From: Harry Sintonen <sintonen@iki.fi>
Date: Sat, 4 Mar 2023 07:02:14 +0000 (+0200)
Subject: rand: use arc4random as fallback when available
X-Git-Tag: curl-8_0_0~98
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=755ddbe901cd0c921fbc3ac5b3775c0dc683bc73;p=thirdparty%2Fcurl.git

rand: use arc4random as fallback when available

Normally curl uses cryptographically strong random provided by the
selected SSL backend. If compiled without SSL support, a naive built-in
function was used instead.

Generally this was okay, but it will result in some downsides for non-
SSL builds, such as predictable temporary file names.

This change ensures that arc4random will be used instead, if available.

Closes #10672
---

diff --git a/configure.ac b/configure.ac
index 988183d5d1..f40652c07e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3626,7 +3626,8 @@ AC_CHECK_FUNCS([fnmatch \
   setrlimit \
   snprintf \
   utime \
-  utimes
+  utimes \
+  arc4random
 ],[
 ],[
   func="$ac_func"
diff --git a/lib/rand.c b/lib/rand.c
index 4b6ac072e6..9abb722d2b 100644
--- a/lib/rand.c
+++ b/lib/rand.c
@@ -30,6 +30,10 @@
 #ifdef HAVE_ARPA_INET_H
 #include <arpa/inet.h>
 #endif
+#ifdef HAVE_ARC4RANDOM
+/* Some platforms might have the prototype missing (ubuntu + libressl) */
+uint32_t arc4random(void);
+#endif
 
 #include <curl/curl.h>
 #include "vtls/vtls.h"
@@ -143,6 +147,11 @@ static CURLcode randit(struct Curl_easy *data, unsigned int *rnd)
   }
 #endif
 
+#ifdef HAVE_ARC4RANDOM
+  *rnd = (unsigned int)arc4random();
+  return CURLE_OK;
+#endif
+
 #if defined(RANDOM_FILE) && !defined(WIN32)
   if(!seeded) {
     /* if there's a random file to read a seed from, use it */