ISC Open Source Projects / BIND / Merge requests / !887

Cookies with non-crypto-secure random

Merged Witold Krecicki requested to merge wpk-non-crypto-secure-cookies into master Oct 24, 2018

Use non-cryptographically-secure PRNG to generate a nonce for cookies.

Rationale: the nonce here is only used to make sure there is a low probability of duplication, according to section B.2 of RFC 7873. It is only 32 bits, and even if an attacker knows the algorithm used to generate nonces it won't, in any way, give him any platform to attack the server as long as the server secret used to sign the (nonce, time) pair with HMAC-SHA1 is secure.

On the other hand, currently, each packet sent requires (unnecessarily) a CS pseudo-random number, which is ineffective.

Edited Oct 24, 2018 by Witold Krecicki
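The argument above is that a DNS server cookie stays unforgeable even when the nonce is predictable, because the only secret input is the HMAC key. The following added example (it is not BIND's code and not part of this merge request) illustrates that in Python, using a cookie layout modelled on RFC 7873 appendix B.2: a 32-bit nonce, a 32-bit timestamp, and 64 bits of HMAC-SHA1 over the client cookie, nonce, time and client address. The exact field order, the inclusion of the client address in the MAC, the one-hour validity window and the 300-second future skew are assumptions made for this illustration; the secret and the seeded `random.Random` are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import random
import struct

# Constructed sample secret for the example; a real server would load its own.
COOKIE_SECRET = bytes.fromhex("5d1e7e2b8f4c9a03b6e1d4f2a7c8091e")
COOKIE_MAX_AGE = 3600     # assumption: reject server cookies older than one hour
COOKIE_MAX_SKEW = 300     # assumption: tolerate a timestamp up to 5 minutes in the future
CLIENT_COOKIE_LEN = 8
SERVER_COOKIE_LEN = 16    # nonce(4) | time(4) | truncated HMAC-SHA1(8)

# The nonce comes from a non-cryptographically-secure PRNG, as the MR proposes.
# It is seeded here only so that the example is reproducible.
_nonce_rng = random.Random(0xC0FFEE)


def new_nonce(rng=_nonce_rng):
    """32-bit nonce. It only needs a low probability of repeating; it need not be unpredictable."""
    return rng.getrandbits(32)


def _cookie_hash(secret, client_cookie, nonce, when, client_ip):
    """Assumed MAC input, B.2 style: client cookie | nonce | time | client address (IPv4 or IPv6)."""
    msg = client_cookie + struct.pack(">II", nonce, when) + ipaddress.ip_address(client_ip).packed
    return hmac.new(secret, msg, hashlib.sha1).digest()[:8]


def make_server_cookie(secret, client_cookie, client_ip, now, nonce=None):
    """Build nonce | time | hash. The nonce and time are sent in the clear; only the hash binds the secret."""
    if len(client_cookie) != CLIENT_COOKIE_LEN:
        raise ValueError("client cookie must be 8 bytes")
    if nonce is None:
        nonce = new_nonce()
    when = now & 0xFFFFFFFF
    return struct.pack(">II", nonce, when) + _cookie_hash(secret, client_cookie, nonce, when, client_ip)


def verify_server_cookie(secret, client_cookie, client_ip, server_cookie, now):
    """Recompute the hash from the clear-text nonce/time and compare in constant time."""
    if len(client_cookie) != CLIENT_COOKIE_LEN or len(server_cookie) != SERVER_COOKIE_LEN:
        return False
    nonce, when = struct.unpack(">II", server_cookie[:8])
    if when > now + COOKIE_MAX_SKEW or when + COOKIE_MAX_AGE < now:
        return False  # too far in the future, or expired
    expected = _cookie_hash(secret, client_cookie, nonce, when, client_ip)
    return hmac.compare_digest(expected, server_cookie[8:])


def forge_with_known_nonce(client_cookie, client_ip, server_cookie, guessed_secret):
    """Attacker's view: nonce and time are readable off the wire, so a predictable nonce adds nothing.
    Without the server secret the attacker can only produce a cookie with a wrong hash."""
    nonce, when = struct.unpack(">II", server_cookie[:8])
    return make_server_cookie(guessed_secret, client_cookie, client_ip, when, nonce=nonce)
```

Running `verify_server_cookie` on a cookie rebuilt by `forge_with_known_nonce` shows the point of the rationale: the forged cookie carries the genuine nonce and timestamp and still fails verification, while a cookie minted with the real secret verifies only for the same client cookie and address and only inside the time window. What the PRNG quality does affect is the chance that two cookies issued at the same second collide, which is what the nonce exists to keep low.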