From d0743460f68c0dfcb807319dc9e2247eb51ee1ba Mon Sep 17 00:00:00 2001
From: Henning Westerholt
Date: Mon, 7 Oct 2019 10:49:16 +0200
Subject: [PATCH] tls: add cryptorand engine also to tls_mod and documentation, enable as default
---
 src/modules/tls/doc/params.xml | 7 +++++--
 src/modules/tls/tls_mod.c | 5 ++++-
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/modules/tls/doc/params.xml b/src/modules/tls/doc/params.xml
index 6028642b5f4..72d3278ed7b 100644
--- a/src/modules/tls/doc/params.xml
+++ b/src/modules/tls/doc/params.xml
@@ -1251,7 +1251,7 @@ end
 is not designed for multi-process applications and can result in a crash. Therefore set the PRNG engine to one of the options listed in this section. If libssl 1.1.x (or newer) is detected at compile time, then
- the PRNG engine is set to "fastrand".
+ the PRNG engine is set to "cryptorand".
 The following options are avaialble:
@@ -1259,10 +1259,13 @@ end
 krand - use internal kam_rand() function
 fastrand - use internal fastrand function
+ cryptorand - use internal cryptorand function
 The default value is empty (not set) for libssl v1.0.x or older, and
- "fastrand" for libssl v1.1.x or newer.
+ "cryptorand" for libssl v1.1.x or newer. The krand and fastrand engines are
+ not recommended for production use, as they will not generate secure enough
+ random numbers.
 Set <varname>rand_engine</varname> parameter
diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index 75d8aa8fd20..5784ce4842e 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
@@ -453,6 +453,9 @@ int ksr_rand_engine_param(modparam_t type, void* val)
 } else if(reng->len == 8 && strncasecmp(reng->s, "fastrand", 8) == 0) {
 LM_DBG("setting fastrand random engine\n");
 RAND_set_rand_method(RAND_ksr_fastrand_method());
+ } else if (reng->len == 10 && strncasecmp(reng->s, "cryptorand", 10) == 0) {
+ LM_DBG("setting cryptorand random engine\n");
+ RAND_set_rand_method(RAND_ksr_cryptorand_method());
 }
 #endif
 return 0;
@@ -564,7 +567,7 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2)
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
 LM_DBG("setting fastrand random engine\n");
- RAND_set_rand_method(RAND_ksr_fastrand_method());
+ RAND_set_rand_method(RAND_ksr_cryptorand_method());
 #endif
 sr_kemi_modules_add(sr_kemi_tls_exports);
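Review bot: The new `cryptorand` branch still leaves the else-if chain without a final `else`, so a misspelled `rand_engine` value matches nothing, falls through to `return 0` and silently keeps libssl's default PRNG — the one the accompanying doc change says is unsafe for multi-process use. I would close the chain with `} else { LM_ERR("unknown rand_engine value [%.*s]\n", reng->len, reng->s); return -1; }`, assuming a non-zero return is how this module's parameter handlers report a rejected value. The return of `RAND_set_rand_method()` is also discarded on the added line and again in the `mod_register` hunk below; OpenSSL returns 1 on success, so checking for `!= 1` and logging with LM_ERR would make a failed engine switch visible instead of silent. ksr_rand_engine_param begins and ends outside the hunk.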
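Review bot: The `LM_DBG("setting fastrand random engine\n")` on the context line directly above the changed call now reports the wrong engine, since the line below it installs cryptorand; it should read `LM_DBG("setting cryptorand random engine\n");` so the startup log matches what was actually selected. With the default moving to cryptorand, the `OPENSSL_VERSION_NUMBER` guard is the only condition on this block, so the engine is installed at module-register time for every libssl 1.1.x-or-newer build; presumably `ksr_rand_engine_param` can later override it when the parameter is set, but that ordering is not visible here. mod_register begins and ends outside the hunk.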