[sr-dev] git:master:d0743460: tls: add cryptorand engine also to tls_mod and documentation, enable as default

Henning Westerholt hw at skalatan.de
Mon Oct 7 10:50:00 CEST 2019


Module: kamailio
Branch: master
Commit: d0743460f68c0dfcb807319dc9e2247eb51ee1ba
URL: https://github.com/kamailio/kamailio/commit/d0743460f68c0dfcb807319dc9e2247eb51ee1ba

Author: Henning Westerholt <hw at skalatan.de>
Committer: Henning Westerholt <hw at skalatan.de>
Date: 2019-10-07T10:49:16+02:00

tls: add cryptorand engine also to tls_mod and documentation, enable as default

---

Modified: src/modules/tls/doc/params.xml
Modified: src/modules/tls/tls_mod.c

---

Diff:  https://github.com/kamailio/kamailio/commit/d0743460f68c0dfcb807319dc9e2247eb51ee1ba.diff
Patch: https://github.com/kamailio/kamailio/commit/d0743460f68c0dfcb807319dc9e2247eb51ee1ba.patch

---

diff --git a/src/modules/tls/doc/params.xml b/src/modules/tls/doc/params.xml
index 6028642b5f..72d3278ed7 100644
--- a/src/modules/tls/doc/params.xml
+++ b/src/modules/tls/doc/params.xml
@@ -1251,7 +1251,7 @@ end
 		is not designed for multi-process applications and can result in a crash.
 		Therefore set the PRNG engine to one of the options listed in this
 		section. If libssl 1.1.x (or newer) is detected at compile time, then
-		the PRNG engine is set to "fastrand".
+		the PRNG engine is set to "cryptorand".
 	</para>
 	<para>
 		The following options are avaialble:
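Review bot: the context line just above this hunk's end still reads "avaialble"; since the paragraph is being touched anyway, it would be worth fixing the typo to "available" in the same commit.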
@@ -1259,10 +1259,13 @@ end
 	<itemizedlist>
 		<listitem><para>krand - use internal kam_rand() function</para></listitem>
 		<listitem><para>fastrand - use internal fastrand function</para></listitem>
+		<listitem><para>cryptorand - use internal cryptorand function</para></listitem>
 	</itemizedlist>
 	<para>
 		The default value is empty (not set) for libssl v1.0.x or older, and
-		"fastrand" for libssl v1.1.x or newer.
+		"cryptorand" for libssl v1.1.x or newer. The krand and fastrand engines are
+		not recommended for production use, as they will not generate secure enough
+		random numbers.
 	</para>
 	<example>
 	    <title>Set <varname>rand_engine</varname> parameter</title>
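Review bot: the new list item "cryptorand - use internal cryptorand function" tells the reader nothing about what distinguishes it from fastrand, while the sentence added below it says fastrand and krand are "not recommended for production use". One clause on what cryptorand draws its randomness from (or why it is the secure choice) would let an operator judge the recommendation rather than take it on faith.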
diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index 75d8aa8fd2..5784ce4842 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
@@ -453,6 +453,9 @@ int ksr_rand_engine_param(modparam_t type, void* val)
 	} else if(reng->len == 8 && strncasecmp(reng->s, "fastrand", 8) == 0) {
 		LM_DBG("setting fastrand random engine\n");
 		RAND_set_rand_method(RAND_ksr_fastrand_method());
+	} else if (reng->len == 10 && strncasecmp(reng->s, "cryptorand", 10) == 0) {
+		LM_DBG("setting cryptorand random engine\n");
+		RAND_set_rand_method(RAND_ksr_cryptorand_method());
 	}
 #endif
 	return 0;
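Review bot: the added branch uses `} else if (reng->len == 10 ...` with a space after `if`, whereas the surrounding branches use `} else if(reng->len == 8 ...`; keep the file's existing spacing. More importantly, the chain still has no final `else`, so a misspelled engine name (e.g. "cryptrand") is silently ignored and the function returns 0, leaving whatever method was set in mod_register in place; an `else { LM_ERR("unknown rand_engine value\n"); return -1; }` would turn a configuration typo into a startup error instead of an unnoticed fallback.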
@@ -564,7 +567,7 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2)
 
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
 	LM_DBG("setting fastrand random engine\n");
-	RAND_set_rand_method(RAND_ksr_fastrand_method());
+	RAND_set_rand_method(RAND_ksr_cryptorand_method());
 #endif
 
 	sr_kemi_modules_add(sr_kemi_tls_exports);
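Review bot: the debug message on the unchanged context line above the replaced call still says "setting fastrand random engine" while the call now installs `RAND_ksr_cryptorand_method()`; update the `LM_DBG` text to "cryptorand" so the log matches the engine actually selected.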
