- Subject: Re: Real-World Impact of Hash DoS in Lua
- From: Sean Conner <sean@...>
- Date: Thu, 26 Jan 2012 00:23:49 -0500
It was thus said that the Great Roberto Ierusalimschy once stated:
> > OK. Cool. This is a showstopper for the company I am working with for
> > rolling out embedded Lua with nginx. Is there anything I can do to help?
>
> What is still missing now is how to create the initial per-state
> random seed. Suggestions included some address and arc4random. I am
> afraid that, for the backup ANSI implementation, we cannot do much
> better than something like this:
>
> seed = (unsigned int)time() + (unsigned int)L;
>
> We can have better implementations for particular systems. For instance,
> we can use arc4random if present, but how to detect it? Are there any
> other suggestions?
Under Solaris and Linux (both of which I use) I read from /dev/random or
/dev/urandom. Here's the function I use [1]:
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

#include <lua.h>
#include <lauxlib.h>

/* math.randomseed([blocking]): seed the C library RNG from the kernel
 * entropy pool.  A true first argument reads /dev/random (which may block),
 * otherwise /dev/urandom.  Returns the seed that was used. */
static int math_randomseed(lua_State *const L)
{
  FILE         *fp;
  unsigned int  seed;

  assert(L != NULL);

  if (lua_toboolean(L,1))
  {
    fp = fopen("/dev/random","rb");
    if (fp == NULL)
      return luaL_error(L,"The NSA is keeping you from seeding your RNG");
  }
  else
  {
    fp = fopen("/dev/urandom","rb");
    if (fp == NULL)
      return luaL_error(L,"cannot seed RNG");
  }

  /* a short read would leave seed uninitialized, so treat it as an error */
  if (fread(&seed,sizeof(seed),1,fp) != 1)
  {
    fclose(fp);
    return luaL_error(L,"cannot read seed");
  }

  fclose(fp);
  srand(seed);
  lua_pushnumber(L,seed);
  return 1;
}
-spc (And if Roberto wants to use the code, I can relicense this under the
appropriate terms ... )
[1] code can be seen at
https://github.com/spc476/lua-conmanorg/blob/master/src/math.c
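An added example (not Sean's code and not Lua's) showing the same /dev/urandom read with the short-read check the posted fread() lacks, an endianness-independent seed assembly, and the ANSI time-plus-address fallback Roberto sketched for builds without a kernel entropy device; the function names and the odd multiplier constant are my own choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Assemble 4 bytes into a seed, least-significant byte first, so the
 * value does not depend on host endianness. */
static unsigned int seed_from_bytes(const unsigned char buf[4])
{
  return (unsigned int)buf[0]
       | (unsigned int)buf[1] << 8
       | (unsigned int)buf[2] << 16
       | (unsigned int)buf[3] << 24;
}

/* Read exactly 4 bytes from an open stream.  Returns 1 on success, 0 on a
 * short read (the case an unchecked fread() would turn into a garbage seed). */
static int seed_from_stream(FILE *fp, unsigned int *seed)
{
  unsigned char buf[4];
  if (fp == NULL || fread(buf, sizeof buf, 1, fp) != 1)
    return 0;
  *seed = seed_from_bytes(buf);
  return 1;
}

/* Open path (e.g. "/dev/urandom") and take a seed from it. */
static int seed_from_path(const char *path, unsigned int *seed)
{
  FILE *fp = fopen(path, "rb");
  int ok = seed_from_stream(fp, seed);
  if (fp != NULL)
    fclose(fp);
  return ok;
}

/* Portable ANSI fallback in the spirit of time() + L: mix the clock with an
 * address so two states created in the same second still differ.
 * The multiplier is an arbitrary odd constant chosen here, not Lua's. */
static unsigned int fallback_seed(time_t now, const void *addr)
{
  return (unsigned int)now ^ ((unsigned int)(uintptr_t)addr * 2654435761u);
}

/* Per-state seed: kernel entropy first, the ANSI mix only if that fails. */
static unsigned int hash_seed_for_state(const void *state)
{
  unsigned int seed;
  if (seed_from_path("/dev/urandom", &seed))
    return seed;
  return fallback_seed(time(NULL), state);
}
```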