prosody
38c95544b7ee
util/random.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

File

util/random.lua @ 13289:38c95544b7ee

mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default This channel binding method is now enabled when a hash is manually set in the config, or it attempts to discover the hash automatically if the value is the special string "auto". A related change to mod_c2s prevents complicated certificate lookups in the client connection hot path - this work now happens only when this channel binding method is used. I'm not aware of anything else that uses ssl_cfg (vs ssl_ctx). Rationale for disabling by default: - Minor performance impact in automatic cert detection - This method is weak against a leaked/stolen private key (other methods such as 'tls-exporter' would not be compromised in such a case) Rationale for keeping the implementation: - For some deployments, this may be the only method available (e.g. due to TLS offloading in another process/server).
author Matthew Wild <mwild1@gmail.com>
date Thu, 26 Oct 2023 15:14:39 +0100
parent 12975:d10957394a3c
line wrap: on
line source

-- Prosody IM
-- Copyright (C) 2008-2014 Matthew Wild
-- Copyright (C) 2008-2014 Waqas Hussain
--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--

local ok, crand = pcall(require, "prosody.util.crand");
if ok and pcall(crand.bytes, 1) then return crand; end

local urandom, urandom_err = io.open("/dev/urandom", "r");

local function bytes(n)
	local data, err = urandom:read(n);
	if not data then
		if err then
			error("Unable to retrieve data from secure random number generator (/dev/urandom): "..tostring(err));
		else
			error("Secure random number generator (/dev/urandom) returned an end-of-file condition");
		end
	end
	return data;
end

if not urandom then
	function bytes()
		error("Unable to obtain a secure random number generator, please see https://prosody.im/doc/random ("..urandom_err..")");
	end
end

return {
	bytes = bytes;
	_source = "/dev/urandom";
};