata));
-	isc_random_buf(noncedata, sizeof(noncedata));
+	isc_nonce_buf(noncedata, sizeof(noncedata));
 	isc_buffer_add(&nonce, sizeof(noncedata));
 
 	(void)isc_app_run();

bin/tools/mdig.c

@@ -22,6 +22,7 @@
 #include <isc/log.h>
 #include <isc/mem.h>
 #include <isc/net.h>
+#include <isc/nonce.h>
 #include <isc/parseint.h>
 #include <isc/print.h>
 #include <isc/random.h>
@@ -1917,7 +1918,7 @@ main(int argc, char *argv[]) {
 	RUNCHECK(isc_log_create(mctx, &lctx, &lcfg));
 
 	RUNCHECK(dst_lib_init(mctx, NULL));
-	isc_random_buf(cookie_secret, sizeof(cookie_secret));
+	isc_nonce_buf(cookie_secret, sizeof(cookie_secret));
 
 	ISC_LIST_INIT(queries);
 	parse_args(ISC_FALSE, argc, argv);

config.h.in

@@ -521,6 +521,15 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define to 1 if you have the <sys/un.h> header file. */
 #undef HAVE_SYS_UN_H
 
+/* Define to 1 if you have the <threads.h> header file. */
+#undef HAVE_THREADS_H
+
+/* Define if thread_local keyword is available */
+#undef HAVE_THREAD_LOCAL
+
+/* Define if Thread-Local Storage is available */
+#undef HAVE_TLS
+
 /* Define if running under Compaq TruCluster */
 #undef HAVE_TRUCLUSTER
 
@@ -533,6 +542,9 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define if zlib was found */
 #undef HAVE_ZLIB
 
+/* Define if __thread keyword is available */
+#undef HAVE___THREAD
+
 /* Use HMAC-SHA1 for Client Cookie generation */
 #undef HMAC_SHA1_CC
 

configure

@@ -2146,60 +2146,6 @@ $as_echo "$ac_res" >&6; }
 } # ac_fn_c_check_func
-# ac_fn_c_check_type LINENO TYPE VAR INCLUDES
-# -------------------------------------------
-# Tests whether TYPE exists after having included INCLUDES, setting cache
-# variable VAR accordingly.
-ac_fn_c_check_type ()
-{
-  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
-$as_echo_n "checking for $2... " >&6; }
-if eval \${$3+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  eval "$3=no"
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-$4
-int
-main ()
-{
-if (sizeof ($2))
-	 return 0;
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_compile "$LINENO"; then :
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-$4
-int
-main ()
-{
-if (sizeof (($2)))
-	    return 0;
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_compile "$LINENO"; then :
-
-else
-  eval "$3=yes"
-fi
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-eval ac_res=\$$3
-	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
-  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
-
-} # ac_fn_c_check_type
-
 # ac_fn_c_check_header_mongrel LINENO HEADER VAR INCLUDES
 # -------------------------------------------------------
 # Tests whether HEADER exists, giving a warning if it cannot be compiled using
@@ -2291,6 +2237,60 @@ fi
 } # ac_fn_c_check_header_mongrel
+# ac_fn_c_check_type LINENO TYPE VAR INCLUDES
+# -------------------------------------------
+# Tests whether TYPE exists after having included INCLUDES, setting cache
+# variable VAR accordingly.
+ac_fn_c_check_type ()
+{
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
+$as_echo_n "checking for $2... " >&6; }
+if eval \${$3+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  eval "$3=no"
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+$4
+int
+main ()
+{
+if (sizeof ($2))
+	 return 0;
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+$4
+int
+main ()
+{
+if (sizeof (($2)))
+	    return 0;
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+else
+  eval "$3=yes"
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+eval ac_res=\$$3
+	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+
+} # ac_fn_c_check_type
+
 # ac_fn_c_compute_int LINENO EXPR VAR INCLUDES
 # --------------------------------------------
 # Tries to find the compile-time value of EXPR in a program that includes
@@ -13279,6 +13279,99 @@ fi
 done
+#
+# Check for thread local storage
+#
+for ac_header in threads.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "threads.h" "ac_cv_header_threads_h" "$ac_includes_default"
+if test "x$ac_cv_header_threads_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_THREADS_H 1
+_ACEOF
+
+		     { $as_echo "$as_me:${as_lineno-$LINENO}: checking for C11 Thread-Local Storage using thread_local" >&5
+$as_echo_n "checking for C11 Thread-Local Storage using thread_local... " >&6; }
+		     cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+				  #include <threads.h>
+
+int
+main ()
+{
+
+				  static thread_local int tls = 0;
+				  return (tls);
+
+  ;
+  return 0;
+}
+
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+			     { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAVE_THREAD_LOCAL 1" >>confdefs.h
+
+
+$as_echo "#define HAVE_TLS 1" >>confdefs.h
+
+
+else
+
+			     { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+else
+
+		     { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Thread-Local Storage using __thread" >&5
+$as_echo_n "checking for Thread-Local Storage using __thread... " >&6; }
+		     cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+
+int
+main ()
+{
+
+				  static __thread int tls = 0;
+				  return (tls);
+
+  ;
+  return 0;
+}
+
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+			     { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAVE___THREAD 1" >>confdefs.h
+
+
+$as_echo "#define HAVE_TLS 1" >>confdefs.h
+
+
+else
+
+			     { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+
+done
+
+
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for an ANSI C-conforming const" >&5
 $as_echo_n "checking for an ANSI C-conforming const... " >&6; }
 if ${ac_cv_c_const+:} false; then :

