Use /dev/urandom

ipscrub/src/ngx_ipscrub_module.c

@@ -146,7 +146,12 @@ ngx_http_variable_remote_addr_ipscrub(ngx_http_request_t *r, ngx_http_variable_v
   // Regenerate salt if past end of period.
   time_t now = time(NULL);
   if (period_start == -1 || now - period_start > icf->period_seconds) {
-    nonce = ngx_random();
+    // nonce = ngx_random();
+    rc = randlong(&nonce);
+    if (rc != NGX_OK) {
+        return NGX_HTTP_INTERNAL_SERVER_ERROR;
+    }
+
     // TODO: actually calculate when period_start should have been.
     period_start = now;
   }

ipscrub/src/ngx_ipscrub_support.c

@@ -36,3 +36,24 @@ ngx_int_t concat(ngx_pool_t *pool, ngx_str_t prefix, ngx_str_t suffix, u_char **
 
   return NGX_OK;
 }
+
+// randlong fills out with secure random bytes and returns NGX_OK iff successful.
+ngx_int_t randlong(long *out) {
+  #if !(NGX_DARWIN || NGX_SOLARIS || NGX_FREEBSD || NGX_LINUX)
+    // Windows not supported a.t.m.
+    // TODO: support Windows (https://msdn.microsoft.com/en-us/library/sxtz2fa8.aspx).
+    return -1;
+  #endif
+
+  int rand = open("/dev/urandom", O_RDONLY);
+  if (rand < 0) {
+      return -1;
+  }
+
+  ssize_t ret = read(rand, out, sizeof(long));
+  if (ret != sizeof(long)) {
+      return -1;
+  }
+
+  return NGX_OK;
+}

ipscrub/src/ngx_ipscrub_support.h

@@ -8,5 +8,6 @@
 
 ngx_int_t null_terminate(ngx_pool_t *pool, ngx_str_t input, u_char **hashed);
 ngx_int_t concat(ngx_pool_t *pool, ngx_str_t prefix, ngx_str_t suffix, u_char **out);
+ngx_int_t randlong(long *out);
 
 #endif /* _IPSCRUB_SUPPORT_H_INCLUDED_ */