Add support for arc4random() for TLS rng

MbedTLS has support for getrandom() on linux. This adds arc4random() which should allow for operation in chroot() on BSDs
mongrel2 · Jan 24, 2021 · 8a6db3b · 8a6db3b
1 parent c8ba8cf
commit 8a6db3b
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/Makefile b/Makefile
@@ -165,16 +165,19 @@ release: tarball
 netbsd: OPTFLAGS += -I/usr/local/include -I/usr/pkg/include
 netbsd: LDFLAGS += -L/usr/local/lib -L/usr/pkg/lib
 netbsd: LIBS=-lzmq -lsqlite3 $(LDFLAGS)
+netbsd: CFLAGS += -DHAS_ARC4RANDOM
 netbsd: dev
 
 
 freebsd: OPTFLAGS += -I/usr/local/include
 freebsd: LDFLAGS += -L/usr/local/lib -pthread
+freebsd: CFLAGS += -DHAS_ARC4RANDOM
 freebsd: all
 
 openbsd: OPTFLAGS += -I/usr/local/include
 openbsd: LDFLAGS += -L/usr/local/lib -pthread
 openbsd: LIBS=-lzmq -lsqlite3 $(LDFLAGS)
+openbsd: CFLAGS += -DHAS_ARC4RANDOM
 openbsd: all
 
 solaris: OPTFLAGS += -I/usr/local/include
@@ -185,8 +188,10 @@ solaris: all
 
 macports: OPTFLAGS += -I/opt/local/include
 macports: LDFLAGS += -L/opt/local/lib -undefined dynamic_lookup
+macports: CFLAGS += -DHAS_ARC4RANDOM
 macports: all
 
 brew: OPTFLAGS += -I/usr/local/include
 brew: LDFLAGS += -L/usr/local/lib -undefined dynamic_lookup
+brew: CFLAGS += -DHAS_ARC4RANDOM
 brew: all
diff --git a/src/server.c b/src/server.c
@@ -149,6 +149,14 @@ static int Server_load_ciphers(Server *srv, bstring ssl_ciphers_val)
     return -1;
 }
 
+#ifdef HAS_ARC4RANDOM
+static int arc4random_entropy_func(void *data, unsigned char * output, size_t len)
+{
+    arc4random_buf(output, len);
+    return 0;
+}
+#endif
+
 int Server_init_rng(Server *srv)
 {
     int rc;
@@ -171,7 +179,10 @@ int Server_init_rng(Server *srv)
         srv->rng_func = mbedtls_ctr_drbg_random;
         srv->rng_ctx = ctx;
     } else {
-#ifdef MBEDTLS_HAVEGE_C
+#ifdef HAS_ARC4RANDOM
+        srv->rng_func=arc4random_entropy_func;
+        srv->rng_ctx = NULL;
+#elif MBEDTLS_HAVEGE_C
         log_warn("entropy source unavailable. falling back to havege rng");
 
         ctx = calloc(sizeof(mbedtls_havege_state), 1);
@@ -180,7 +191,7 @@ int Server_init_rng(Server *srv)
         srv->rng_func = mbedtls_havege_random;
         srv->rng_ctx = ctx;
 #else
-	sentinel("No entropy source available, SSL is not possible (disable chroot?)\n");
+        sentinel("No entropy source available, SSL is not possible (disable chroot?)\n");
 #endif
     }