The patch below adds support for arc4random(), cryptographically secure suite of functions, found commonly on *BSD and other OSes. The advantage over using /dev/random is that we avoid talking with VFS and opening file descriptor. Also, there is a arc4random_uniform() functions that provides uniformly distributed number, as opposed to commonly used idiom "rand() % foo". This was developed and tested on OpenBSD with oRTP 0.22. --- configure.ac.orig Mon Nov 25 12:57:48 2013 +++ configure.ac Mon Nov 25 12:59:26 2013 @@ -160,6 +160,9 @@ build_scheduler=yes dnl Check if we have seteuid system call AC_CHECK_FUNCS(seteuid) +dnl Check if we have arc4random family routines available +AC_CHECK_FUNCS(arc4random) + dnl check if we can use the pthread_library AC_CHECK_LIB(pthread, pthread_mutex_init, [pthread_enabled=yes], [pthread_enabled=no]) --- src/netsim.c.orig Mon Nov 25 13:16:42 2013 +++ src/netsim.c Mon Nov 25 13:19:26 2013 @@ -110,7 +110,13 @@ static mblk_t *simulate_bandwidth_limit(RtpSession *se } static mblk_t *simulate_loss_rate(RtpSession *session, mblk_t *input, int rate){ - if((rand() % 101) >= rate) { + int rrate; +#ifdef HAVE_ARC4RANDOM + rrate = arc4random_uniform(101); +#else + rrate = rand() % 101; +#endif + if(rrate >= rate) { return input; } freemsg(input); --- src/ortp.c.orig Mon Nov 25 12:54:51 2013 +++ src/ortp.c Mon Nov 25 12:55:19 2013 @@ -49,9 +49,11 @@ RtpScheduler *__ortp_scheduler; extern void av_profile_init(RtpProfile *profile); static void init_random_number_generator(){ +#ifndef HAVE_ARC4RANDOM struct timeval t; gettimeofday(&t,NULL); srandom(t.tv_usec+t.tv_sec); +#endif } --- src/rtpsession.c.orig Mon Nov 25 13:15:47 2013 +++ src/rtpsession.c Mon Nov 25 13:16:26 2013 @@ -98,7 +98,11 @@ extern void rtp_parse(RtpSession *session, mblk_t *mp, static uint32_t uint32_t_random(){ +#ifdef HAVE_ARC4RANDOM + return arc4random(); +#else return random(); +#endif } --- src/rtpsession_inet.c.orig Mon Nov 25 13:09:20 2013 +++ src/rtpsession_inet.c Mon Nov 25 13:14:50 2013 @@ -23,7 +23,7 @@ #if defined(WIN32) || defined(_WIN32_WCE) #include "ortp-config-win32.h" #elif HAVE_CONFIG_H -#include "ortp-config.h" /*needed for HAVE_SYS_UIO_H */ +#include "ortp-config.h" /*needed for HAVE_SYS_UIO_H and HAVE_ARC4RANDOM */ #endif #include "ortp/ortp.h" #include "utils.h" @@ -272,11 +272,16 @@ static ortp_socket_t create_and_bind_random(const char for (retry=0;retry<100;retry++) { int localport; +#ifdef HAVE_ARC4RANDOM + localport = 5000 + (int)arc4random_uniform(0x10000 - 5000); + localport &= 0xfffe; +#else do { localport = (rand () + 5000) & 0xfffe; } while ((localport < 5000) || (localport > 0xffff)); +#endif /*do not set REUSEADDR in case of random allocation */ sock = create_and_bind(localip, localport, sock_family,FALSE); if (sock!=-1) { --- src/stun.c.orig Mon Nov 25 12:44:52 2013 +++ src/stun.c Mon Nov 25 12:57:12 2013 @@ -1159,6 +1159,9 @@ stunEncodeMessage( const StunMessage *msg, int stunRand(void) { +#if defined(HAVE_ARC4RANDOM) + return (int)arc4random(); +#else /* return 32 bits of random stuff */ /* assert( sizeof(int) == 4 ); */ static bool_t init=FALSE; @@ -1251,6 +1254,7 @@ stunRand(void) #else return random(); #endif +#endif /* HAVE_ARC4RANDOM */ } @@ -1260,10 +1264,15 @@ randomPort() { int min=0x4000; int max=0x7FFF; - - int ret = stunRand(); + int ret; + +#ifdef HAVE_ARC4RANDOM + ret = min + (int)arc4random_uniform(max - min); +#else + ret = stunRand(); ret = ret|min; ret = ret&max; +#endif return ret; } --- src/zrtp.c.orig Mon Nov 25 13:20:20 2013 +++ src/zrtp.c Mon Nov 25 13:25:41 2013 @@ -771,7 +771,11 @@ static OrtpZrtpContext* createUserData(ZrtpContext *co userData->zrtpContext=context; userData->timerWillTriggerAt=0; userData->last_recv_zrtp_seq_number=0; +#ifdef HAVE_ARC4RANDOM + userData->last_sent_zrtp_seq_number=arc4random_uniform(0xfffe) + 1; +#else userData->last_sent_zrtp_seq_number=rand()+1; // INT_MAX+1 (signed) +#endif userData->srtpRecv=NULL; userData->srtpSend=NULL;