openssl: Don't manually seed DRBG with OpenSSL 1.1.1

According to the documentation, it's generally not necessary to manually
seed OpenSSL's DRBG (and it actually can cause the daemon to lock up
during start up on systems with low entropy if OpenSSL is already trying
to seed it itself and holds the lock).  While that might already have been
the case with earlier versions, it's not explicitly stated in their
documentation.  So we keep the code for these versions.

diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index c2dbf53286a123c246b35eb3a0a74c4c9cd52553..069136df0c394168de120ab653097b093cb60d39 100644 (file)
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -243,8 +243,11 @@ static void threading_cleanup()
 
 #endif
 
+#if OPENSSL_VERSION_NUMBER < 0x1010100fL
 /**
  * Seed the OpenSSL RNG, if required
+ * Not necessary anymore with OpenSSL 1.1.1 (maybe wasn't already earlier, but
+ * it's now explicitly mentioned in the documentation).
  */
 static bool seed_rng()
 {
@@ -271,6 +274,7 @@ static bool seed_rng()
        DESTROY_IF(rng);
        return TRUE;
 }
+#endif /* OPENSSL_VERSION_NUMBER */
 
 /**
  * Generic key loader
@@ -839,12 +843,14 @@ plugin_t *openssl_plugin_create()
                "openssl FIPS mode(%d) - %sabled ", fips_mode, fips_mode ? "en" : "dis");
 #endif /* OPENSSL_FIPS */
 
+#if OPENSSL_VERSION_NUMBER < 0x1010100fL
        if (!seed_rng())
        {
                DBG1(DBG_CFG, "no RNG found to seed OpenSSL");
                destroy(this);
                return NULL;
        }
+#endif /* OPENSSL_VERSION_NUMBER */
 
        return &this->public.plugin;
 }