From adebb6e733c59da7c75051f27c47f38337d387ae Mon Sep 17 00:00:00 2001 From: Georg Koppen Date: Tue, 10 Feb 2015 01:44:08 +0000 Subject: [PATCH] ssp.c (__guard_setup): For Windows... * ssp.c (__guard_setup): For Windows, use approved methods to get a suitable random number for the stack check guard rather than reading /dev/random. From-SVN: r220559 --- libssp/ChangeLog | 7 +++++++ libssp/ssp.c | 16 ++++++++++++++++ 2 files changed, 23 insertions(+) diff --git a/libssp/ChangeLog b/libssp/ChangeLog index d1580a37e98..843992ebdb8 100644 --- a/libssp/ChangeLog +++ b/libssp/ChangeLog @@ -1,3 +1,10 @@ +2015-02-09 Georg Koppen + + * ssp.c: Conditionally include + (__guard_setup): For Windows, use approved methods to get + a suitable random number for the stack check guard rather + than reading /dev/random. + 2015-01-22 Matthias Klose * gets-chk.c: Declare prototype for gets in C11 mode. diff --git a/libssp/ssp.c b/libssp/ssp.c index 96adf17ce3f..38e3ec83f6b 100644 --- a/libssp/ssp.c +++ b/libssp/ssp.c @@ -55,6 +55,7 @@ see the files COPYING3 and COPYING.RUNTIME respectively. If not, see /* Native win32 apps don't know about /dev/tty but can print directly to the console using "CONOUT$" */ #if defined (_WIN32) && !defined (__CYGWIN__) +#include # define _PATH_TTY "CONOUT$" #else # define _PATH_TTY "/dev/tty" @@ -75,6 +76,20 @@ __guard_setup (void) if (__stack_chk_guard != 0) return; +#if defined (_WIN32) && !defined (__CYGWIN__) + HCRYPTPROV hprovider = 0; + if (CryptAcquireContext(&hprovider, NULL, NULL, PROV_RSA_FULL, + CRYPT_VERIFYCONTEXT | CRYPT_SILENT)) + { + if (CryptGenRandom(hprovider, sizeof (__stack_chk_guard), + (BYTE *)&__stack_chk_guard) && __stack_chk_guard != 0) + { + CryptReleaseContext(hprovider, 0); + return; + } + CryptReleaseContext(hprovider, 0); + } +#else fd = open ("/dev/urandom", O_RDONLY); if (fd != -1) { 
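Review bot: When `CryptAcquireContext` or `CryptGenRandom` fails, the new Windows branch drops through to the terminator-canary fallback without leaving any trace, so a process can end up running with a fixed, predictable guard and nothing in the added lines says so. A comment ahead of the `HCRYPTPROV` declaration would cover it, e.g. `/* Ephemeral context (CRYPT_VERIFYCONTEXT, no UI); on any failure fall through to the terminator canary below.  */`. `fd` is assigned only in the `#else` arm, so if it is declared at the top of `__guard_setup` (outside this hunk) it is now unused in Windows builds and its declaration should move into that arm. If this function runs as a load-time constructor, which the hunk does not show, it is worth confirming that acquiring a provider there is safe, since that call may load further DLLs. The body of `__guard_setup` starts before and ends after this hunk.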
@@ -85,6 +100,7 @@ __guard_setup (void) return; } +#endif /* If a random generator can't be used, the protector switches the guard to the "terminator canary". */ p = (unsigned char *) &__stack_chk_guard; -- 2.11.4.GIT