configure.in

@@ -486,6 +486,45 @@ AC_CHECK_HEADERS(fcntl.h regex.h sys/time.h unistd.h sys/mman.h sys/sockio.h sys
 #endif
 ])
 
+#
+# Check for thread local storage
+#
+AC_CHECK_HEADERS([threads.h],
+		 [
+		     AC_MSG_CHECKING([for C11 Thread-Local Storage using thread_local])
+		     AC_COMPILE_IFELSE(
+			 [AC_LANG_PROGRAM(
+			      [
+				  #include <threads.h>
+			      ],[
+				  static thread_local int tls = 0;
+				  return (tls);
+			      ])
+			 ],[
+			     AC_MSG_RESULT([yes])
+			     AC_DEFINE([HAVE_THREAD_LOCAL],[1],[Define if thread_local keyword is available])
+			     AC_DEFINE([HAVE_TLS],[1],[Define if Thread-Local Storage is available])
+			 ],[
+			     AC_MSG_RESULT([no])
+			 ])
+		 ],[
+		     AC_MSG_CHECKING([for Thread-Local Storage using __thread])
+		     AC_COMPILE_IFELSE(
+			 [AC_LANG_PROGRAM(
+			      [
+			      ],[
+				  static __thread int tls = 0;
+				  return (tls);
+			      ])
+			 ],[
+			     AC_MSG_RESULT([yes])
+			     AC_DEFINE([HAVE___THREAD],[1],[Define if __thread keyword is available])
+			     AC_DEFINE([HAVE_TLS],[1],[Define if Thread-Local Storage is available])
+			 ],[
+			     AC_MSG_RESULT([no])
+			 ])
+		 ])
+
 AC_C_CONST
 AC_C_INLINE
 AC_C_VOLATILE

lib/dns/adb.c

@@ -1834,7 +1834,7 @@ new_adbentry(dns_adb_t *adb) {
 	e->to512 = 0;
 	e->cookie = NULL;
 	e->cookielen = 0;
-	e->srtt = (isc_random() & 0x1f) + 1;
+	e->srtt = (isc_random_uniform(0x1f)) + 1;
 	e->lastage = 0;
 	e->expires = 0;
 	e->active = 0;

lib/dns/dispatch.c

@@ -693,7 +693,8 @@ get_dispsocket(dns_dispatch_t *disp, const isc_sockaddr_t *dest,
 		dispsock->resp = NULL;
 		dispsock->portentry = NULL;
 		dispsock->task = NULL;
-		isc_task_attach(disp->task[isc_random() % disp->ntasks], &dispsock->task);
+		isc_task_attach(disp->task[isc_random_uniform(disp->ntasks)],
+				&dispsock->task);
 		ISC_LINK_INIT(dispsock, link);
 		ISC_LINK_INIT(dispsock, blink);
 		dispsock->magic = DISPSOCK_MAGIC;
@@ -3169,7 +3170,7 @@ dns_dispatch_addresponse(dns_dispatch_t *disp, unsigned int options,
 	if ((options & DNS_DISPATCHOPT_FIXEDID) != 0) {
 		id = *idp;
 	} else {
-		isc_random_buf(&id, sizeof(id));
+		id = (dns_messageid_t)isc_random16();
 	}
 	ok = ISC_FALSE;
 	i = 0;

