1 files changed, 18 insertions, 0 deletions

diff --git a/pkg/tcpip/stack/stack.go b/pkg/tcpip/stack/stack.go
index 1fffe9274..11ff65bf2 100644
--- a/pkg/tcpip/stack/stack.go
+++ b/pkg/tcpip/stack/stack.go
@@ -23,6 +23,7 @@ import (
 	"bytes"
 	"encoding/binary"
 	"fmt"
+	"io"
 	mathrand "math/rand"
 	"sync/atomic"
 	"time"
@@ -445,6 +446,9 @@ type Stack struct {
 	// used when a random number is required.
 	randomGenerator *mathrand.Rand
 
+	// secureRNG is a cryptographically secure random number generator.
+	secureRNG io.Reader
+
 	// sendBufferSize holds the min/default/max send buffer sizes for
 	// endpoints other than TCP.
 	sendBufferSize tcpip.SendBufferSizeOption
@@ -528,6 +532,9 @@ type Options struct {
 	// IPTables are the initial iptables rules. If nil, iptables will allow
 	// all traffic.
 	IPTables *IPTables
+
+	// SecureRNG is a cryptographically secure random number generator.
+	SecureRNG io.Reader
 }
 
 // TransportEndpointInfo holds useful information about a transport endpoint
@@ -636,6 +643,10 @@ func New(opts Options) *Stack {
 
 	opts.NUDConfigs.resetInvalidFields()
 
+	if opts.SecureRNG == nil {
+		opts.SecureRNG = rand.Reader
+	}
+
 	s := &Stack{
 		transportProtocols: make(map[tcpip.TransportProtocolNumber]*transportProtocolState),
 		networkProtocols:   make(map[tcpip.NetworkProtocolNumber]NetworkProtocol),
@@ -652,6 +663,7 @@ func New(opts Options) *Stack {
 		uniqueIDGenerator:  opts.UniqueID,
 		nudDisp:            opts.NUDDisp,
 		randomGenerator:    mathrand.New(randSrc),
+		secureRNG:          opts.SecureRNG,
 		sendBufferSize: tcpip.SendBufferSizeOption{
 			Min:     MinBufferSize,
 			Default: DefaultBufferSize,
@@ -2048,6 +2060,12 @@ func (s *Stack) Rand() *mathrand.Rand {
 	return s.randomGenerator
 }
 
+// SecureRNG returns the stack's cryptographically secure random number
+// generator.
+func (s *Stack) SecureRNG() io.Reader {
+	return s.secureRNG
+}
+
 func generateRandUint32() uint32 {
 	b := make([]byte, 4)
 	if _, err := rand.Read(b); err != nil {