lib/dns/hmac_link.c

@@ -29,6 +29,7 @@
 #include <isc/hmacmd5.h>
 #include <isc/hmacsha.h>
 #include <isc/md5.h>
+#include <isc/nonce.h>
 #include <isc/random.h>
 #include <isc/sha1.h>
 #include <isc/mem.h>
@@ -161,7 +162,7 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int))
 	}
 
 	memset(data, 0, ISC_MD5_BLOCK_LENGTH);
-	isc_random_buf(data, bytes);
+	isc_nonce_buf(data, bytes);
 
 	isc_buffer_init(&b, data, bytes);
 	isc_buffer_add(&b, bytes);
@@ -468,7 +469,7 @@ hmacsha1_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int))
 	}
 
 	memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
-	isc_random_buf(data, bytes);
+	isc_nonce_buf(data, bytes);
 
 	isc_buffer_init(&b, data, bytes);
 	isc_buffer_add(&b, bytes);
@@ -758,7 +759,7 @@ hmacsha224_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int))
 	}
 
 	memset(data, 0, ISC_SHA224_BLOCK_LENGTH);
-	isc_random_buf(data, bytes);
+	isc_nonce_buf(data, bytes);
 
 	isc_buffer_init(&b, data, bytes);
 	isc_buffer_add(&b, bytes);
@@ -1042,7 +1043,7 @@ hmacsha256_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int))
 	}
 
 	memset(data, 0, ISC_SHA256_BLOCK_LENGTH);
-	isc_random_buf(data, bytes);
+	isc_nonce_buf(data, bytes);
 
 	isc_buffer_init(&b, data, bytes);
 	isc_buffer_add(&b, bytes);
@@ -1326,7 +1327,7 @@ hmacsha384_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int))
 	}
 
 	memset(data, 0, ISC_SHA384_BLOCK_LENGTH);
-	isc_random_buf(data, bytes);
+	isc_nonce_buf(data, bytes);
 
 	isc_buffer_init(&b, data, bytes);
 	isc_buffer_add(&b, bytes);
@@ -1610,7 +1611,7 @@ hmacsha512_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int))
 	}
 
 	memset(data, 0, ISC_SHA512_BLOCK_LENGTH);
-	isc_random_buf(data, bytes);
+	isc_nonce_buf(data, bytes);
 
 	isc_buffer_init(&b, data, bytes);
 	isc_buffer_add(&b, bytes);

lib/dns/openssldsa_link.c

@@ -34,6 +34,7 @@
 #include <string.h>
 
 #include <isc/mem.h>
+#include <isc/nonce.h>
 #include <isc/random.h>
 #include <isc/safe.h>
 #include <isc/sha1.h>
@@ -351,7 +352,7 @@ openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
 
 	UNUSED(unused);
 
-	isc_random_buf(rand_array, sizeof(rand_array));
+	isc_nonce_buf(rand_array, sizeof(rand_array));
 
 	dsa = DSA_new();
 	if (dsa == NULL)

lib/dns/rbtdb.c

@@ -5415,12 +5415,12 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
 		isc_stdtime_get(&now);
 
 	if (isc_mem_isovermem(rbtdb->common.mctx)) {
-		isc_uint32_t val = isc_random();
-
 		/*
+		 * Force expire with 25% probability.
 		 * XXXDCL Could stand to have a better policy, like LRU.
 		 */
-		force_expire = ISC_TF(rbtnode->down == NULL && val % 4 == 0);
+		force_expire = ISC_TF(rbtnode->down == NULL && 
+                                      (isc_random32() % 4) == 0);
 
 		/*
 		 * Note that 'log' can be true IFF overmem is also true.

lib/dns/rdataset.c

@@ -410,9 +410,9 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 			 * 'Random' order.
 			 */
 			for (i = 0; i < count; i++) {
-				isc_uint32_t val = isc_random();
+				isc_uint32_t val = isc_random32();
 
-				choice = i + (val % (count - i));
+				choice = i + val % (count - i);
 				rdata = in[i];
 				in[i] = in[choice];
 				in[choice] = rdata;
@@ -432,7 +432,7 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 
 			val = rdataset->count;
 			if (val == ISC_UINT32_MAX) {
-				val = isc_random();
+				val = isc_random32();
 			}
 			j = val % count;
 			for (i = 0; i < count; i++) {

lib/dns/resolver.c

@@ -1182,7 +1182,7 @@ fctx_cancelquery(resquery_t **queryp, dns_dispatchevent_t **deventp,
 			 * slow.  We don't know.  Increase the RTT.
 			 */
 			INSIST(no_response);
-			value = isc_random();
+			value = isc_random32();
 			if (query->addrinfo->